WO2021239059A1 - Key rotation method, device, electronic apparatus, and medium - Google Patents

Key rotation method, device, electronic apparatus, and medium Download PDF

Info

Publication number
WO2021239059A1
WO2021239059A1 PCT/CN2021/096434 CN2021096434W WO2021239059A1 WO 2021239059 A1 WO2021239059 A1 WO 2021239059A1 CN 2021096434 W CN2021096434 W CN 2021096434W WO 2021239059 A1 WO2021239059 A1 WO 2021239059A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
value
data
pseudo
random number
Prior art date
Application number
PCT/CN2021/096434
Other languages
French (fr)
Chinese (zh)
Inventor
沈象文
Original Assignee
平安科技(深圳)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 filed Critical 平安科技(深圳)有限公司
Publication of WO2021239059A1 publication Critical patent/WO2021239059A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3033Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to pseudo-prime or prime number generation, e.g. primality test
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22Indexing; Data structures therefor; Storage structures
    • G06F16/2228Indexing structures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds

Definitions

  • This application relates to the technical field of information security cryptography, in particular to a key rotation method, device, electronic equipment and medium.
  • the working key corresponding to the transaction data is usually encrypted and stored in the encryption machine.
  • the work key may be derived from the encryption machine, so there is a risk of leakage of the work key to a certain extent.
  • the first aspect of the present application provides a key rotation method, which includes:
  • the target public key in the target key pair is used to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
  • a second aspect of the present application provides an electronic device including a processor and a memory, and the processor is configured to execute computer-readable instructions stored in the memory to implement the following steps:
  • the target public key in the target key pair is used to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
  • a third aspect of the present application provides a computer-readable storage medium having at least one computer-readable instruction stored thereon, and the at least one computer-readable instruction is executed by a processor to implement the following steps:
  • the target public key in the target key pair is used to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
  • a fourth aspect of the present application provides a key rotation device, which includes:
  • a generating unit configured to generate multiple key pairs and establish indexes for the multiple key pairs
  • the extraction unit is used to extract any key pair from the multiple key pairs, and obtain all the stock data from the configuration library;
  • An encryption unit configured to use any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data;
  • the determining unit is configured to determine any private key corresponding to the any public key according to the index when the rotation request is received;
  • a decryption unit configured to use the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext
  • the extraction unit is further configured to extract a target key pair from the multiple key pairs
  • the encryption unit is further configured to use the target public key in the target key pair to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
  • the arbitrary private key corresponding to the arbitrary public key is determined according to the index, and the arbitrary private key is used to decrypt the first ciphertext to obtain the plaintext. Extract a target key pair from the multiple key pairs, and then use the target public key in the target key pair to perform an encryption operation on the plaintext to generate a second ciphertext.
  • This application can be used when a rotation request is received , Perform key rotation on all the stock data, which improves the security level of all the stock data.
  • Fig. 1 is a flowchart of a preferred embodiment of the key rotation method of the present application.
  • Fig. 2 is a functional block diagram of a preferred embodiment of the key rotation device of the present application.
  • FIG. 3 is a schematic structural diagram of an electronic device according to a preferred embodiment of the key rotation method according to the present application.
  • FIG. 1 it is a flowchart of a preferred embodiment of the key rotation method of the present application. According to different needs, the order of the steps in the flowchart can be changed, and some steps can be omitted.
  • the key rotation method is applied to one or more electronic devices.
  • the electronic device is a device that can automatically perform numerical calculation and/or information processing in accordance with pre-set or stored instructions. Its hardware includes but not Limited to microprocessors, application specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital processors (Digital Signal Processors, DSPs), embedded devices, etc.
  • the electronic device may be any electronic product that can interact with a user with a human machine, for example, a personal computer, a tablet computer, a smart phone, a personal digital assistant (PDA), a game console, an interactive network television ( Internet Protocol Television, IPTV), smart wearable devices, etc.
  • a personal computer for example, a personal computer, a tablet computer, a smart phone, a personal digital assistant (PDA), a game console, an interactive network television ( Internet Protocol Television, IPTV), smart wearable devices, etc.
  • PDA personal digital assistant
  • IPTV Internet Protocol Television
  • smart wearable devices etc.
  • the electronic equipment may also include network equipment and/or user equipment.
  • the network device includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of hosts or network servers based on Cloud Computing.
  • the network where the electronic device is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (Virtual Private Network, VPN), etc.
  • S10 Generate multiple key pairs, and establish an index for the multiple key pairs.
  • each key pair is composed of a public key and a private key.
  • the public key is the public part of the key pair.
  • the public key is usually used to encrypt the session key and verify the digital signature.
  • the public key can also be used to encrypt the data decrypted by the private key.
  • the public key It is composed of the target value and the first value.
  • the private key is the non-public part of the key pair.
  • the private key is usually used to decrypt the session key and verify the digital signature.
  • the private key can also be used to decrypt data encrypted by the public key.
  • the private key The key is composed of the target value and the second value.
  • the index represents a pointer to a key pair in a database table.
  • the generating multiple key pairs includes:
  • the electronic device For each key pair, the electronic device obtains a preset number of bits, and generates a first pseudo random number and a second pseudo random number with the preset number of bits, and the electronic device uses the Fermat test method to detect the Whether the first pseudo-random number and the second pseudo-random number are prime numbers, when it is detected that the first pseudo-random number and the second pseudo-random number are both prime numbers, the electronic device will The pseudo-random number and the second pseudo-random number are multiplied to obtain a target value, the electronic device calculates the least common multiple between the first pseudo-random number and the second pseudo-random number, the electronic device A pseudo-random number generator is used to generate a first candidate value that is greater than a preset value and less than the least common multiple, and the greatest common divisor between the first candidate value and the least common multiple is determined by the toss and turns division method, when it is detected When the greatest common divisor is the preset value, the electronic device determines the first candidate value as a first value,
  • the value of the preset number of digits is not limited in this application, for example, the preset number of digits may be 8 digits.
  • the value of the preset value is 1.
  • the generating the first pseudo-random number with the preset number of bits includes:
  • the electronic device obtains an arbitrary password from a password library, and further, the electronic device inputs the arbitrary password into a one-way hash function to obtain a hash value, and the electronic device determines the position of the hash value The first digit is obtained, and the difference between the preset digit and the first digit is determined as the second digit, and the electronic device uses a mixed linear congruential method to generate the second digit And concatenate the hash value with the arbitrary number to obtain the first pseudo-random number.
  • the index of the key pair is determined according to the generation order of the key pair, that is, the earlier the key pair is generated, the smaller the index of the key pair is.
  • index corresponding to key pair A is index 1
  • index corresponding to key pair B is index 2.
  • indexing the multiple key pairs not only the key pairs in the database table can be quickly accessed, but also the private key corresponding to the public key in the key pair can be determined according to the index.
  • the key pair and the corresponding index are stored and stored in the index library.
  • the storage format of the key pair and the corresponding index can be, index No. 1: ⁇ Key pair C C public key; C private key of key pair C ⁇ .
  • S11 Extract any key pair from the multiple key pairs, and obtain all the stock data from the configuration library.
  • the arbitrary key pair is randomly extracted from the multiple key pairs using a random method, and the specific random method is the prior art, and will not be described in detail in this application.
  • the inventory data to be encrypted is stored in the configuration library. Further, the inventory data may be a work key, which is not limited in this application.
  • the obtaining all the inventory data from the configuration library includes:
  • the electronic device uses multiple threads to read the storage log in the configuration library, and further, the electronic device parses the storage log to obtain all the inventory data.
  • the first ciphertext is a message obtained by using the arbitrary public key to perform a certain algorithm calculation on all the stock data.
  • the use of any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data includes:
  • the electronic device determines any public key in the any key pair, and determines the first value and the target value of the any public key. Further, the electronic device uses a message digest algorithm to calculate all the inventory data, To obtain first data, the electronic device performs a power operation on the first data for the number of times to obtain second data, and the electronic device takes the remainder of the second data and the target value Operate to obtain the first ciphertext.
  • the digest algorithm can increase the difficulty of decrypting the first ciphertext.
  • the electronic device uses a message digest algorithm to calculate all the stored data, and can obtain the first data of a fixed length, which facilitates subsequent exponentiation and remainder operations on the first data.
  • the private key needs to be used to calculate the ciphertext according to the decryption algorithm. Therefore, in this case, the first ciphertext is decrypted, except for obtaining the same public key as the arbitrary public key. In addition to the corresponding arbitrary private key, a decryption algorithm corresponding to the encryption algorithm needs to be obtained.
  • the encryption algorithm refers to an algorithm that converts all the stock data into the first ciphertext.
  • the rotation request may be triggered by the user, or it may be triggered automatically when certain conditions are met, which is not limited in the present application.
  • the meeting certain conditions includes, but is not limited to: meeting the configuration time, the electronic device detects a data saving request, and the like.
  • the configuration time may include a time period (for example, the configuration time may be 10 days) and the like.
  • the determining any private key corresponding to the any public key according to an index includes:
  • the electronic device determines a target index corresponding to the arbitrary public key, and further, the electronic device obtains a private key corresponding to the target index from the index library as the arbitrary private key.
  • any private key corresponding to the any public key can be accurately determined.
  • the method further includes:
  • the electronic device When a data saving request is detected, the electronic device generates the rotation request according to the data saving request.
  • the electronic device inserts monitoring code into the configuration library, and the monitoring code is used to detect whether a keypress event or keydown event is generated in the configuration library.
  • the electronic device determines the target button that generated the keypress event or the keydown event, and further, the electronic device detects whether the target button is a save button, When detecting that the target button is the save button, the electronic device determines that a data save request is generated on the configuration library.
  • the saving request on the configuration library can be monitored in real time, effectively avoiding the omission of the data saving request, and thus avoiding the omission of generating the rotation request.
  • the electronic device in order to prevent the private key from being leaked during the configuration time, sets a validity period for each key pair, wherein the length of the validity period is equal to the length of the configuration time. The duration is consistent. When the electronic device detects that the validity period of the arbitrary key pair has expired, it will trigger the generation of the rotation request.
  • the plaintext refers to the readable information that the sender wants the receiver to obtain.
  • the plaintext refers to the The data obtained after the text is decrypted, in fact, the plain text is all the stored data.
  • the use of the arbitrary private key to decrypt the first ciphertext to obtain the plaintext includes:
  • the electronic device determines the second value and the target value of the arbitrary private key, and further, the electronic device performs operations on the first ciphertext to the power of the second value to obtain third data, so The electronic device performs a remainder operation on the third data and the target value to obtain fourth data, and the electronic device uses a message digest algorithm to calculate the fourth data to obtain the plaintext.
  • the fourth data refers to data corresponding to the first data.
  • the fourth data can be accurately obtained, and then the fourth data is processed through a message digest algorithm By calculation, the plaintext can be accurately obtained.
  • the target key pair and the arbitrary key pair are not the same key pair.
  • the extracting a target key pair from the multiple key pairs includes:
  • the electronic device removes the arbitrary key pair from the multiple key pairs to obtain the current key pair. Further, the electronic device randomly extracts any key pair from the current key pair, As the target key pair.
  • a target key pair different from the arbitrary key pair can be obtained, which avoids adopting the same key pair for rotation during the key rotation process, and improves the security of the key rotation.
  • the above-mentioned target key pair may also be stored in a node of a blockchain.
  • the target public key refers to a key capable of encrypting the plaintext
  • the second ciphertext uses the target public key to perform a certain amount on the plaintext. The message obtained after algorithm calculation.
  • the method further includes:
  • the electronic device obtains the request number of the rotation request, and further, the electronic device generates prompt information according to the request number and the second ciphertext, and sends the prompt information to the terminal device of the designated contact
  • the electronic device initiates a voice to the designated contact.
  • the designated contact person refers to the person in charge of controlling the key rotation request.
  • the value of the preset time can be arbitrarily configured according to specific scenarios.
  • the designated contact person can be reminded of the receipt of the prompt information.
  • the method further includes:
  • the electronic device When it is detected that the response to the rotation request is unsuccessful, the electronic device obtains the request number of the rotation request, and generates alarm information according to the request number. Further, the electronic device determines an alarm form according to the alarm information , Sending the alarm information to the designated contact in the alarm form.
  • the alarm form includes: email form, voice form, short message form, etc.
  • a suitable alarm form can be determined to send the alarm information.
  • this application improves the security level of all the stock data by performing key rotation on all the stock data.
  • the key rotation device 11 includes a generation unit 110, an extraction unit 111, an encryption unit 112, a determination unit 113, a decryption unit 114, an acquisition unit 115, and a sending unit 116.
  • the module/unit referred to in this application refers to a series of computer program segments that can be acquired by the processor 13 and can complete fixed functions, and are stored in the memory 12. In this embodiment, the functions of each module/unit will be described in detail in subsequent embodiments.
  • the generating unit 110 generates a plurality of key pairs, and establishes an index for the plurality of key pairs.
  • each key pair is composed of a public key and a private key.
  • the public key is the public part of the key pair.
  • the public key is usually used to encrypt the session key and verify the digital signature.
  • the public key can also be used to encrypt the data decrypted by the private key.
  • the public key It is composed of the target value and the first value.
  • the private key is the non-public part of the key pair.
  • the private key is usually used to decrypt the session key and verify the digital signature.
  • the private key can also be used to decrypt data encrypted by the public key.
  • the private key The key is composed of the target value and the second value.
  • the index represents a pointer to a key pair in a database table.
  • the generating unit 110 generating multiple key pairs includes:
  • the generating unit 110 obtains a preset number of bits, and generates a first pseudo random number and a second pseudo random number with the preset number of bits, and the generating unit 110 adopts the Fermat test method It is detected whether the first pseudo-random number and the second pseudo-random number are prime numbers, and when it is detected that the first pseudo-random number and the second pseudo-random number are both prime numbers, the generating unit 110 will The first pseudo-random number and the second pseudo-random number are multiplied to obtain a target value, and the generating unit 110 calculates the least common multiple between the first pseudo-random number and the second pseudo-random number, The generating unit 110 uses a pseudo-random number generator to generate a first candidate value that is greater than a preset value and less than the least common multiple, and uses a toss and turns division method to determine the greatest commonality between the first candidate value and the least common multiple When it is detected that the greatest common divisor is the preset value, the generating unit 110 determines
  • the value of the preset number of digits is not limited in this application, for example, the preset number of digits may be 8 digits.
  • the value of the preset value is 1.
  • the generating unit 110 generating the first pseudo-random number with the preset number of bits includes:
  • the generating unit 110 obtains an arbitrary password from a password library. Further, the generating unit 110 inputs the arbitrary password into a one-way hash function to obtain a hash value, and the generating unit 110 determines the hash The first digit is obtained, and the difference between the preset digit and the first digit is determined as the second digit. The generating unit 110 uses a mixed linear congruence method to generate The arbitrary number of the second digit, and splicing the hash value with the arbitrary number to obtain the first pseudo-random number.
  • the index of the key pair is determined according to the generation order of the key pair, that is, the earlier the key pair is generated, the smaller the index of the key pair is.
  • index corresponding to key pair A is index 1
  • index corresponding to key pair B is index 2.
  • indexing the multiple key pairs not only the key pairs in the database table can be quickly accessed, but also the private key corresponding to the public key in the key pair can be determined according to the index.
  • the key pair and the corresponding index are stored and stored in the index library.
  • the storage format of the key pair and the corresponding index can be, index No. 1: ⁇ Key pair C C public key; C private key of key pair C ⁇ .
  • the extraction unit 111 extracts any key pair from the multiple key pairs, and obtains all the stock data from the configuration library.
  • the arbitrary key pair is randomly extracted from the multiple key pairs using a random method, and the specific random method is the prior art, and will not be described in detail in this application.
  • the inventory data to be encrypted is stored in the configuration library. Further, the inventory data may be a work key, which is not limited in this application.
  • the extracting unit 111 acquiring all the inventory data from the configuration library includes:
  • the extracting unit 111 uses multiple threads to read the storage log in the configuration library. Further, the extracting unit 111 parses the storage log to obtain all the inventory data.
  • the encryption unit 112 uses any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data.
  • the first ciphertext is a message obtained by using the arbitrary public key to perform a certain algorithm calculation on all the stock data.
  • the encryption unit 112 uses any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data including :
  • the encryption unit 112 determines any public key in the arbitrary key pair, and determines the first value and the target value of the arbitrary public key. Further, the encryption unit 112 uses a message digest algorithm to calculate the total inventory Data to obtain first data, the encryption unit 112 performs power operations on the first data the number of times to obtain the second data, and the encryption unit 112 combines the second data with the target Perform a remainder operation on the numerical value to obtain the first ciphertext.
  • the digest algorithm can increase the difficulty of decrypting the first ciphertext.
  • the encryption unit 112 uses a message digest algorithm to calculate all the stored data, and can obtain the first data of a fixed length, which facilitates subsequent exponentiation and remainder operations on the first data.
  • the private key needs to be used to calculate the ciphertext according to the decryption algorithm. Therefore, in this case, the first ciphertext is decrypted, except for obtaining the same public key as the arbitrary public key. In addition to the corresponding arbitrary private key, a decryption algorithm corresponding to the encryption algorithm needs to be obtained.
  • the encryption algorithm refers to an algorithm that converts all the stock data into the first ciphertext.
  • the determining unit 113 determines any private key corresponding to the any public key according to the index.
  • the rotation request may be triggered by the user, or it may be triggered automatically when certain conditions are met, which is not limited in the present application.
  • the meeting certain conditions includes, but is not limited to: meeting the configuration time, the determining unit 113 detects a data saving request, and the like.
  • the configuration time may include a time period (for example, the configuration time may be 10 days) and the like.
  • the determining unit 113 determining any private key corresponding to the any public key according to the index includes:
  • the determining unit 113 determines a target index corresponding to the arbitrary public key. Further, the determining unit 113 obtains a private key corresponding to the target index from the index library as the arbitrary private key.
  • any private key corresponding to the any public key can be accurately determined.
  • the generating unit 110 when a data saving request is detected, the generating unit 110 generates the rotation request according to the data saving request.
  • the determining unit 113 inserts monitoring code into the configuration library, and the monitoring code is used to detect whether a keypress event or a keydown event is generated in the configuration library.
  • the determining unit 113 determines the target key that generated the keypress event or the keydown event. Further, the determining unit 113 detects whether the target key is A save button, when it is detected that the target button is the save button, the determining unit 113 determines that a data saving request is generated on the configuration library.
  • the saving request on the configuration library can be monitored in real time, effectively avoiding the omission of the data saving request, and thus avoiding the omission of generating the rotation request.
  • the generating unit 110 When detecting that the validity period of the arbitrary key pair expires, the generating unit 110 generates the rotation request.
  • the determining unit 113 sets a validity period for each key pair, wherein the duration of the validity period is the same as the configuration time. The duration is the same.
  • the decryption unit 114 uses the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext.
  • the plaintext refers to the readable information that the sender wants the receiver to obtain.
  • the plaintext refers to the The data obtained after the text is decrypted, in fact, the plain text is all the stored data.
  • the decryption unit 114 uses the arbitrary private key to decrypt the first ciphertext to obtain the plaintext including:
  • the decryption unit 114 determines the second value and the target value of the arbitrary private key. Further, the decryption unit 114 performs operations on the first ciphertext to the power of the second value to obtain third data The decryption unit 114 performs a remainder operation on the third data and the target value to obtain fourth data, and the decryption unit 114 uses a message digest algorithm to calculate the fourth data to obtain the plaintext.
  • the fourth data refers to data corresponding to the first data.
  • the fourth data can be accurately obtained, and then the fourth data is processed through a message digest algorithm By calculation, the plaintext can be accurately obtained.
  • the extraction unit 111 extracts a target key pair from the plurality of key pairs.
  • the target key pair and the arbitrary key pair are not the same key pair.
  • the extraction unit 111 extracting a target key pair from the multiple key pairs includes:
  • the extraction unit 111 removes the arbitrary key pair from the multiple key pairs to obtain the current key pair. Further, the extraction unit 111 randomly extracts any key from the current key pair Yes, as the target key pair.
  • a target key pair different from the arbitrary key pair can be obtained, which avoids adopting the same key pair for rotation during the key rotation process, and improves the security of the key rotation.
  • the above-mentioned target key pair may also be stored in a node of a blockchain.
  • the encryption unit 112 uses the target public key in the target key pair to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
  • the target public key refers to a key capable of encrypting the plaintext
  • the second ciphertext uses the target public key to perform a certain amount on the plaintext. The message obtained after algorithm calculation.
  • the obtaining unit 115 obtains the request number of the rotation request. Further, the generating unit 110 obtains the request number and the second ciphertext according to the request number and the second ciphertext.
  • the prompt information is generated, and the sending unit 116 sends the prompt information to the terminal device of the designated contact. When it is detected that the prompt information has not been received within a preset time, the sending unit 116 initiates a notification to the designated contact. voice.
  • the designated contact person refers to the person in charge of controlling the key rotation request.
  • the value of the preset time can be arbitrarily configured according to specific scenarios.
  • the designated contact person can be reminded of the receipt of the prompt information.
  • the obtaining unit 115 obtains the request number of the rotation request, and the generating unit 110 generates alarm information according to the request number, Further, the determining unit 113 determines an alarm form according to the alarm information, and the sending unit 116 sends the alarm information to the designated contact in the alarm form.
  • the alarm form includes: email form, voice form, short message form, etc.
  • a suitable alarm form can be determined to send the alarm information.
  • this application improves the security level of all the stock data by performing key rotation on all the stock data.
  • FIG. 3 it is a schematic structural diagram of an electronic device according to a preferred embodiment of the key rotation method according to the present application.
  • the electronic device 1 includes, but is not limited to, a memory 12, a processor 13, and a computer program stored in the memory 12 and running on the processor 13, such as Key rotation procedure.
  • the schematic diagram is only an example of the electronic device 1 and does not constitute a limitation on the electronic device 1.
  • the electronic device 1 may also include an input/output device, a network access device, a bus, and so on.
  • the processor 13 may be a central processing unit (Central Processing Unit, CPU), other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor can be a microprocessor or the processor can also be any conventional processor, etc.
  • the processor 13 is the computing core and control center of the electronic device 1 and connects the entire electronic device with various interfaces and lines. Each part of 1, and obtain the operating system of the electronic device 1, and various installed applications, program codes, etc.
  • the processor 13 obtains the operating system of the electronic device 1 and various installed applications.
  • the processor 13 obtains the application program to implement the steps in the above-mentioned key rotation method embodiments, for example, the steps shown in FIG. 1.
  • the computer program may be divided into one or more modules/units, and the one or more modules/units are stored in the memory 12 and acquired by the processor 13 to complete this Application.
  • the one or more modules/units may be a series of computer-readable instruction segments capable of completing specific functions, and the instruction segments are used to describe the acquisition process of the computer program in the electronic device 1.
  • the computer program may be divided into a generation unit 110, an extraction unit 111, an encryption unit 112, a determination unit 113, a decryption unit 114, an acquisition unit 115, and a transmission unit 116.
  • the memory 12 may be used to store the computer program and/or module, and the processor 13 runs or obtains the computer program and/or module stored in the memory 12 and calls the data stored in the memory 12, The various functions of the electronic device 1 are realized.
  • the memory 12 may mainly include a storage program area and a storage data area, where the storage program area may store an operating system, an application program required by at least one function (such as a sound playback function, an image playback function, etc.), etc.; the storage data area may Stores data, etc. created based on the use of electronic devices.
  • the memory 12 may include non-volatile memory and volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, and a flash memory card.
  • SMC Smart Media Card
  • SD Secure Digital
  • flash Card at least one magnetic disk storage device, flash memory device, random access memory, or other storage device.
  • the memory 12 may be an external memory and/or an internal memory of the electronic device 1. Further, the memory 12 may be a memory in a physical form, such as a memory stick, a TF card (Trans-flash Card), and so on.
  • TF card Trans-flash Card
  • the integrated module/unit of the electronic device 1 may be stored in a computer-readable storage medium, which may be non-easy.
  • a volatile storage medium can also be a volatile storage medium.
  • the blockchain referred to in this application is a new application mode of computer technology such as distributed data storage, point-to-point transmission, consensus mechanism, and encryption algorithm.
  • Blockchain is essentially a decentralized database. It is a series of data blocks associated with cryptographic methods. Each data block contains a batch of network transaction information for verification. The validity of the information (anti-counterfeiting) and the generation of the next block.
  • the blockchain can include the underlying platform of the blockchain, the platform product service layer, and the application service layer.
  • the computer program includes computer program code
  • the computer program code may be in a source code form, an object code form, an obtainable file, or some intermediate form, etc.
  • the computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, U disk, mobile hard disk, magnetic disk, optical disk, computer memory, read-only memory (ROM, Read-Only Memory) , Random access memory.
  • the memory 12 in the electronic device 1 stores multiple computer-readable instructions to implement a key rotation method
  • the processor 13 can acquire and execute the multiple computer-readable instructions to implement : Generate multiple key pairs, and index the multiple key pairs; extract any key pair from the multiple key pairs, and obtain all the stock data from the configuration library; use the arbitrary key pair Any public key in the key pair performs an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data; when a rotation request is received, any private key corresponding to the any public key is determined according to the index Use the arbitrary private key to decrypt the first ciphertext to obtain the plaintext; extract the target key pair from the multiple key pairs; use the target public key in the target key pair to Perform an encryption operation on the plain text to generate a second cipher text in response to the rotation request.
  • modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules can be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional modules in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware, or may be implemented in the form of hardware plus software functional modules.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Accounting & Taxation (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Finance (AREA)
  • Computer Hardware Design (AREA)
  • General Business, Economics & Management (AREA)
  • Software Systems (AREA)
  • Strategic Management (AREA)
  • Development Economics (AREA)
  • Technology Law (AREA)
  • Marketing (AREA)
  • Economics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present application pertains to information security, and provides a key rotation method. The method comprises: generating multiple key pairs, and establishing an index for the multiple key pairs; extracting a random key pair from the multiple key pairs, and acquiring all stock data from a configuration database; performing, by using a random public key of the random key pair, encryption computation on the entire stock data to obtain first ciphertext corresponding to the entire stock data; determining, upon receiving a rotation request, a private key corresponding to the public key according to the index; performing, by using the private key, decryption computation on the first ciphertext to obtain plaintext; extracting a target key pair from the multiple key pairs; and performing, by using a target public key in the target key pair, encryption computation on the plaintext, and generating second ciphertext to respond to the rotation request, thereby improving a security level of all of the stock data. The present application further relates to block chain technology, and the target key pair is stored in a block chain.

Description

密钥轮换方法、装置、电子设备及介质Key rotation method, device, electronic equipment and medium
本申请要求于2020年05月28日提交中国专利局,申请号为202010467085.X,发明名称为“密钥轮换方法、装置、电子设备及介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on May 28, 2020. The application number is 202010467085.X and the invention title is "Key rotation method, device, electronic equipment and medium". The entire content of the application is approved. The reference is incorporated in this application.
技术领域Technical field
本申请涉及信息安全的密码技术领域,尤其涉及一种密钥轮换方法、装置、电子设备及介质。This application relates to the technical field of information security cryptography, in particular to a key rotation method, device, electronic equipment and medium.
背景技术Background technique
在金融领域下,为了保证交易数据的安全,通常对交易数据对应的工作密钥进行加密,并存放于加密机中,然而,发明人意识到,随着互联网技术及人工智能技术的快速发展,工作密钥有可能从加密机中被导出,因此存在一定程度上的工作密钥泄露的风险。In the financial field, in order to ensure the security of transaction data, the working key corresponding to the transaction data is usually encrypted and stored in the encryption machine. However, the inventor realized that with the rapid development of Internet technology and artificial intelligence technology, The work key may be derived from the encryption machine, so there is a risk of leakage of the work key to a certain extent.
由于工作密钥的泄露会导致工作密钥加密的用户口令或密码等数据的泄露,因此,有必要提供一种工作密钥轮换方案,以提高加密数据的安全等级。Since the leakage of the work key can lead to the leakage of data such as the user password or password encrypted by the work key, it is necessary to provide a work key rotation scheme to improve the security level of the encrypted data.
发明内容Summary of the invention
鉴于以上内容,有必要提供一种密钥轮换方法、装置、电子设备及介质,能够提高所有存量数据的安全等级。In view of the above, it is necessary to provide a key rotation method, device, electronic equipment, and medium that can improve the security level of all stored data.
本申请的第一方面提供一种密钥轮换方法,所述密钥轮换方法包括:The first aspect of the present application provides a key rotation method, which includes:
生成多个密钥对,并为所述多个密钥对建立索引;Generating a plurality of key pairs, and establishing an index for the plurality of key pairs;
从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据;Extract any key pair from the plurality of key pairs, and obtain all the stock data from the configuration library;
采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文;Using any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data;
当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥;When a rotation request is received, determine any private key corresponding to the any public key according to the index;
采用所述任意私钥对所述第一密文进行解密运算,得到明文;Use the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext;
从所述多个密钥对中提取目标密钥对;Extracting a target key pair from the plurality of key pairs;
采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。The target public key in the target key pair is used to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
本申请的第二方面提供一种电子设备,所述电子设备包括处理器和存储器,所述处理器用于执行所述存储器中存储的计算机可读指令以实现以下步骤:A second aspect of the present application provides an electronic device including a processor and a memory, and the processor is configured to execute computer-readable instructions stored in the memory to implement the following steps:
生成多个密钥对,并为所述多个密钥对建立索引;Generating a plurality of key pairs, and establishing an index for the plurality of key pairs;
从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据;Extract any key pair from the plurality of key pairs, and obtain all the stock data from the configuration library;
采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文;Using any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data;
当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥;When a rotation request is received, determine any private key corresponding to the any public key according to the index;
采用所述任意私钥对所述第一密文进行解密运算,得到明文;Use the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext;
从所述多个密钥对中提取目标密钥对;Extracting a target key pair from the plurality of key pairs;
采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。The target public key in the target key pair is used to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
本申请的第三方面提供一种计算机可读存储介质,所述计算机可读存储介质上存储有至少一个计算机可读指令,所述至少一个计算机可读指令被处理器执行以实现以下步骤:A third aspect of the present application provides a computer-readable storage medium having at least one computer-readable instruction stored thereon, and the at least one computer-readable instruction is executed by a processor to implement the following steps:
生成多个密钥对,并为所述多个密钥对建立索引;Generating a plurality of key pairs, and establishing an index for the plurality of key pairs;
从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据;Extract any key pair from the plurality of key pairs, and obtain all the stock data from the configuration library;
采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文;Using any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data;
当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥;When a rotation request is received, determine any private key corresponding to the any public key according to the index;
采用所述任意私钥对所述第一密文进行解密运算,得到明文;Use the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext;
从所述多个密钥对中提取目标密钥对;Extracting a target key pair from the plurality of key pairs;
采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。The target public key in the target key pair is used to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
本申请的第四方面提供一种密钥轮换装置,所述密钥轮换装置包括:A fourth aspect of the present application provides a key rotation device, which includes:
生成单元,用于生成多个密钥对,并为所述多个密钥对建立索引;A generating unit, configured to generate multiple key pairs and establish indexes for the multiple key pairs;
提取单元,用于从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据;The extraction unit is used to extract any key pair from the multiple key pairs, and obtain all the stock data from the configuration library;
加密单元,用于采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文;An encryption unit, configured to use any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data;
确定单元,用于当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥;The determining unit is configured to determine any private key corresponding to the any public key according to the index when the rotation request is received;
解密单元,用于采用所述任意私钥对所述第一密文进行解密运算,得到明文;A decryption unit, configured to use the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext;
所述提取单元,还用于从所述多个密钥对中提取目标密钥对;The extraction unit is further configured to extract a target key pair from the multiple key pairs;
所述加密单元,还用于采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。The encryption unit is further configured to use the target public key in the target key pair to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
由以上技术方案可以看出,当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥,采用所述任意私钥对所述第一密文进行解密运算,得到明文,从所述多个密钥对中提取目标密钥对,进而采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,本申请能够在接收到轮换请求时,对所述所有存量数据进行密钥轮换,提高了所述所有存量数据的安全等级。It can be seen from the above technical solutions that when a rotation request is received, the arbitrary private key corresponding to the arbitrary public key is determined according to the index, and the arbitrary private key is used to decrypt the first ciphertext to obtain the plaintext. Extract a target key pair from the multiple key pairs, and then use the target public key in the target key pair to perform an encryption operation on the plaintext to generate a second ciphertext. This application can be used when a rotation request is received , Perform key rotation on all the stock data, which improves the security level of all the stock data.
附图说明Description of the drawings
图1是本申请密钥轮换方法的较佳实施例的流程图。Fig. 1 is a flowchart of a preferred embodiment of the key rotation method of the present application.
图2是本申请密钥轮换装置的较佳实施例的功能模块图。Fig. 2 is a functional block diagram of a preferred embodiment of the key rotation device of the present application.
图3是本申请实现密钥轮换方法的较佳实施例的电子设备的结构示意图。FIG. 3 is a schematic structural diagram of an electronic device according to a preferred embodiment of the key rotation method according to the present application.
具体实施方式Detailed ways
为了使本申请的目的、技术方案和优点更加清楚,下面结合附图和具体实施例对本申请进行详细描述。In order to make the objectives, technical solutions, and advantages of the present application clearer, the following describes the present application in detail with reference to the accompanying drawings and specific embodiments.
如图1所示,是本申请密钥轮换方法的较佳实施例的流程图。根据不同的需求,该流程图中步骤的顺序可以改变,某些步骤可以省略。As shown in Figure 1, it is a flowchart of a preferred embodiment of the key rotation method of the present application. According to different needs, the order of the steps in the flowchart can be changed, and some steps can be omitted.
本申请应用于智慧安防场景中,从而推动智慧城市的建设。所述密钥轮换方法应用于一个或者多个电子设备中,所述电子设备是一种能够按照事先设定或存储的指令,自动进行数值计算和/或信息处理的设备,其硬件包括但不限于微处理器、专用集成电路(Application Specific Integrated Circuit,ASIC)、可编程门阵列(Field-Programmable Gate Array,FPGA)、数字处理器(Digital Signal Processor,DSP)、嵌入式设备等。This application is applied in smart security scenarios to promote the construction of smart cities. The key rotation method is applied to one or more electronic devices. The electronic device is a device that can automatically perform numerical calculation and/or information processing in accordance with pre-set or stored instructions. Its hardware includes but not Limited to microprocessors, application specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital processors (Digital Signal Processors, DSPs), embedded devices, etc.
所述电子设备可以是任何一种可与用户进行人机交互的电子产品,例如,个人计算机、平板电脑、智能手机、个人数字助理(Personal Digital Assistant,PDA)、游戏机、交互式网络电视(Internet Protocol Television,IPTV)、智能式穿戴式设备等。The electronic device may be any electronic product that can interact with a user with a human machine, for example, a personal computer, a tablet computer, a smart phone, a personal digital assistant (PDA), a game console, an interactive network television ( Internet Protocol Television, IPTV), smart wearable devices, etc.
所述电子设备还可以包括网络设备和/或用户设备。其中,所述网络设备包括,但不限于单个网络服务器、多个网络服务器组成的服务器组或基于云计算(Cloud Computing)的由大 量主机或网络服务器构成的云。The electronic equipment may also include network equipment and/or user equipment. Wherein, the network device includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of hosts or network servers based on Cloud Computing.
所述电子设备所处的网络包括但不限于互联网、广域网、城域网、局域网、虚拟专用网络(Virtual Private Network,VPN)等。The network where the electronic device is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (Virtual Private Network, VPN), etc.
S10,生成多个密钥对,并为所述多个密钥对建立索引。S10: Generate multiple key pairs, and establish an index for the multiple key pairs.
在本申请的至少一个实施例中,每个密钥对是由公钥及私钥构成。所述公钥是密钥对中公开的部分,所述公钥通常用于加密会话密钥、验证数字签名,所述公钥还可以用于加密私钥解密的数据,另外,所述公钥是由目标数值及第一数值构成。所述私钥是密钥对中非公开的部分,所述私钥通常用于解密会话密钥、验证数字签名,所述私钥还可以用于解密公钥加密的数据,另外,所述私钥是由所述目标数值及第二数值构成。In at least one embodiment of the present application, each key pair is composed of a public key and a private key. The public key is the public part of the key pair. The public key is usually used to encrypt the session key and verify the digital signature. The public key can also be used to encrypt the data decrypted by the private key. In addition, the public key It is composed of the target value and the first value. The private key is the non-public part of the key pair. The private key is usually used to decrypt the session key and verify the digital signature. The private key can also be used to decrypt data encrypted by the public key. In addition, the private key The key is composed of the target value and the second value.
在本申请的至少一个实施例中,所述索引表征指向数据库表中的密钥对的指针。In at least one embodiment of the present application, the index represents a pointer to a key pair in a database table.
在本申请的至少一个实施例中,所述生成多个密钥对包括:In at least one embodiment of the present application, the generating multiple key pairs includes:
对于每个密钥对,所述电子设备获取预设位数,并生成具有所述预设位数的第一伪随机数及第二伪随机数,所述电子设备采用费马测试方法检测所述第一伪随机数及所述第二伪随机数是否为质数,当检测到所述第一伪随机数及所述第二伪随机数均为质数时,所述电子设备将所述第一伪随机数及所述第二伪随机数进行相乘运算,得到目标数值,所述电子设备计算所述第一伪随机数与所述第二伪随机数之间的最小公倍数,所述电子设备采用伪随机数生成器生成大于预设数值且小于所述最小公倍数的第一候选值,并采用辗转相除法确定所述第一候选值与所述最小公倍数之间的最大公约数,当检测到所述最大公约数为所述预设数值时,所述电子设备将所述第一候选值确定为第一数值,并将所述目标数值及所述第一数值确定为密钥对中的公钥,进一步地,所述电子设备采用伪随机数生成器生成大于所述预设数值且小于所述最小公倍数的第二候选值,将所述第二候选值及所述第一数值的乘积与所述最小公倍数进行取余运算,得到余数,当检测到所述余数为所述预设数值时,所述电子设备将所述第二候选值确定为第二数值,并将所述目标数值及所述第二数值确定为密钥对中的私钥。For each key pair, the electronic device obtains a preset number of bits, and generates a first pseudo random number and a second pseudo random number with the preset number of bits, and the electronic device uses the Fermat test method to detect the Whether the first pseudo-random number and the second pseudo-random number are prime numbers, when it is detected that the first pseudo-random number and the second pseudo-random number are both prime numbers, the electronic device will The pseudo-random number and the second pseudo-random number are multiplied to obtain a target value, the electronic device calculates the least common multiple between the first pseudo-random number and the second pseudo-random number, the electronic device A pseudo-random number generator is used to generate a first candidate value that is greater than a preset value and less than the least common multiple, and the greatest common divisor between the first candidate value and the least common multiple is determined by the toss and turns division method, when it is detected When the greatest common divisor is the preset value, the electronic device determines the first candidate value as a first value, and determines the target value and the first value as the common value in the key pair Further, the electronic device uses a pseudo-random number generator to generate a second candidate value that is greater than the preset value and less than the least common multiple, and the product of the second candidate value and the first value is added to The least common multiple performs a remainder operation to obtain a remainder, and when it is detected that the remainder is the preset value, the electronic device determines the second candidate value as a second value, and sets the target value and The second value is determined as the private key in the key pair.
其中,所述预设位数的取值是在本申请中不作限制,例如,所述预设位数可以是8位。Wherein, the value of the preset number of digits is not limited in this application, for example, the preset number of digits may be 8 digits.
进一步地,一般情况下,所述预设数值的取值为1。Further, in general, the value of the preset value is 1.
通过上述实施方式,能够生成互逆的公私钥,使得生成的私钥能够对公钥加密的数据进行解密。Through the foregoing implementation manners, reciprocal public and private keys can be generated, so that the generated private key can decrypt data encrypted by the public key.
在本申请的至少一个实施例中,所述生成具有所述预设位数的第一伪随机数包括:In at least one embodiment of the present application, the generating the first pseudo-random number with the preset number of bits includes:
所述电子设备从口令库中获取任意口令,进一步地,所述电子设备将所述任意口令输入至单向散列函数中,得到散列值,所述电子设备确定所述散列值的位数,得到第一位数,并将所述预设位数与所述第一位数的差值确定为第二位数,所述电子设备采用混合线性同余法生成具有所述第二位数的任意数,并将所述散列值与所述任意数进行拼接,得到所述第一伪随机数。The electronic device obtains an arbitrary password from a password library, and further, the electronic device inputs the arbitrary password into a one-way hash function to obtain a hash value, and the electronic device determines the position of the hash value The first digit is obtained, and the difference between the preset digit and the first digit is determined as the second digit, and the electronic device uses a mixed linear congruential method to generate the second digit And concatenate the hash value with the arbitrary number to obtain the first pseudo-random number.
通过上述实施方式,能够生成位数为所述预设位数的第一伪随机数。Through the foregoing implementation manner, it is possible to generate the first pseudo-random number whose number of digits is the preset number of digits.
在本申请的至少一个实施例中,根据密钥对的生成顺序确定密钥对的索引,也就是说,密钥对越早生成,密钥对的索引越小。In at least one embodiment of the present application, the index of the key pair is determined according to the generation order of the key pair, that is, the earlier the key pair is generated, the smaller the index of the key pair is.
例如:在生成密钥对A后,生成密钥对B,密钥对A对应的索引为1号索引,密钥对B对应的索引为2号索引。For example: after key pair A is generated, key pair B is generated, the index corresponding to key pair A is index 1, and the index corresponding to key pair B is index 2.
通过对所述多个密钥对建立索引,不仅能够快速访问数据库表中的密钥对,还能够根据所述索引确定密钥对中的公钥对应的私钥。By indexing the multiple key pairs, not only the key pairs in the database table can be quickly accessed, but also the private key corresponding to the public key in the key pair can be determined according to the index.
在为密钥对建立索引后,将密钥对及对应的索引进行存储,并存储于索引库中,密钥对及对应的索引的存储格式可以为,1号索引:{密钥对C的C公钥;密钥对C的C私钥}。After the key pair is indexed, the key pair and the corresponding index are stored and stored in the index library. The storage format of the key pair and the corresponding index can be, index No. 1: {Key pair C C public key; C private key of key pair C}.
S11,从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据。S11: Extract any key pair from the multiple key pairs, and obtain all the stock data from the configuration library.
在本申请的至少一个实施例中,所述任意密钥对是采用随机法从所述多个密钥对中随机提取的,具体的随机方式是现有技术,在本申请不作具体阐述。In at least one embodiment of the present application, the arbitrary key pair is randomly extracted from the multiple key pairs using a random method, and the specific random method is the prior art, and will not be described in detail in this application.
进一步地,所述配置库中存储着待加密的存量数据,进一步地,所述存量数据可以是工 作密钥,本申请不作限制。Further, the inventory data to be encrypted is stored in the configuration library. Further, the inventory data may be a work key, which is not limited in this application.
在本申请的至少一个实施例中,所述从配置库中获取所有存量数据包括:In at least one embodiment of the present application, the obtaining all the inventory data from the configuration library includes:
所述电子设备采用多线程读取所述配置库中的存储日志,进一步地,所述电子设备解析所述存储日志,得到所述所有存量数据。The electronic device uses multiple threads to read the storage log in the configuration library, and further, the electronic device parses the storage log to obtain all the inventory data.
通过上述实施方式,能够避免存量数据的遗漏,进而确保所述所有存量数据的完整性。Through the foregoing implementation manners, the omission of the stock data can be avoided, and the integrity of all the stock data can be ensured.
S12,采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文。S12. Use any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data.
在本申请的至少一个实施例中,所述第一密文是采用所述任意公钥对所述所有存量数据进行一定的算法计算后得到的报文。In at least one embodiment of the present application, the first ciphertext is a message obtained by using the arbitrary public key to perform a certain algorithm calculation on all the stock data.
在本申请的至少一个实施例中,所述采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文包括:In at least one embodiment of the present application, the use of any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data includes:
所述电子设备确定所述任意密钥对中的任意公钥,并确定所述任意公钥的第一数值及目标数值,进一步地,所述电子设备采用消息摘要算法计算所述所有存量数据,得到第一数据,所述电子设备对所述第一数据进行次数为所述第一数值的幂运算,得到第二数据,所述电子设备将所述第二数据与所述目标数值进行取余运算,得到所述第一密文。The electronic device determines any public key in the any key pair, and determines the first value and the target value of the any public key. Further, the electronic device uses a message digest algorithm to calculate all the inventory data, To obtain first data, the electronic device performs a power operation on the first data for the number of times to obtain second data, and the electronic device takes the remainder of the second data and the target value Operate to obtain the first ciphertext.
通过上述实施方式,能够将所述所有存量数据转换成所述第一密文,防止所述所有存量数据被不具有权限的用户篡改,提高了所述所有存量数据的安全性,另外,采用消息摘要算法能够加大所述第一密文的解密难度。Through the above-mentioned implementation manners, it is possible to convert all the stock data into the first ciphertext, prevent all the stock data from being tampered with by users without authority, and improve the security of all the stock data. In addition, the use of messages The digest algorithm can increase the difficulty of decrypting the first ciphertext.
具体地,所述电子设备采用消息摘要算法计算所述所有存量数据,能够得到固定长度的第一数据,便于后续对所述第一数据进行幂运算及取余运算。Specifically, the electronic device uses a message digest algorithm to calculate all the stored data, and can obtain the first data of a fixed length, which facilitates subsequent exponentiation and remainder operations on the first data.
可以理解的是,由于在解密的过程中,需要使用私钥对密文按照解密算法进行计算,因此,在本案中,对所述第一密文进行解密,除了获取到与所述任意公钥对应的任意私钥外,还需获取到与加密算法对应的解密算法。It is understandable that, in the decryption process, the private key needs to be used to calculate the ciphertext according to the decryption algorithm. Therefore, in this case, the first ciphertext is decrypted, except for obtaining the same public key as the arbitrary public key. In addition to the corresponding arbitrary private key, a decryption algorithm corresponding to the encryption algorithm needs to be obtained.
其中,所述加密算法是指将所述所有存量数据转换成所述第一密文的算法。Wherein, the encryption algorithm refers to an algorithm that converts all the stock data into the first ciphertext.
S13,当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥。S13: When the rotation request is received, determine any private key corresponding to the any public key according to the index.
在本申请的至少一个实施例中,所述轮换请求可以由用户触发,也可以在满足一定条件时自动触发,本申请不限制。In at least one embodiment of the present application, the rotation request may be triggered by the user, or it may be triggered automatically when certain conditions are met, which is not limited in the present application.
其中,所述满足一定条件包括,但不限于:满足配置时间、所述电子设备检测到数据保存请求等。Wherein, the meeting certain conditions includes, but is not limited to: meeting the configuration time, the electronic device detects a data saving request, and the like.
所述配置时间可以包括一个时间段(例如:所述配置时间可以是10天)等。The configuration time may include a time period (for example, the configuration time may be 10 days) and the like.
在本申请的至少一个实施例中,所述根据索引确定所述任意公钥对应的任意私钥包括:In at least one embodiment of the present application, the determining any private key corresponding to the any public key according to an index includes:
所述电子设备确定与所述任意公钥对应的目标索引,进一步地,所述电子设备从所述索引库中获取与所述目标索引对应的私钥,作为所述任意私钥。The electronic device determines a target index corresponding to the arbitrary public key, and further, the electronic device obtains a private key corresponding to the target index from the index library as the arbitrary private key.
通过上述实施方式,能够准确地确定与所述任意公钥对应的任意私钥。Through the foregoing implementation manners, any private key corresponding to the any public key can be accurately determined.
在本申请的至少一个实施例中,所述方法还包括:In at least one embodiment of the present application, the method further includes:
(1)当检测到数据保存请求时,所述电子设备根据所述数据保存请求生成所述轮换请求。(1) When a data saving request is detected, the electronic device generates the rotation request according to the data saving request.
在本申请的至少一个实施例中,所述电子设备在所述配置库中***监视代码,所述监视代码用于检测所述配置库中是否有keypress事件或者keydown事件产生,当所述配置库中有所述keypress事件或者所述keydown事件产生时,所述电子设备确定产生所述keypress事件或者所述keydown事件的目标按键,进一步地,所述电子设备检测所述目标按键是否为保存按键,当检测到所述目标按键为所述保存按键时,所述电子设备确定所述配置库上有数据保存请求产生。In at least one embodiment of the present application, the electronic device inserts monitoring code into the configuration library, and the monitoring code is used to detect whether a keypress event or keydown event is generated in the configuration library. When the keypress event or the keydown event is generated, the electronic device determines the target button that generated the keypress event or the keydown event, and further, the electronic device detects whether the target button is a save button, When detecting that the target button is the save button, the electronic device determines that a data save request is generated on the configuration library.
通过上述实施方式,能够实时监听所述配置库上的保存请求,有效地避免了数据保存请求的遗漏,进而避免遗漏生成所述轮换请求。Through the foregoing implementation manners, the saving request on the configuration library can be monitored in real time, effectively avoiding the omission of the data saving request, and thus avoiding the omission of generating the rotation request.
(2)当检测到所述任意密钥对的有效期届满时,所述电子设备生成所述轮换请求。(2) When detecting that the validity period of the arbitrary key pair expires, the electronic device generates the rotation request.
在本申请的至少一个实施例中,为了避免私钥在所述配置时间内被泄露,因此,所述电 子设备为每个密钥对设置了有效期,其中,有效期的时长与所述配置时间的时长是一致的。当所述电子设备检测到所述任意密钥对的有效期届满时,将会触发生成所述轮换请求。In at least one embodiment of the present application, in order to prevent the private key from being leaked during the configuration time, the electronic device sets a validity period for each key pair, wherein the length of the validity period is equal to the length of the configuration time. The duration is consistent. When the electronic device detects that the validity period of the arbitrary key pair has expired, it will trigger the generation of the rotation request.
S14,采用所述任意私钥对所述第一密文进行解密运算,得到明文。S14, using the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext.
在本申请的至少一个实施例中,在密码学中,所述明文是指传送方想要接收方获得的可读信息,具体地,在本案中,所述明文是指对所述第一密文进行解密后获得的数据,实际上,所述明文为所述所有存量数据。In at least one embodiment of the present application, in cryptography, the plaintext refers to the readable information that the sender wants the receiver to obtain. Specifically, in this case, the plaintext refers to the The data obtained after the text is decrypted, in fact, the plain text is all the stored data.
在本申请的至少一个实施例中,所述采用所述任意私钥对所述第一密文进行解密运算,得到明文包括:In at least one embodiment of the present application, the use of the arbitrary private key to decrypt the first ciphertext to obtain the plaintext includes:
所述电子设备确定所述任意私钥的第二数值及目标数值,进一步地,所述电子设备对所述第一密文进行次数为所述第二数值的幂运算,得到第三数据,所述电子设备将所述第三数据与所述目标数值进行取余运算,得到第四数据,所述电子设备采用消息摘要算法计算所述第四数据,得到所述明文。The electronic device determines the second value and the target value of the arbitrary private key, and further, the electronic device performs operations on the first ciphertext to the power of the second value to obtain third data, so The electronic device performs a remainder operation on the third data and the target value to obtain fourth data, and the electronic device uses a message digest algorithm to calculate the fourth data to obtain the plaintext.
其中,所述第四数据是指与所述第一数据对应的数据。Wherein, the fourth data refers to data corresponding to the first data.
通过采用与所述任意公钥对应的任意私钥,对所述第一密文进行幂运算及取余运算,能够准确得到所述第四数据,进而通过消息摘要算法对所述第四数据进行计算,能够准确地获取到所述明文。By using an arbitrary private key corresponding to the arbitrary public key to perform exponentiation and remainder operations on the first ciphertext, the fourth data can be accurately obtained, and then the fourth data is processed through a message digest algorithm By calculation, the plaintext can be accurately obtained.
S15,从所述多个密钥对中提取目标密钥对。S15. Extract a target key pair from the multiple key pairs.
在本申请的至少一个实施例中,所述目标密钥对与所述任意密钥对不是同一密钥对。In at least one embodiment of the present application, the target key pair and the arbitrary key pair are not the same key pair.
在本申请的至少一个实施例中,所述从所述多个密钥对中提取目标密钥对包括:In at least one embodiment of the present application, the extracting a target key pair from the multiple key pairs includes:
所述电子设备从所述多个密钥对中剔除所述任意密钥对,得到当前密钥对,进一步地,所述电子设备从所述当前密钥对中随机提取任一密钥对,作为所述目标密钥对。The electronic device removes the arbitrary key pair from the multiple key pairs to obtain the current key pair. Further, the electronic device randomly extracts any key pair from the current key pair, As the target key pair.
通过上述实施方式,能够得到与所述任意密钥对不同的目标密钥对,避免在进行密钥轮换的过程中采取同一密钥对进行轮换,提高了密钥轮换的安全性。Through the foregoing implementation manners, a target key pair different from the arbitrary key pair can be obtained, which avoids adopting the same key pair for rotation during the key rotation process, and improves the security of the key rotation.
需要强调的是,为进一步保证上述目标密钥对的私密和安全性,上述目标密钥对还可以存储于一区块链的节点中。It should be emphasized that, in order to further ensure the privacy and security of the above-mentioned target key pair, the above-mentioned target key pair may also be stored in a node of a blockchain.
S16,采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。S16. Use the target public key in the target key pair to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
在本申请的至少一个实施例中,所述目标公钥是指能够对所述明文进行加密的钥匙,进一步地,所述第二密文是采用所述目标公钥对所述明文进行一定的算法计算后得到的报文。In at least one embodiment of the present application, the target public key refers to a key capable of encrypting the plaintext, and further, the second ciphertext uses the target public key to perform a certain amount on the plaintext. The message obtained after algorithm calculation.
在本申请的至少一个实施例中,在生成第二密文后,所述方法还包括:In at least one embodiment of the present application, after the second ciphertext is generated, the method further includes:
所述电子设备获取所述轮换请求的请求编号,进一步地,所述电子设备根据所述请求编号及所述第二密文生成提示信息,并将所述提示信息发送至指定联系人的终端设备,当检测到所述提示信息在预设时间内未被接收时,所述电子设备向所述指定联系人发起语音。The electronic device obtains the request number of the rotation request, and further, the electronic device generates prompt information according to the request number and the second ciphertext, and sends the prompt information to the terminal device of the designated contact When it is detected that the prompt information has not been received within a preset time, the electronic device initiates a voice to the designated contact.
其中,所述指定联系人是指控制密钥轮换请求的负责人。Wherein, the designated contact person refers to the person in charge of controlling the key rotation request.
进一步地,所述预设时间的取值可以根据具体场景进行任意配置。Further, the value of the preset time can be arbitrarily configured according to specific scenarios.
通过上述实施方式,能够提醒所述指定联系人对所述提示信息的接收。Through the foregoing implementation manners, the designated contact person can be reminded of the receipt of the prompt information.
在本申请的至少一个实施例中,所述方法还包括:In at least one embodiment of the present application, the method further includes:
当检测到所述轮换请求响应不成功时,所述电子设备获取所述轮换请求的请求编号,并根据所述请求编号生成告警信息,进一步地,所述电子设备根据所述告警信息确定告警形式,以所述告警形式向所述指定联系人发送所述告警信息。When it is detected that the response to the rotation request is unsuccessful, the electronic device obtains the request number of the rotation request, and generates alarm information according to the request number. Further, the electronic device determines an alarm form according to the alarm information , Sending the alarm information to the designated contact in the alarm form.
其中,所述告警形式包括:邮件形式、语音形式、短信形式等。Wherein, the alarm form includes: email form, voice form, short message form, etc.
通过上述实施方式,能够确定合适的告警形式发送所述告警信息。Through the foregoing implementation manners, a suitable alarm form can be determined to send the alarm information.
由以上技术方案可以看出,本申请通过对所述所有存量数据进行密钥轮换,提高了所述所有存量数据的安全等级。It can be seen from the above technical solutions that this application improves the security level of all the stock data by performing key rotation on all the stock data.
如图2所示,是本申请密钥轮换装置的较佳实施例的功能模块图。所述密钥轮换装置11 包括生成单元110、提取单元111、加密单元112、确定单元113、解密单元114、获取单元115及发送单元116。本申请所称的模块/单元是指一种能够被处理器13所获取,并且能够完成固定功能的一系列计算机程序段,其存储在存储器12中。在本实施例中,关于各模块/单元的功能将在后续的实施例中详述。As shown in FIG. 2, it is a functional module diagram of a preferred embodiment of the key rotation device of the present application. The key rotation device 11 includes a generation unit 110, an extraction unit 111, an encryption unit 112, a determination unit 113, a decryption unit 114, an acquisition unit 115, and a sending unit 116. The module/unit referred to in this application refers to a series of computer program segments that can be acquired by the processor 13 and can complete fixed functions, and are stored in the memory 12. In this embodiment, the functions of each module/unit will be described in detail in subsequent embodiments.
生成单元110生成多个密钥对,并为所述多个密钥对建立索引。The generating unit 110 generates a plurality of key pairs, and establishes an index for the plurality of key pairs.
在本申请的至少一个实施例中,每个密钥对是由公钥及私钥构成。所述公钥是密钥对中公开的部分,所述公钥通常用于加密会话密钥、验证数字签名,所述公钥还可以用于加密私钥解密的数据,另外,所述公钥是由目标数值及第一数值构成。所述私钥是密钥对中非公开的部分,所述私钥通常用于解密会话密钥、验证数字签名,所述私钥还可以用于解密公钥加密的数据,另外,所述私钥是由所述目标数值及第二数值构成。In at least one embodiment of the present application, each key pair is composed of a public key and a private key. The public key is the public part of the key pair. The public key is usually used to encrypt the session key and verify the digital signature. The public key can also be used to encrypt the data decrypted by the private key. In addition, the public key It is composed of the target value and the first value. The private key is the non-public part of the key pair. The private key is usually used to decrypt the session key and verify the digital signature. The private key can also be used to decrypt data encrypted by the public key. In addition, the private key The key is composed of the target value and the second value.
在本申请的至少一个实施例中,所述索引表征指向数据库表中的密钥对的指针。In at least one embodiment of the present application, the index represents a pointer to a key pair in a database table.
在本申请的至少一个实施例中,所述生成单元110生成多个密钥对包括:In at least one embodiment of the present application, the generating unit 110 generating multiple key pairs includes:
对于每个密钥对,所述生成单元110获取预设位数,并生成具有所述预设位数的第一伪随机数及第二伪随机数,所述生成单元110采用费马测试方法检测所述第一伪随机数及所述第二伪随机数是否为质数,当检测到所述第一伪随机数及所述第二伪随机数均为质数时,所述生成单元110将所述第一伪随机数及所述第二伪随机数进行相乘运算,得到目标数值,所述生成单元110计算所述第一伪随机数与所述第二伪随机数之间的最小公倍数,所述生成单元110采用伪随机数生成器生成大于预设数值且小于所述最小公倍数的第一候选值,并采用辗转相除法确定所述第一候选值与所述最小公倍数之间的最大公约数,当检测到所述最大公约数为所述预设数值时,所述生成单元110将所述第一候选值确定为第一数值,并将所述目标数值及所述第一数值确定为密钥对中的公钥,进一步地,所述生成单元110采用伪随机数生成器生成大于所述预设数值且小于所述最小公倍数的第二候选值,将所述第二候选值及所述第一数值的乘积与所述最小公倍数进行取余运算,得到余数,当检测到所述余数为所述预设数值时,所述生成单元110将所述第二候选值确定为第二数值,并将所述目标数值及所述第二数值确定为密钥对中的私钥。For each key pair, the generating unit 110 obtains a preset number of bits, and generates a first pseudo random number and a second pseudo random number with the preset number of bits, and the generating unit 110 adopts the Fermat test method It is detected whether the first pseudo-random number and the second pseudo-random number are prime numbers, and when it is detected that the first pseudo-random number and the second pseudo-random number are both prime numbers, the generating unit 110 will The first pseudo-random number and the second pseudo-random number are multiplied to obtain a target value, and the generating unit 110 calculates the least common multiple between the first pseudo-random number and the second pseudo-random number, The generating unit 110 uses a pseudo-random number generator to generate a first candidate value that is greater than a preset value and less than the least common multiple, and uses a toss and turns division method to determine the greatest commonality between the first candidate value and the least common multiple When it is detected that the greatest common divisor is the preset value, the generating unit 110 determines the first candidate value as a first value, and determines the target value and the first value as For the public key in the key pair, further, the generating unit 110 uses a pseudo-random number generator to generate a second candidate value that is greater than the preset value and less than the least common multiple, and compares the second candidate value to the Perform a remainder operation on the product of the first value and the least common multiple to obtain a remainder. When it is detected that the remainder is the preset value, the generating unit 110 determines the second candidate value as a second value , And determine the target value and the second value as the private key in the key pair.
其中,所述预设位数的取值是在本申请中不作限制,例如,所述预设位数可以是8位。Wherein, the value of the preset number of digits is not limited in this application, for example, the preset number of digits may be 8 digits.
进一步地,一般情况下,所述预设数值的取值为1。Further, in general, the value of the preset value is 1.
通过上述实施方式,能够生成互逆的公私钥,使得生成的私钥能够对公钥加密的数据进行解密。Through the foregoing implementation manners, reciprocal public and private keys can be generated, so that the generated private key can decrypt data encrypted by the public key.
在本申请的至少一个实施例中,所述生成单元110生成具有所述预设位数的第一伪随机数包括:In at least one embodiment of the present application, the generating unit 110 generating the first pseudo-random number with the preset number of bits includes:
所述生成单元110从口令库中获取任意口令,进一步地,所述生成单元110将所述任意口令输入至单向散列函数中,得到散列值,所述生成单元110确定所述散列值的位数,得到第一位数,并将所述预设位数与所述第一位数的差值确定为第二位数,所述生成单元110采用混合线性同余法生成具有所述第二位数的任意数,并将所述散列值与所述任意数进行拼接,得到所述第一伪随机数。The generating unit 110 obtains an arbitrary password from a password library. Further, the generating unit 110 inputs the arbitrary password into a one-way hash function to obtain a hash value, and the generating unit 110 determines the hash The first digit is obtained, and the difference between the preset digit and the first digit is determined as the second digit. The generating unit 110 uses a mixed linear congruence method to generate The arbitrary number of the second digit, and splicing the hash value with the arbitrary number to obtain the first pseudo-random number.
通过上述实施方式,能够生成位数为所述预设位数的第一伪随机数。Through the foregoing implementation manner, it is possible to generate the first pseudo-random number whose number of digits is the preset number of digits.
在本申请的至少一个实施例中,根据密钥对的生成顺序确定密钥对的索引,也就是说,密钥对越早生成,密钥对的索引越小。In at least one embodiment of the present application, the index of the key pair is determined according to the generation order of the key pair, that is, the earlier the key pair is generated, the smaller the index of the key pair is.
例如:在生成密钥对A后,生成密钥对B,密钥对A对应的索引为1号索引,密钥对B对应的索引为2号索引。For example: after key pair A is generated, key pair B is generated, the index corresponding to key pair A is index 1, and the index corresponding to key pair B is index 2.
通过对所述多个密钥对建立索引,不仅能够快速访问数据库表中的密钥对,还能够根据所述索引确定密钥对中的公钥对应的私钥。By indexing the multiple key pairs, not only the key pairs in the database table can be quickly accessed, but also the private key corresponding to the public key in the key pair can be determined according to the index.
在为密钥对建立索引后,将密钥对及对应的索引进行存储,并存储于索引库中,密钥对及对应的索引的存储格式可以为,1号索引:{密钥对C的C公钥;密钥对C的C私钥}。After the key pair is indexed, the key pair and the corresponding index are stored and stored in the index library. The storage format of the key pair and the corresponding index can be, index No. 1: {Key pair C C public key; C private key of key pair C}.
提取单元111从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据。The extraction unit 111 extracts any key pair from the multiple key pairs, and obtains all the stock data from the configuration library.
在本申请的至少一个实施例中,所述任意密钥对是采用随机法从所述多个密钥对中随机提取的,具体的随机方式是现有技术,在本申请不作具体阐述。In at least one embodiment of the present application, the arbitrary key pair is randomly extracted from the multiple key pairs using a random method, and the specific random method is the prior art, and will not be described in detail in this application.
进一步地,所述配置库中存储着待加密的存量数据,进一步地,所述存量数据可以是工作密钥,本申请不作限制。Further, the inventory data to be encrypted is stored in the configuration library. Further, the inventory data may be a work key, which is not limited in this application.
在本申请的至少一个实施例中,所述提取单元111从配置库中获取所有存量数据包括:In at least one embodiment of the present application, the extracting unit 111 acquiring all the inventory data from the configuration library includes:
所述提取单元111采用多线程读取所述配置库中的存储日志,进一步地,所述提取单元111解析所述存储日志,得到所述所有存量数据。The extracting unit 111 uses multiple threads to read the storage log in the configuration library. Further, the extracting unit 111 parses the storage log to obtain all the inventory data.
通过上述实施方式,能够避免存量数据的遗漏,进而确保所述所有存量数据的完整性。Through the foregoing implementation manners, the omission of the stock data can be avoided, and the integrity of all the stock data can be ensured.
加密单元112采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文。The encryption unit 112 uses any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data.
在本申请的至少一个实施例中,所述第一密文是采用所述任意公钥对所述所有存量数据进行一定的算法计算后得到的报文。In at least one embodiment of the present application, the first ciphertext is a message obtained by using the arbitrary public key to perform a certain algorithm calculation on all the stock data.
在本申请的至少一个实施例中,所述加密单元112采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文包括:In at least one embodiment of the present application, the encryption unit 112 uses any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data including :
所述加密单元112确定所述任意密钥对中的任意公钥,并确定所述任意公钥的第一数值及目标数值,进一步地,所述加密单元112采用消息摘要算法计算所述所有存量数据,得到第一数据,所述加密单元112对所述第一数据进行次数为所述第一数值的幂运算,得到第二数据,所述加密单元112将所述第二数据与所述目标数值进行取余运算,得到所述第一密文。The encryption unit 112 determines any public key in the arbitrary key pair, and determines the first value and the target value of the arbitrary public key. Further, the encryption unit 112 uses a message digest algorithm to calculate the total inventory Data to obtain first data, the encryption unit 112 performs power operations on the first data the number of times to obtain the second data, and the encryption unit 112 combines the second data with the target Perform a remainder operation on the numerical value to obtain the first ciphertext.
通过上述实施方式,能够将所述所有存量数据转换成所述第一密文,防止所述所有存量数据被不具有权限的用户篡改,提高了所述所有存量数据的安全性,另外,采用消息摘要算法能够加大所述第一密文的解密难度。Through the above-mentioned implementation manners, it is possible to convert all the stock data into the first ciphertext, prevent all the stock data from being tampered with by users without authority, and improve the security of all the stock data. In addition, the use of messages The digest algorithm can increase the difficulty of decrypting the first ciphertext.
具体地,所述加密单元112采用消息摘要算法计算所述所有存量数据,能够得到固定长度的第一数据,便于后续对所述第一数据进行幂运算及取余运算。Specifically, the encryption unit 112 uses a message digest algorithm to calculate all the stored data, and can obtain the first data of a fixed length, which facilitates subsequent exponentiation and remainder operations on the first data.
可以理解的是,由于在解密的过程中,需要使用私钥对密文按照解密算法进行计算,因此,在本案中,对所述第一密文进行解密,除了获取到与所述任意公钥对应的任意私钥外,还需获取到与加密算法对应的解密算法。It is understandable that, in the decryption process, the private key needs to be used to calculate the ciphertext according to the decryption algorithm. Therefore, in this case, the first ciphertext is decrypted, except for obtaining the same public key as the arbitrary public key. In addition to the corresponding arbitrary private key, a decryption algorithm corresponding to the encryption algorithm needs to be obtained.
其中,所述加密算法是指将所述所有存量数据转换成所述第一密文的算法。Wherein, the encryption algorithm refers to an algorithm that converts all the stock data into the first ciphertext.
当接收到轮换请求时,确定单元113根据索引确定所述任意公钥对应的任意私钥。When the rotation request is received, the determining unit 113 determines any private key corresponding to the any public key according to the index.
在本申请的至少一个实施例中,所述轮换请求可以由用户触发,也可以在满足一定条件时自动触发,本申请不限制。In at least one embodiment of the present application, the rotation request may be triggered by the user, or it may be triggered automatically when certain conditions are met, which is not limited in the present application.
其中,所述满足一定条件包括,但不限于:满足配置时间、所述确定单元113检测到数据保存请求等。Wherein, the meeting certain conditions includes, but is not limited to: meeting the configuration time, the determining unit 113 detects a data saving request, and the like.
所述配置时间可以包括一个时间段(例如:所述配置时间可以是10天)等。The configuration time may include a time period (for example, the configuration time may be 10 days) and the like.
在本申请的至少一个实施例中,所述确定单元113根据索引确定所述任意公钥对应的任意私钥包括:In at least one embodiment of the present application, the determining unit 113 determining any private key corresponding to the any public key according to the index includes:
所述确定单元113确定与所述任意公钥对应的目标索引,进一步地,所述确定单元113从所述索引库中获取与所述目标索引对应的私钥,作为所述任意私钥。The determining unit 113 determines a target index corresponding to the arbitrary public key. Further, the determining unit 113 obtains a private key corresponding to the target index from the index library as the arbitrary private key.
通过上述实施方式,能够准确地确定与所述任意公钥对应的任意私钥。Through the foregoing implementation manners, any private key corresponding to the any public key can be accurately determined.
在本申请的至少一个实施例中,(1)当检测到数据保存请求时,所述生成单元110根据所述数据保存请求生成所述轮换请求。In at least one embodiment of the present application, (1) when a data saving request is detected, the generating unit 110 generates the rotation request according to the data saving request.
在本申请的至少一个实施例中,所述确定单元113在所述配置库中***监视代码,所述监视代码用于检测所述配置库中是否有keypress事件或者keydown事件产生,当所述配置库中有所述keypress事件或者所述keydown事件产生时,所述确定单元113确定产生所述keypress事件或者所述keydown事件的目标按键,进一步地,所述确定单元113检测所述目标按键是否为保存按键,当检测到所述目标按键为所述保存按键时,所述确定单元113确定所述配置库上有数据保存请求产生。In at least one embodiment of the present application, the determining unit 113 inserts monitoring code into the configuration library, and the monitoring code is used to detect whether a keypress event or a keydown event is generated in the configuration library. When the keypress event or the keydown event is generated in the library, the determining unit 113 determines the target key that generated the keypress event or the keydown event. Further, the determining unit 113 detects whether the target key is A save button, when it is detected that the target button is the save button, the determining unit 113 determines that a data saving request is generated on the configuration library.
通过上述实施方式,能够实时监听所述配置库上的保存请求,有效地避免了数据保存请求的遗漏,进而避免遗漏生成所述轮换请求。Through the foregoing implementation manners, the saving request on the configuration library can be monitored in real time, effectively avoiding the omission of the data saving request, and thus avoiding the omission of generating the rotation request.
(2)当检测到所述任意密钥对的有效期届满时,所述生成单元110生成所述轮换请求。(2) When detecting that the validity period of the arbitrary key pair expires, the generating unit 110 generates the rotation request.
在本申请的至少一个实施例中,为了避免私钥在所述配置时间内被泄露,因此,所述确定单元113为每个密钥对设置了有效期,其中,有效期的时长与所述配置时间的时长是一致的。当检测到所述任意密钥对的有效期届满时,将会触发生成所述轮换请求。In at least one embodiment of the present application, in order to prevent the private key from being leaked during the configuration time, the determining unit 113 sets a validity period for each key pair, wherein the duration of the validity period is the same as the configuration time. The duration is the same. When it is detected that the validity period of the arbitrary key pair has expired, the generation of the rotation request will be triggered.
解密单元114采用所述任意私钥对所述第一密文进行解密运算,得到明文。The decryption unit 114 uses the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext.
在本申请的至少一个实施例中,在密码学中,所述明文是指传送方想要接收方获得的可读信息,具体地,在本案中,所述明文是指对所述第一密文进行解密后获得的数据,实际上,所述明文为所述所有存量数据。In at least one embodiment of the present application, in cryptography, the plaintext refers to the readable information that the sender wants the receiver to obtain. Specifically, in this case, the plaintext refers to the The data obtained after the text is decrypted, in fact, the plain text is all the stored data.
在本申请的至少一个实施例中,所述解密单元114采用所述任意私钥对所述第一密文进行解密运算,得到明文包括:In at least one embodiment of the present application, the decryption unit 114 uses the arbitrary private key to decrypt the first ciphertext to obtain the plaintext including:
所述解密单元114确定所述任意私钥的第二数值及目标数值,进一步地,所述解密单元114对所述第一密文进行次数为所述第二数值的幂运算,得到第三数据,所述解密单元114将所述第三数据与所述目标数值进行取余运算,得到第四数据,所述解密单元114采用消息摘要算法计算所述第四数据,得到所述明文。The decryption unit 114 determines the second value and the target value of the arbitrary private key. Further, the decryption unit 114 performs operations on the first ciphertext to the power of the second value to obtain third data The decryption unit 114 performs a remainder operation on the third data and the target value to obtain fourth data, and the decryption unit 114 uses a message digest algorithm to calculate the fourth data to obtain the plaintext.
其中,所述第四数据是指与所述第一数据对应的数据。Wherein, the fourth data refers to data corresponding to the first data.
通过采用与所述任意公钥对应的任意私钥,对所述第一密文进行幂运算及取余运算,能够准确得到所述第四数据,进而通过消息摘要算法对所述第四数据进行计算,能够准确地获取到所述明文。By using an arbitrary private key corresponding to the arbitrary public key to perform exponentiation and remainder operations on the first ciphertext, the fourth data can be accurately obtained, and then the fourth data is processed through a message digest algorithm By calculation, the plaintext can be accurately obtained.
所述提取单元111从所述多个密钥对中提取目标密钥对。The extraction unit 111 extracts a target key pair from the plurality of key pairs.
在本申请的至少一个实施例中,所述目标密钥对与所述任意密钥对不是同一密钥对。In at least one embodiment of the present application, the target key pair and the arbitrary key pair are not the same key pair.
在本申请的至少一个实施例中,所述提取单元111从所述多个密钥对中提取目标密钥对包括:In at least one embodiment of the present application, the extraction unit 111 extracting a target key pair from the multiple key pairs includes:
所述提取单元111从所述多个密钥对中剔除所述任意密钥对,得到当前密钥对,进一步地,所述提取单元111从所述当前密钥对中随机提取任一密钥对,作为所述目标密钥对。The extraction unit 111 removes the arbitrary key pair from the multiple key pairs to obtain the current key pair. Further, the extraction unit 111 randomly extracts any key from the current key pair Yes, as the target key pair.
通过上述实施方式,能够得到与所述任意密钥对不同的目标密钥对,避免在进行密钥轮换的过程中采取同一密钥对进行轮换,提高了密钥轮换的安全性。Through the foregoing implementation manners, a target key pair different from the arbitrary key pair can be obtained, which avoids adopting the same key pair for rotation during the key rotation process, and improves the security of the key rotation.
需要强调的是,为进一步保证上述目标密钥对的私密和安全性,上述目标密钥对还可以存储于一区块链的节点中。It should be emphasized that, in order to further ensure the privacy and security of the above-mentioned target key pair, the above-mentioned target key pair may also be stored in a node of a blockchain.
所述加密单元112采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。The encryption unit 112 uses the target public key in the target key pair to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
在本申请的至少一个实施例中,所述目标公钥是指能够对所述明文进行加密的钥匙,进一步地,所述第二密文是采用所述目标公钥对所述明文进行一定的算法计算后得到的报文。In at least one embodiment of the present application, the target public key refers to a key capable of encrypting the plaintext, and further, the second ciphertext uses the target public key to perform a certain amount on the plaintext. The message obtained after algorithm calculation.
在本申请的至少一个实施例中,在生成第二密文后,获取单元115获取所述轮换请求的请求编号,进一步地,所述生成单元110根据所述请求编号及所述第二密文生成提示信息,发送单元116将所述提示信息发送至指定联系人的终端设备,当检测到所述提示信息在预设时间内未被接收时,所述发送单元116向所述指定联系人发起语音。In at least one embodiment of the present application, after generating the second ciphertext, the obtaining unit 115 obtains the request number of the rotation request. Further, the generating unit 110 obtains the request number and the second ciphertext according to the request number and the second ciphertext. The prompt information is generated, and the sending unit 116 sends the prompt information to the terminal device of the designated contact. When it is detected that the prompt information has not been received within a preset time, the sending unit 116 initiates a notification to the designated contact. voice.
其中,所述指定联系人是指控制密钥轮换请求的负责人。Wherein, the designated contact person refers to the person in charge of controlling the key rotation request.
进一步地,所述预设时间的取值可以根据具体场景进行任意配置。Further, the value of the preset time can be arbitrarily configured according to specific scenarios.
通过上述实施方式,能够提醒所述指定联系人对所述提示信息的接收。Through the foregoing implementation manners, the designated contact person can be reminded of the receipt of the prompt information.
在本申请的至少一个实施例中,当检测到所述轮换请求响应不成功时,所述获取单元115获取所述轮换请求的请求编号,所述生成单元110根据所述请求编号生成告警信息,进一步地,所述确定单元113根据所述告警信息确定告警形式,所述发送单元116以所述告警形式向所述指定联系人发送所述告警信息。In at least one embodiment of the present application, when it is detected that the rotation request response is unsuccessful, the obtaining unit 115 obtains the request number of the rotation request, and the generating unit 110 generates alarm information according to the request number, Further, the determining unit 113 determines an alarm form according to the alarm information, and the sending unit 116 sends the alarm information to the designated contact in the alarm form.
其中,所述告警形式包括:邮件形式、语音形式、短信形式等。Wherein, the alarm form includes: email form, voice form, short message form, etc.
通过上述实施方式,能够确定合适的告警形式发送所述告警信息。Through the foregoing implementation manners, a suitable alarm form can be determined to send the alarm information.
由以上技术方案可以看出,本申请通过对所述所有存量数据进行密钥轮换,提高了所述所有存量数据的安全等级。It can be seen from the above technical solutions that this application improves the security level of all the stock data by performing key rotation on all the stock data.
如图3所示,是本申请实现密钥轮换方法的较佳实施例的电子设备的结构示意图。As shown in FIG. 3, it is a schematic structural diagram of an electronic device according to a preferred embodiment of the key rotation method according to the present application.
在本申请的一个实施例中,所述电子设备1包括,但不限于,存储器12、处理器13,以及存储在所述存储器12中并可在所述处理器13上运行的计算机程序,例如密钥轮换程序。In an embodiment of the present application, the electronic device 1 includes, but is not limited to, a memory 12, a processor 13, and a computer program stored in the memory 12 and running on the processor 13, such as Key rotation procedure.
本领域技术人员可以理解,所述示意图仅仅是电子设备1的示例,并不构成对电子设备1的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件,例如所述电子设备1还可以包括输入输出设备、网络接入设备、总线等。Those skilled in the art can understand that the schematic diagram is only an example of the electronic device 1 and does not constitute a limitation on the electronic device 1. Components, for example, the electronic device 1 may also include an input/output device, a network access device, a bus, and so on.
所述处理器13可以是中央处理单元(Central Processing Unit,CPU),还可以是其他通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现场可编程门阵列(Field-Programmable Gate Array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等,所述处理器13是所述电子设备1的运算核心和控制中心,利用各种接口和线路连接整个电子设备1的各个部分,及获取所述电子设备1的操作***以及安装的各类应用程序、程序代码等。The processor 13 may be a central processing unit (Central Processing Unit, CPU), other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or the processor can also be any conventional processor, etc. The processor 13 is the computing core and control center of the electronic device 1 and connects the entire electronic device with various interfaces and lines. Each part of 1, and obtain the operating system of the electronic device 1, and various installed applications, program codes, etc.
所述处理器13获取所述电子设备1的操作***以及安装的各类应用程序。所述处理器13获取所述应用程序以实现上述各个密钥轮换方法实施例中的步骤,例如图1所示的步骤。The processor 13 obtains the operating system of the electronic device 1 and various installed applications. The processor 13 obtains the application program to implement the steps in the above-mentioned key rotation method embodiments, for example, the steps shown in FIG. 1.
示例性的,所述计算机程序可以被分割成一个或多个模块/单元,所述一个或者多个模块/单元被存储在所述存储器12中,并由所述处理器13获取,以完成本申请。所述一个或多个模块/单元可以是能够完成特定功能的一系列计算机可读指令段,该指令段用于描述所述计算机程序在所述电子设备1中的获取过程。例如,所述计算机程序可以被分割成生成单元110、提取单元111、加密单元112、确定单元113、解密单元114、获取单元115及发送单元116。Exemplarily, the computer program may be divided into one or more modules/units, and the one or more modules/units are stored in the memory 12 and acquired by the processor 13 to complete this Application. The one or more modules/units may be a series of computer-readable instruction segments capable of completing specific functions, and the instruction segments are used to describe the acquisition process of the computer program in the electronic device 1. For example, the computer program may be divided into a generation unit 110, an extraction unit 111, an encryption unit 112, a determination unit 113, a decryption unit 114, an acquisition unit 115, and a transmission unit 116.
所述存储器12可用于存储所述计算机程序和/或模块,所述处理器13通过运行或获取存储在所述存储器12内的计算机程序和/或模块,以及调用存储在存储器12内的数据,实现所述电子设备1的各种功能。所述存储器12可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作***、至少一个功能所需的应用程序(比如声音播放功能、图像播放功能等)等;存储数据区可存储根据电子设备的使用所创建的数据等。此外,存储器12可以包括非易失性存储器和易失性存储器,例如硬盘、内存、插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)、至少一个磁盘存储器件、闪存器件、随机存取存储器、或其他存储器件。The memory 12 may be used to store the computer program and/or module, and the processor 13 runs or obtains the computer program and/or module stored in the memory 12 and calls the data stored in the memory 12, The various functions of the electronic device 1 are realized. The memory 12 may mainly include a storage program area and a storage data area, where the storage program area may store an operating system, an application program required by at least one function (such as a sound playback function, an image playback function, etc.), etc.; the storage data area may Stores data, etc. created based on the use of electronic devices. In addition, the memory 12 may include non-volatile memory and volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, and a flash memory card. (Flash Card), at least one magnetic disk storage device, flash memory device, random access memory, or other storage device.
所述存储器12可以是电子设备1的外部存储器和/或内部存储器。进一步地,所述存储器12可以是具有实物形式的存储器,如内存条、TF卡(Trans-flash Card)等等。The memory 12 may be an external memory and/or an internal memory of the electronic device 1. Further, the memory 12 may be a memory in a physical form, such as a memory stick, a TF card (Trans-flash Card), and so on.
所述电子设备1集成的模块/单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中,所述计算机可读存储介质可以是非易失性的存储介质,也可以是易失性的存储介质。基于这样的理解,本申请实现上述实施例方法中的全部或部分流程,也可以通过计算机程序来指令相关的硬件来完成,所述的计算机程序可存储于一计算机可读存储介质中,该计算机程序在被处理器获取时,可实现上述各个方法实施例的步骤。If the integrated module/unit of the electronic device 1 is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium, which may be non-easy. A volatile storage medium can also be a volatile storage medium. Based on this understanding, this application implements all or part of the processes in the above-mentioned embodiments and methods, and can also be completed by instructing relevant hardware through a computer program. The computer program can be stored in a computer-readable storage medium. When the program is acquired by the processor, it can implement the steps of the foregoing method embodiments.
本申请所指区块链是分布式数据存储、点对点传输、共识机制、加密算法等计算机技术的新型应用模式。区块链(Blockchain),本质上是一个去中心化的数据库,是一串使用密码学方法相关联产生的数据块,每一个数据块中包含了一批次网络交易的信息,用于验证其信息的有效性(防伪)和生成下一个区块。区块链可以包括区块链底层平台、平台产品服务层以及应用服务层等。The blockchain referred to in this application is a new application mode of computer technology such as distributed data storage, point-to-point transmission, consensus mechanism, and encryption algorithm. Blockchain is essentially a decentralized database. It is a series of data blocks associated with cryptographic methods. Each data block contains a batch of network transaction information for verification. The validity of the information (anti-counterfeiting) and the generation of the next block. The blockchain can include the underlying platform of the blockchain, the platform product service layer, and the application service layer.
其中,所述计算机程序包括计算机程序代码,所述计算机程序代码可以为源代码形式、 对象代码形式、可获取文件或某些中间形式等。所述计算机可读介质可以包括:能够携带所述计算机程序代码的任何实体或装置、记录介质、U盘、移动硬盘、磁碟、光盘、计算机存储器、只读存储器(ROM,Read-Only Memory)、随机存取存储器。Wherein, the computer program includes computer program code, and the computer program code may be in a source code form, an object code form, an obtainable file, or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, U disk, mobile hard disk, magnetic disk, optical disk, computer memory, read-only memory (ROM, Read-Only Memory) , Random access memory.
结合图1,所述电子设备1中的所述存储器12存储多个计算机可读指令以实现一种密钥轮换方法,所述处理器13可获取及执行所述多个计算机可读指令从而实现:生成多个密钥对,并为所述多个密钥对建立索引;从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据;采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文;当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥;采用所述任意私钥对所述第一密文进行解密运算,得到明文;从所述多个密钥对中提取目标密钥对;采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。With reference to FIG. 1, the memory 12 in the electronic device 1 stores multiple computer-readable instructions to implement a key rotation method, and the processor 13 can acquire and execute the multiple computer-readable instructions to implement : Generate multiple key pairs, and index the multiple key pairs; extract any key pair from the multiple key pairs, and obtain all the stock data from the configuration library; use the arbitrary key pair Any public key in the key pair performs an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data; when a rotation request is received, any private key corresponding to the any public key is determined according to the index Use the arbitrary private key to decrypt the first ciphertext to obtain the plaintext; extract the target key pair from the multiple key pairs; use the target public key in the target key pair to Perform an encryption operation on the plain text to generate a second cipher text in response to the rotation request.
具体地,所述处理器13对上述指令的具体实现方法可参考图1对应实施例中相关步骤的描述,在此不赘述。Specifically, for the specific implementation method of the above-mentioned instructions by the processor 13, reference may be made to the description of the relevant steps in the embodiment corresponding to FIG. 1, which will not be repeated here.
在本申请所提供的几个实施例中,应该理解到,所揭露的***,装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述模块的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式。In the several embodiments provided in this application, it should be understood that the disclosed system, device, and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative. For example, the division of the modules is only a logical function division, and there may be other division methods in actual implementation.
所述作为分离部件说明的模块可以是或者也可以不是物理上分开的,作为模块显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。The modules described as separate components may or may not be physically separated, and the components displayed as modules may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules can be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
另外,在本申请各个实施例中的各功能模块可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用硬件加软件功能模块的形式实现。In addition, the functional modules in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The above-mentioned integrated unit may be implemented in the form of hardware, or may be implemented in the form of hardware plus software functional modules.
因此,无论从哪一点来看,均应将实施例看作是示范性的,而且是非限制性的,本申请的范围由所附权利要求而不是上述说明限定,因此旨在将落在权利要求的等同要件的含义和范围内的所有变化涵括在本申请内。不应将权利要求中的任何附关联图标记视为限制所涉及的权利要求。Therefore, no matter from which point of view, the embodiments should be regarded as exemplary and non-restrictive. The scope of this application is defined by the appended claims rather than the above description, and therefore it is intended to fall into the claims. All changes in the meaning and scope of the equivalent elements of are included in this application. Any reference signs in the claims should not be regarded as limiting the claims involved.
此外,显然“包括”一词不排除其他单元或步骤,单数不排除复数。说明书中陈述的多个单元或装置也可以由一个单元或装置通过软件或者硬件来实现。第一、第二等词语用来表示名称,而并不表示任何特定的顺序。In addition, it is obvious that the word "including" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in the specification can also be implemented by one unit or device through software or hardware. Words such as first and second are used to denote names, but do not denote any specific order.
最后应说明的是,以上实施例仅用以说明本申请的技术方案而非限制,尽管参照较佳实施例对本申请进行了详细说明,本领域的普通技术人员应当理解,可以对本申请的技术方案进行修改或等同替换,而不脱离本申请技术方案的精神和范围。Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the application and not to limit them. Although the application has been described in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that the technical solutions of the application can be Make modifications or equivalent replacements without departing from the spirit and scope of the technical solution of the present application.

Claims (20)

  1. 一种密钥轮换方法,其中,所述密钥轮换方法包括:A key rotation method, wherein the key rotation method includes:
    生成多个密钥对,并为所述多个密钥对建立索引;Generating a plurality of key pairs, and establishing an index for the plurality of key pairs;
    从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据;Extract any key pair from the plurality of key pairs, and obtain all the stock data from the configuration library;
    采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文;Using any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data;
    当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥;When a rotation request is received, determine any private key corresponding to the any public key according to the index;
    采用所述任意私钥对所述第一密文进行解密运算,得到明文;Use the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext;
    从所述多个密钥对中提取目标密钥对;Extracting a target key pair from the plurality of key pairs;
    采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。The target public key in the target key pair is used to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
  2. 根据权利要求1所述的密钥轮换方法,其中,所述生成多个密钥对包括:The method for key rotation according to claim 1, wherein said generating a plurality of key pairs comprises:
    对于每个密钥对,获取预设位数,并生成具有所述预设位数的第一伪随机数及第二伪随机数;For each key pair, obtain a preset number of bits, and generate a first pseudo random number and a second pseudo random number with the preset number of bits;
    采用费马测试方法检测所述第一伪随机数及所述第二伪随机数是否为质数;Adopting the Fermat test method to detect whether the first pseudo-random number and the second pseudo-random number are prime numbers;
    当检测到所述第一伪随机数及所述第二伪随机数均为质数时,将所述第一伪随机数及所述第二伪随机数进行相乘运算,得到目标数值;When it is detected that the first pseudo-random number and the second pseudo-random number are both prime numbers, multiplying the first pseudo-random number and the second pseudo-random number to obtain a target value;
    计算所述第一伪随机数与所述第二伪随机数之间的最小公倍数;Calculating the least common multiple between the first pseudo-random number and the second pseudo-random number;
    采用伪随机数生成器生成大于预设数值且小于所述最小公倍数的第一候选值,并采用辗转相除法确定所述第一候选值与所述最小公倍数之间的最大公约数;Using a pseudo-random number generator to generate a first candidate value that is greater than a preset value and less than the least common multiple, and determining the greatest common divisor between the first candidate value and the least common multiple by using a toss and turns division method;
    当检测到所述最大公约数为所述预设数值时,将所述第一候选值确定为第一数值,并将所述目标数值及所述第一数值确定为密钥对中的公钥;When it is detected that the greatest common divisor is the preset value, the first candidate value is determined as a first value, and the target value and the first value are determined as the public key in the key pair ;
    采用伪随机数生成器生成大于所述预设数值且小于所述最小公倍数的第二候选值,将所述第二候选值及所述第一数值的乘积与所述最小公倍数进行取余运算,得到余数;A pseudo-random number generator is used to generate a second candidate value greater than the preset value and less than the least common multiple, and the product of the second candidate value and the first value and the least common multiple are subjected to a remainder operation, Get the remainder
    当检测到所述余数为所述预设数值时,将所述第二候选值确定为第二数值,并将所述目标数值及所述第二数值确定为密钥对中的私钥。When it is detected that the remainder is the preset value, the second candidate value is determined as a second value, and the target value and the second value are determined as the private key in the key pair.
  3. 根据权利要求2所述的密钥轮换方法,其中,所述生成具有所述预设位数的第一伪随机数包括:The method for key rotation according to claim 2, wherein said generating a first pseudo-random number with said preset number of bits comprises:
    从口令库中获取任意口令;Obtain any password from the password database;
    将所述任意口令输入至单向散列函数中,得到散列值;Input the arbitrary password into a one-way hash function to obtain a hash value;
    确定所述散列值的位数,得到第一位数,并将所述预设位数与所述第一位数的差值确定为第二位数;Determining the number of digits of the hash value to obtain the first number of digits, and determining the difference between the preset number of digits and the first number of digits as the second number of digits;
    采用混合线性同余法生成具有所述第二位数的任意数;Using a mixed linear congruence method to generate any number with the second digit;
    将所述散列值与所述任意数进行拼接,得到所述第一伪随机数。The hash value and the arbitrary number are spliced together to obtain the first pseudo-random number.
  4. 根据权利要求1所述的密钥轮换方法,其中,所述采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文包括:The method for key rotation according to claim 1, wherein said any public key in said arbitrary key pair is used to perform an encryption operation on said all stock data to obtain the first ciphertext corresponding to said all stock data include:
    确定所述任意密钥对中的任意公钥,并确定所述任意公钥的第一数值及目标数值;Determine any public key in the any key pair, and determine the first value and the target value of the any public key;
    采用消息摘要算法计算所述所有存量数据,得到第一数据;Calculate all the stock data using a message digest algorithm to obtain the first data;
    对所述第一数据进行次数为所述第一数值的幂运算,得到第二数据;Performing power operations on the first data to obtain the second data;
    将所述第二数据与所述目标数值进行取余运算,得到所述第一密文。Perform a remainder operation on the second data and the target value to obtain the first ciphertext.
  5. 根据权利要求1所述的密钥轮换方法,其中,所述密钥轮换方法还包括:The key rotation method according to claim 1, wherein the key rotation method further comprises:
    当检测到数据保存请求时,根据所述数据保存请求生成所述轮换请求;及/或When a data saving request is detected, the rotation request is generated according to the data saving request; and/or
    当检测到所述任意密钥对的有效期届满时,生成所述轮换请求。When it is detected that the validity period of the arbitrary key pair has expired, the rotation request is generated.
  6. 根据权利要求1所述的密钥轮换方法,其中,所述采用所述任意私钥对所述第一密 文进行解密运算,得到明文包括:The method for key rotation according to claim 1, wherein said using said arbitrary private key to perform a decryption operation on said first ciphertext to obtain a plaintext comprises:
    确定所述任意私钥的第二数值及目标数值;Determine the second value and the target value of the arbitrary private key;
    对所述第一密文进行次数为所述第二数值的幂运算,得到第三数据;Performing power operations on the first ciphertext with the number of times the second value to obtain third data;
    将所述第三数据与所述目标数值进行取余运算,得到第四数据;Performing a remainder operation on the third data and the target value to obtain fourth data;
    采用消息摘要算法计算所述第四数据,得到所述明文。A message digest algorithm is used to calculate the fourth data to obtain the plaintext.
  7. 根据权利要求1所述的密钥轮换方法,其中,在生成第二密文后,所述密钥轮换方法还包括:The key rotation method according to claim 1, wherein, after the second ciphertext is generated, the key rotation method further comprises:
    获取所述轮换请求的请求编号;Acquiring the request number of the rotation request;
    根据所述请求编号及所述第二密文生成提示信息;Generating prompt information according to the request number and the second ciphertext;
    将所述提示信息发送至指定联系人的终端设备;Sending the prompt information to the terminal device of the designated contact;
    当检测到所述提示信息在预设时间内未被接收时,向所述指定联系人发起语音。When it is detected that the prompt information has not been received within a preset time, a voice is initiated to the designated contact.
  8. 一种密钥轮换装置,其中,所述密钥轮换装置包括:A key rotation device, wherein the key rotation device includes:
    生成单元,用于生成多个密钥对,并为所述多个密钥对建立索引;A generating unit, configured to generate multiple key pairs and establish indexes for the multiple key pairs;
    提取单元,用于从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据;The extraction unit is used to extract any key pair from the multiple key pairs, and obtain all the stock data from the configuration library;
    加密单元,用于采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文;An encryption unit, configured to use any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data;
    确定单元,用于当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥;The determining unit is configured to determine any private key corresponding to the any public key according to the index when the rotation request is received;
    解密单元,用于采用所述任意私钥对所述第一密文进行解密运算,得到明文;A decryption unit, configured to use the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext;
    所述提取单元,还用于从所述多个密钥对中提取目标密钥对;The extraction unit is further configured to extract a target key pair from the multiple key pairs;
    所述加密单元,还用于采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。The encryption unit is further configured to use the target public key in the target key pair to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
  9. 一种电子设备,其中,所述电子设备包括处理器和存储器,所述处理器用于执行存储器中存储的至少一个计算机可读指令以实现以下步骤:An electronic device, wherein the electronic device includes a processor and a memory, and the processor is configured to execute at least one computer-readable instruction stored in the memory to implement the following steps:
    生成多个密钥对,并为所述多个密钥对建立索引;Generating a plurality of key pairs, and establishing an index for the plurality of key pairs;
    从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据;Extract any key pair from the plurality of key pairs, and obtain all the stock data from the configuration library;
    采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文;Using any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data;
    当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥;When a rotation request is received, determine any private key corresponding to the any public key according to the index;
    采用所述任意私钥对所述第一密文进行解密运算,得到明文;Use the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext;
    从所述多个密钥对中提取目标密钥对;Extracting a target key pair from the plurality of key pairs;
    采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。The target public key in the target key pair is used to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
  10. 根据权利要求9所述的电子设备,其中,在所述生成多个密钥对时,所述处理器执行所述至少一个计算机可读指令以实现以下步骤:The electronic device according to claim 9, wherein, when the plurality of key pairs are generated, the processor executes the at least one computer-readable instruction to implement the following steps:
    对于每个密钥对,获取预设位数,并生成具有所述预设位数的第一伪随机数及第二伪随机数;For each key pair, obtain a preset number of bits, and generate a first pseudo random number and a second pseudo random number with the preset number of bits;
    采用费马测试方法检测所述第一伪随机数及所述第二伪随机数是否为质数;Adopting the Fermat test method to detect whether the first pseudo-random number and the second pseudo-random number are prime numbers;
    当检测到所述第一伪随机数及所述第二伪随机数均为质数时,将所述第一伪随机数及所述第二伪随机数进行相乘运算,得到目标数值;When it is detected that the first pseudo-random number and the second pseudo-random number are both prime numbers, multiplying the first pseudo-random number and the second pseudo-random number to obtain a target value;
    计算所述第一伪随机数与所述第二伪随机数之间的最小公倍数;Calculating the least common multiple between the first pseudo-random number and the second pseudo-random number;
    采用伪随机数生成器生成大于预设数值且小于所述最小公倍数的第一候选值,并采用辗转相除法确定所述第一候选值与所述最小公倍数之间的最大公约数;Using a pseudo-random number generator to generate a first candidate value that is greater than a preset value and less than the least common multiple, and determining the greatest common divisor between the first candidate value and the least common multiple by using a toss and turns division method;
    当检测到所述最大公约数为所述预设数值时,将所述第一候选值确定为第一数值,并将所述目标数值及所述第一数值确定为密钥对中的公钥;When it is detected that the greatest common divisor is the preset value, the first candidate value is determined as a first value, and the target value and the first value are determined as the public key in the key pair ;
    采用伪随机数生成器生成大于所述预设数值且小于所述最小公倍数的第二候选值,将所述第二候选值及所述第一数值的乘积与所述最小公倍数进行取余运算,得到余数;A pseudo-random number generator is used to generate a second candidate value greater than the preset value and less than the least common multiple, and the product of the second candidate value and the first value and the least common multiple are subjected to a remainder operation, Get the remainder
    当检测到所述余数为所述预设数值时,将所述第二候选值确定为第二数值,并将所述目标数值及所述第二数值确定为密钥对中的私钥。When it is detected that the remainder is the preset value, the second candidate value is determined as a second value, and the target value and the second value are determined as the private key in the key pair.
  11. 根据权利要求10所述的电子设备,其中,在所述生成具有所述预设位数的第一伪随机数时,所述处理器执行所述至少一个计算机可读指令以实现以下步骤:The electronic device according to claim 10, wherein, when the first pseudo-random number having the preset number of bits is generated, the processor executes the at least one computer-readable instruction to implement the following steps:
    从口令库中获取任意口令;Obtain any password from the password database;
    将所述任意口令输入至单向散列函数中,得到散列值;Input the arbitrary password into a one-way hash function to obtain a hash value;
    确定所述散列值的位数,得到第一位数,并将所述预设位数与所述第一位数的差值确定为第二位数;Determining the number of digits of the hash value to obtain the first number of digits, and determining the difference between the preset number of digits and the first number of digits as the second number of digits;
    采用混合线性同余法生成具有所述第二位数的任意数;Using a mixed linear congruence method to generate any number with the second digit;
    将所述散列值与所述任意数进行拼接,得到所述第一伪随机数。The hash value and the arbitrary number are spliced together to obtain the first pseudo-random number.
  12. 根据权利要求9所述的电子设备,其中,在所述采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文时,所述处理器执行所述至少一个计算机可读指令以实现以下步骤:The electronic device according to claim 9, wherein when the first ciphertext corresponding to all the inventory data is obtained by using any public key in the arbitrary key pair to perform an encryption operation on the all inventory data , The processor executes the at least one computer-readable instruction to implement the following steps:
    确定所述任意密钥对中的任意公钥,并确定所述任意公钥的第一数值及目标数值;Determine any public key in the any key pair, and determine the first value and the target value of the any public key;
    采用消息摘要算法计算所述所有存量数据,得到第一数据;Calculate all the stock data using a message digest algorithm to obtain the first data;
    对所述第一数据进行次数为所述第一数值的幂运算,得到第二数据;Performing power operations on the first data to obtain the second data;
    将所述第二数据与所述目标数值进行取余运算,得到所述第一密文。Perform a remainder operation on the second data and the target value to obtain the first ciphertext.
  13. 根据权利要求9所述的电子设备,其中,所述处理器执行所述至少一个计算机可读指令还用以实现以下步骤:The electronic device according to claim 9, wherein the execution of the at least one computer-readable instruction by the processor is further configured to implement the following steps:
    当检测到数据保存请求时,根据所述数据保存请求生成所述轮换请求;及/或When a data saving request is detected, the rotation request is generated according to the data saving request; and/or
    当检测到所述任意密钥对的有效期届满时,生成所述轮换请求。When it is detected that the validity period of the arbitrary key pair has expired, the rotation request is generated.
  14. 根据权利要求9所述的电子设备,其中,在所述采用所述任意私钥对所述第一密文进行解密运算,得到明文时,所述处理器执行所述至少一个计算机可读指令以实现以下步骤:The electronic device according to claim 9, wherein, when the first ciphertext is decrypted by using the arbitrary private key to obtain the plaintext, the processor executes the at least one computer-readable instruction to Implement the following steps:
    确定所述任意私钥的第二数值及目标数值;Determine the second value and the target value of the arbitrary private key;
    对所述第一密文进行次数为所述第二数值的幂运算,得到第三数据;Performing power operations on the first ciphertext with the number of times the second value to obtain third data;
    将所述第三数据与所述目标数值进行取余运算,得到第四数据;Performing a remainder operation on the third data and the target value to obtain fourth data;
    采用消息摘要算法计算所述第四数据,得到所述明文。A message digest algorithm is used to calculate the fourth data to obtain the plaintext.
  15. 一种计算机可读存储介质,其中,所述计算机可读存储介质存储有至少一个计算机可读指令,所述至少一个计算机可读指令被处理器执行时实现以下步骤:A computer-readable storage medium, wherein the computer-readable storage medium stores at least one computer-readable instruction, and when the at least one computer-readable instruction is executed by a processor, the following steps are implemented:
    生成多个密钥对,并为所述多个密钥对建立索引;Generating a plurality of key pairs, and establishing an index for the plurality of key pairs;
    从所述多个密钥对中提取任意密钥对,并从配置库中获取所有存量数据;Extract any key pair from the plurality of key pairs, and obtain all the stock data from the configuration library;
    采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文;Using any public key in the arbitrary key pair to perform an encryption operation on all the stock data to obtain the first ciphertext corresponding to all the stock data;
    当接收到轮换请求时,根据索引确定所述任意公钥对应的任意私钥;When a rotation request is received, determine any private key corresponding to the any public key according to the index;
    采用所述任意私钥对所述第一密文进行解密运算,得到明文;Use the arbitrary private key to perform a decryption operation on the first ciphertext to obtain a plaintext;
    从所述多个密钥对中提取目标密钥对;Extracting a target key pair from the plurality of key pairs;
    采用所述目标密钥对中的目标公钥对所述明文进行加密运算,生成第二密文,以响应所述轮换请求。The target public key in the target key pair is used to perform an encryption operation on the plaintext to generate a second ciphertext in response to the rotation request.
  16. 根据权利要求15所述的存储介质,其中,在所述生成多个密钥对时,所述至少一个计算机可读指令被处理器执行以实现以下步骤:15. The storage medium according to claim 15, wherein, when the plurality of key pairs are generated, the at least one computer readable instruction is executed by a processor to implement the following steps:
    对于每个密钥对,获取预设位数,并生成具有所述预设位数的第一伪随机数及第二伪随机数;For each key pair, obtain a preset number of bits, and generate a first pseudo random number and a second pseudo random number with the preset number of bits;
    采用费马测试方法检测所述第一伪随机数及所述第二伪随机数是否为质数;Adopting the Fermat test method to detect whether the first pseudo-random number and the second pseudo-random number are prime numbers;
    当检测到所述第一伪随机数及所述第二伪随机数均为质数时,将所述第一伪随机数及所述第二伪随机数进行相乘运算,得到目标数值;When it is detected that the first pseudo-random number and the second pseudo-random number are both prime numbers, multiplying the first pseudo-random number and the second pseudo-random number to obtain a target value;
    计算所述第一伪随机数与所述第二伪随机数之间的最小公倍数;Calculating the least common multiple between the first pseudo-random number and the second pseudo-random number;
    采用伪随机数生成器生成大于预设数值且小于所述最小公倍数的第一候选值,并采用辗转相除法确定所述第一候选值与所述最小公倍数之间的最大公约数;Using a pseudo-random number generator to generate a first candidate value that is greater than a preset value and less than the least common multiple, and determining the greatest common divisor between the first candidate value and the least common multiple by using a toss and turns division method;
    当检测到所述最大公约数为所述预设数值时,将所述第一候选值确定为第一数值,并将所述目标数值及所述第一数值确定为密钥对中的公钥;When it is detected that the greatest common divisor is the preset value, the first candidate value is determined as a first value, and the target value and the first value are determined as the public key in the key pair ;
    采用伪随机数生成器生成大于所述预设数值且小于所述最小公倍数的第二候选值,将所述第二候选值及所述第一数值的乘积与所述最小公倍数进行取余运算,得到余数;A pseudo-random number generator is used to generate a second candidate value greater than the preset value and less than the least common multiple, and the product of the second candidate value and the first value and the least common multiple are subjected to a remainder operation, Get the remainder
    当检测到所述余数为所述预设数值时,将所述第二候选值确定为第二数值,并将所述目标数值及所述第二数值确定为密钥对中的私钥。When it is detected that the remainder is the preset value, the second candidate value is determined as a second value, and the target value and the second value are determined as the private key in the key pair.
  17. 根据权利要求16所述的存储介质,其中,在所述生成具有所述预设位数的第一伪随机数时,所述至少一个计算机可读指令被处理器执行以实现以下步骤:The storage medium according to claim 16, wherein, when the first pseudo-random number having the preset number of bits is generated, the at least one computer-readable instruction is executed by a processor to implement the following steps:
    从口令库中获取任意口令;Obtain any password from the password database;
    将所述任意口令输入至单向散列函数中,得到散列值;Input the arbitrary password into a one-way hash function to obtain a hash value;
    确定所述散列值的位数,得到第一位数,并将所述预设位数与所述第一位数的差值确定为第二位数;Determining the number of digits of the hash value to obtain the first number of digits, and determining the difference between the preset number of digits and the first number of digits as the second number of digits;
    采用混合线性同余法生成具有所述第二位数的任意数;Using a mixed linear congruence method to generate any number with the second digit;
    将所述散列值与所述任意数进行拼接,得到所述第一伪随机数。The hash value and the arbitrary number are spliced together to obtain the first pseudo-random number.
  18. 根据权利要求15所述的存储介质,其中,在所述采用所述任意密钥对中的任意公钥对所述所有存量数据进行加密运算,得到所述所有存量数据对应的第一密文时,所述至少一个计算机可读指令被处理器执行以实现以下步骤:The storage medium according to claim 15, wherein, when the first ciphertext corresponding to all the stock data is obtained by using any public key in the arbitrary key pair to perform an encryption operation on the all stock data , The at least one computer-readable instruction is executed by the processor to implement the following steps:
    确定所述任意密钥对中的任意公钥,并确定所述任意公钥的第一数值及目标数值;Determine any public key in the any key pair, and determine the first value and the target value of the any public key;
    采用消息摘要算法计算所述所有存量数据,得到第一数据;Calculate all the stock data using a message digest algorithm to obtain the first data;
    对所述第一数据进行次数为所述第一数值的幂运算,得到第二数据;Performing power operations on the first data to obtain the second data;
    将所述第二数据与所述目标数值进行取余运算,得到所述第一密文。Perform a remainder operation on the second data and the target value to obtain the first ciphertext.
  19. 根据权利要求15所述的存储介质,其中,所述至少一个计算机可读指令被处理器执行时还用以实现以下步骤:The storage medium according to claim 15, wherein the at least one computer-readable instruction is further used to implement the following steps when executed by the processor:
    当检测到数据保存请求时,根据所述数据保存请求生成所述轮换请求;及/或When a data saving request is detected, the rotation request is generated according to the data saving request; and/or
    当检测到所述任意密钥对的有效期届满时,生成所述轮换请求。When it is detected that the validity period of the arbitrary key pair has expired, the rotation request is generated.
  20. 根据权利要求15所述的存储介质,其中,在所述采用所述任意私钥对所述第一密文进行解密运算,得到明文时,所述至少一个计算机可读指令被处理器执行以实现以下步骤:The storage medium according to claim 15, wherein, when the first ciphertext is decrypted by using the arbitrary private key to obtain the plaintext, the at least one computer-readable instruction is executed by a processor to realize The following steps:
    确定所述任意私钥的第二数值及目标数值;Determine the second value and the target value of the arbitrary private key;
    对所述第一密文进行次数为所述第二数值的幂运算,得到第三数据;Performing power operations on the first ciphertext with the number of times the second value to obtain third data;
    将所述第三数据与所述目标数值进行取余运算,得到第四数据;Performing a remainder operation on the third data and the target value to obtain fourth data;
    采用消息摘要算法计算所述第四数据,得到所述明文。A message digest algorithm is used to calculate the fourth data to obtain the plaintext.
PCT/CN2021/096434 2020-05-28 2021-05-27 Key rotation method, device, electronic apparatus, and medium WO2021239059A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010467085.X 2020-05-28
CN202010467085.XA CN111698088B (en) 2020-05-28 2020-05-28 Key alternation method, key alternation device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
WO2021239059A1 true WO2021239059A1 (en) 2021-12-02

Family

ID=72478684

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/096434 WO2021239059A1 (en) 2020-05-28 2021-05-27 Key rotation method, device, electronic apparatus, and medium

Country Status (2)

Country Link
CN (1) CN111698088B (en)
WO (1) WO2021239059A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114785501A (en) * 2022-05-30 2022-07-22 建信金融科技有限责任公司 Data judging method, device and storage medium
CN116755940A (en) * 2023-08-15 2023-09-15 深圳市东信时代信息技术有限公司 File restoration method, device, equipment and medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111698088B (en) * 2020-05-28 2022-10-18 平安科技(深圳)有限公司 Key alternation method, key alternation device, electronic equipment and medium
CN112651034A (en) * 2020-12-21 2021-04-13 山东山大鸥玛软件股份有限公司 One-time pad replaceable encryption algorithm, assembly and equipment based on codebook
CN112751852B (en) * 2020-12-29 2022-10-11 平安普惠企业管理有限公司 Data transmission method and related equipment
CN112948851A (en) * 2021-02-25 2021-06-11 深圳壹账通智能科技有限公司 User authentication method, device, server and storage medium
CN113162678B (en) * 2021-03-31 2022-04-26 北京微纳星空科技有限公司 Method, terminal, electronic device and medium for key switching and data transmission
CN114554486B (en) * 2022-01-06 2024-04-30 北京全路通信信号研究设计院集团有限公司 Secret key management method and system for information security transmission

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721393A (en) * 2014-12-02 2016-06-29 阿里巴巴集团控股有限公司 Data security encryption method and data security encryption device
CN107526974A (en) * 2017-08-03 2017-12-29 致象尔微电子科技(上海)有限公司 A kind of information password protection device and method
US20180351740A1 (en) * 2017-06-01 2018-12-06 International Business Machines Corporation Slice-level keyed encryption with support for efficient rekeying
CN108965279A (en) * 2018-07-04 2018-12-07 北京车和家信息技术有限公司 Data processing method, device, terminal device and computer readable storage medium
CN111698088A (en) * 2020-05-28 2020-09-22 平安科技(深圳)有限公司 Key alternation method, key alternation device, electronic equipment and medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103744976B (en) * 2014-01-13 2017-02-22 北京工业大学 Secure image retrieval method based on homomorphic encryption
BR112017017425B1 (en) * 2015-02-14 2024-04-30 Valimail Inc NON-TRAINER COMPUTER READABLE STORAGE MEDIUM CONFIGURED TO STORE COMPUTER-IMPLEMENTED METHOD AND PROCESS INSTRUCTIONS
US20180123781A1 (en) * 2016-10-28 2018-05-03 Microsoft Technology Licensing, Llc Fault tolerant automatic secret rotation
CN110233736B (en) * 2019-06-19 2020-05-08 核芯互联(北京)科技有限公司 Digital signature generation method, verification method, device, equipment and medium
CN110798315B (en) * 2019-11-11 2021-04-13 腾讯科技(深圳)有限公司 Data processing method and device based on block chain and terminal
CN110839026B (en) * 2019-11-12 2022-04-01 深圳市迅雷网络技术有限公司 Data processing method based on block chain and related equipment
CN110839035A (en) * 2019-11-19 2020-02-25 深圳前海环融联易信息科技服务有限公司 Path access control method and device, computer equipment and storage medium

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721393A (en) * 2014-12-02 2016-06-29 阿里巴巴集团控股有限公司 Data security encryption method and data security encryption device
US20180351740A1 (en) * 2017-06-01 2018-12-06 International Business Machines Corporation Slice-level keyed encryption with support for efficient rekeying
CN107526974A (en) * 2017-08-03 2017-12-29 致象尔微电子科技(上海)有限公司 A kind of information password protection device and method
CN108965279A (en) * 2018-07-04 2018-12-07 北京车和家信息技术有限公司 Data processing method, device, terminal device and computer readable storage medium
CN111698088A (en) * 2020-05-28 2020-09-22 平安科技(深圳)有限公司 Key alternation method, key alternation device, electronic equipment and medium

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114785501A (en) * 2022-05-30 2022-07-22 建信金融科技有限责任公司 Data judging method, device and storage medium
CN114785501B (en) * 2022-05-30 2024-05-17 建信金融科技有限责任公司 Data judging method, device and storage medium
CN116755940A (en) * 2023-08-15 2023-09-15 深圳市东信时代信息技术有限公司 File restoration method, device, equipment and medium
CN116755940B (en) * 2023-08-15 2024-03-22 深圳市东信时代信息技术有限公司 File restoration method, device, equipment and medium

Also Published As

Publication number Publication date
CN111698088B (en) 2022-10-18
CN111698088A (en) 2020-09-22

Similar Documents

Publication Publication Date Title
WO2021239059A1 (en) Key rotation method, device, electronic apparatus, and medium
US9686248B2 (en) Secure shared key sharing systems and methods
CN112751852B (en) Data transmission method and related equipment
WO2020237868A1 (en) Data transmission method, electronic device, server and storage medium
US7546327B2 (en) Platform independent randomness accumulator for network applications
US9722795B2 (en) Digitally signing JSON messages
WO2022179115A1 (en) User authentication method and apparatus, server and storage medium
US10887104B1 (en) Methods and systems for cryptographically secured decentralized testing
JP2021533426A (en) Systems and methods for authenticated control of content delivery
US11409907B2 (en) Methods and systems for cryptographically secured decentralized testing
CN114884697A (en) Data encryption and decryption method based on state cryptographic algorithm and related equipment
CN111404892B (en) Data supervision method and device and server
US11676111B1 (en) Apparatuses and methods for determining and processing dormant user data in a job resume immutable sequential listing
CN115580396A (en) System and method for inquiring hiding trace
WO2021151308A1 (en) Login verification method, apparatus, and computer-readable storage medium
CN113822675A (en) Block chain based message processing method, device, equipment and storage medium
CN114257366A (en) Information homomorphic processing method, device, equipment and computer readable storage medium
TW202139674A (en) Method and device for uploading and downloading file, computer device and medium
CN113378224B (en) Medical image storage method, device, equipment and storage medium
CN115361198A (en) Decryption method, encryption method, device, computer equipment and storage medium
WO2021088451A1 (en) Methods and devices for preventing denial-of-service attack on blockchain system
CN117499159B (en) Block chain-based data transaction method and device and electronic equipment
KR102562178B1 (en) Prevention of data manipulation of communication network measurements and protection of user privacy
CN112863040B (en) Voting result generation, statistics and acquisition method and device and electronic equipment
WO2021082404A1 (en) Information monitoring method, system, device, and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21814438

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21814438

Country of ref document: EP

Kind code of ref document: A1