CN105227566A - Cipher key processing method, key handling device and key handling system - Google Patents
- Publication number: CN105227566A
- Application number: CN201510672476.4A
- Authority: CN (China)
- Prior art keywords: key, server, cloud, fragment, message ciphertext
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a key processing method, a key processing device and a key processing system. It belongs to the field of communication technology and addresses the low security of existing key processing methods. The key processing method comprises the following steps: receiving a key generation request, generating a public/private key pair, splitting the private key into one primary fragment and N secondary fragments, uploading the primary fragment to a local key server, and uploading the N secondary fragments to at least one cloud key server, where N is an integer greater than or equal to 1 and the private key can be reconstructed only from the primary fragment together with at least one secondary fragment; encrypting data with the public key to form a message ciphertext and uploading it to a cloud data server; and receiving a request to query the message ciphertext, obtaining the message ciphertext from the cloud data server, obtaining at least one secondary fragment from the cloud key server and the primary fragment from the local key server, and reconstructing the private key to decrypt the message ciphertext.
Description
Technical field
The invention belongs to the field of communication technology, and in particular relates to a key processing method, a key processing device and a key processing system.
Background
With the spread of informatization and digitization, key security is attracting more and more attention. Ordinary business communication and similar activities all rest, without exception, on the security of the private key; in other words, the security of all online activity depends on the private key, so protecting the private key is a crucial part of network security.
The prior art has the following problem: when uploading data, the data owner usually encrypts and decrypts it with a single, centrally stored key (usually stored on a local server), so the security of the key is determined by the security of the physical device. However, IoT nodes and cloud devices are vulnerable to physical attack: an attacker can physically damage a node so that it no longer works properly, or steal the device to obtain sensitive information. When an attacker intercepts, tampers with or forges data and signaling transmitted over the network, obtaining the single communication key stored in the device lets the attacker go on to obtain sensitive user information or cause information transmission errors.
Summary of the invention
In view of the above problem with existing key processing methods, the invention provides a highly secure key processing method, key processing device and key processing system.
The technical solution adopted by the invention to solve the technical problem is a key processing method comprising the following steps:
receiving a key generation request, generating a public/private key pair, splitting the private key into one primary fragment and N secondary fragments, uploading the primary fragment to a local key server, and uploading the N secondary fragments to at least one cloud key server, where N is an integer greater than or equal to 1 and the private key can be reconstructed only from the primary fragment together with at least one secondary fragment;
encrypting data with the public key to form a message ciphertext, and uploading it to a cloud data server;
receiving a request to query the message ciphertext, obtaining the message ciphertext from the cloud data server, obtaining at least one secondary fragment from the cloud key server and the primary fragment from the local key server, and reconstructing the private key to decrypt the message ciphertext.
Preferably, the number of cloud key servers is N, and each cloud key server stores one private key fragment.
Preferably, receiving the request to query the message ciphertext comprises:
receiving a message ciphertext query request made by ciphertext retrieval.
Preferably, after the data is encrypted with the public key, the method further comprises:
a step of destroying the public key, or of storing the public key in the local key server.
Preferably, generating the public/private key pair comprises:
using a key generation function to randomly generate the public key and the private key according to set parameters;
encrypting the data with the public key comprises:
using an encryption function to encrypt the data into the message ciphertext;
reconstructing the private key comprises:
using a reconstruction function to reconstruct the private key from at least one received fragment stored in a cloud key server and the one fragment stored in the local key server;
decrypting the message ciphertext comprises:
using a decryption function to decrypt the message ciphertext with the reconstructed private key.
The technical solution adopted by the invention to solve the technical problem is a key processing device comprising:
a key generation module, used to generate a public/private key pair in response to a key generation request;
a key management module, used to split the private key into one primary fragment and N secondary fragments, upload the primary fragment to a local key server, and upload the N secondary fragments to at least one cloud key server, where N is an integer greater than or equal to 1 and the private key can be reconstructed only from the primary fragment together with at least one secondary fragment;
an encryption module, used to encrypt data with the public key to form a message ciphertext and upload the message ciphertext to a cloud data server;
a reconstruction module, used to obtain at least one secondary fragment from the cloud key server and the primary fragment from the local key server, and to reconstruct the private key;
a decryption module, used to obtain the message ciphertext from the cloud data server in response to a received request to query the message ciphertext, and to decrypt the message ciphertext with the reconstructed private key.
Preferably, the key processing device further comprises an index module,
the index module being used to index the message ciphertext uploaded to the cloud data server.
Preferably, the key management module is also used to destroy the public key, or to store the public key in the local key server.
Preferably, the key management module is used to upload the N secondary fragments of the private key to N cloud key servers, with each cloud key server storing one secondary fragment.
The technical solution adopted by the invention to solve the technical problem is a key processing system comprising the key processing device described above, together with a local data server, a local key server and at least one cloud key server.
The invention has the following beneficial effects:
The key processing method of the invention splits the private key into multiple fragments, namely one primary fragment and N secondary fragments, and stores them on different servers in a distributed manner to keep the stored private key secure. Storing the secondary fragments of the private key in cloud key servers also relieves storage pressure on the local key server.
In the key processing device of the invention, the key management module splits the private key into multiple fragments, namely one primary fragment and N secondary fragments, and stores them on different servers in a distributed manner to keep the stored private key secure. Storing the secondary fragments of the private key in cloud key servers also relieves storage pressure on the local key server.
The key processing system of the invention includes the key processing device described above, so its security is relatively high.
Brief description of the drawings
Fig. 1 is a flowchart of the key processing method of Embodiment 1 of the invention;
Fig. 2 is a schematic diagram of the key processing system of Embodiment 3 of the invention.
Detailed description
To help those skilled in the art better understand the technical solution of the invention, the invention is described in further detail below with reference to the drawings and specific embodiments.
Embodiment 1:
As shown in Fig. 1, this embodiment provides a key processing method comprising the following steps:
Step S1: receive a key generation request and generate a key pair, that is, a public key and a private key; split the private key into one primary fragment and N secondary fragments; upload the primary fragment to a local key server and the N secondary fragments to at least one cloud key server. N is an integer greater than or equal to 1, and the private key can be reconstructed only from the primary fragment together with at least one secondary fragment.
In this step, specifically, when the local data owner wants to upload data (the message plaintext) to the cloud data server, the key generation module uses a key generation function G to randomly generate a public key pk and a private key sk according to a set parameter α, i.e. G(α) -> (pk, sk); the public key pk is used for encryption and the private key sk for decryption. The key generation function uses the ElGamal algorithm, although other algorithms known to those skilled in the art may also be used.
In step S1, the N secondary fragments are preferably uploaded to N cloud key servers, with each cloud key server storing one secondary fragment; storing them this way makes the secondary fragments more secure. For example, suppose reconstructing the private key requires three secondary fragments and one primary fragment. If the three secondary fragments are stored on three cloud key servers, three cloud key servers and one local key server must be compromised to reconstruct the private key; if the three secondary fragments are stored on a single cloud key server, compromising one cloud key server and one local key server is enough. It is therefore easy to see that storing the secondary fragments on different cloud servers is more secure.
In step S1, the requirement that the primary fragment and at least one secondary fragment are needed to reconstruct the private key means the following: if at least one secondary fragment of the private key sk is obtained from the key servers, and the one primary fragment of sk stored in the local key server is also obtained, the complete private key sk can be derived; if the primary fragment cannot be obtained from the local key server and/or no secondary fragment stored in a cloud key server can be obtained, the complete private key sk cannot be reconstructed to decrypt the message ciphertext.
Step S2: encrypt the data with the public key to form a message ciphertext, and upload it to the cloud data server.
In this step, specifically, the encryption module uses an encryption function E with the public key pk generated by the key generation module to encrypt the data (message plaintext) m into the message ciphertext c; the resulting message ciphertext c is stored in the cloud data server through the message storage module. The encryption function uses the ElGamal algorithm, although other algorithms known to those skilled in the art may also be used.
Once the data has been encrypted, the public key is either destroyed or stored in the local key server.
Step S3: receive a request to query the message ciphertext, obtain the message ciphertext from the cloud data server, obtain private key fragments from the local server and from at least some of the cloud key servers that store them, and reconstruct the private key to decrypt the message ciphertext; where,
when at least one secondary fragment is obtained from the cloud key servers and the primary fragment is obtained from the local server, the reconstructed private key can be used to decrypt the message ciphertext; otherwise it cannot.
In this step, specifically, when an authenticated legitimate user needs to access cloud data, the index module sends a query request by ciphertext retrieval; once that query request is received, the message ciphertext c is obtained from the cloud data server. The key reconstruction module sends query requests to at least some of the cloud servers that store private key fragments, and those cloud servers, on receiving the request, return the key fragments they hold to the reconstruction module. The reconstruction module uses a reconstruction function R to regenerate the private key sk from the t received secondary fragments and the one locally stored primary fragment, where 1 ≤ t ≤ N, i.e. R(t, 1) -> sk. The decryption module uses a decryption function D to decode the message ciphertext c into the message plaintext m, i.e. D(c, sk) -> m, and the user obtains the message plaintext m they wanted to access. The reconstruction function is a matrix transformation algorithm applied to the obtained secondary fragments of the private key; the decryption function uses the ElGamal algorithm, although other algorithms known to those skilled in the art may also be used. In this step the value of t can be adjusted to increase the security of the method: the larger t is, the higher the security.
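Steps S1 to S3 as a runnable sketch, added here as an illustration and not taken from the patent. The patent names ElGamal but does not specify how the key is split or what the "matrix transformation" reconstruction is, so this example assumes one construction that meets the stated requirement (the primary fragment plus at least t secondary fragments): the private key is additively masked with a random primary fragment, and the masked value is Shamir-shared to form the secondary fragments. The modulus, base and all function names are assumptions, and the parameters are toy-sized and not secure.

```python
"""Toy model of steps S1-S3. Assumed construction (not specified by the patent):
sk = primary + masked (mod P), with `masked` Shamir-shared (t of n) as the
secondary fragments. Toy parameters only; do not use for real keys."""
import secrets

P = 2**127 - 1  # Mersenne prime: ElGamal modulus and share field (toy size)
G = 3           # base element of the toy group


def keygen():
    """G(alpha) -> (pk, sk): ElGamal key pair."""
    sk = secrets.randbelow(P - 2) + 1            # 1 .. P-2
    return pow(G, sk, P), sk


def encrypt(pk, m):
    """E(m, pk) -> c for an integer message 1 <= m < P."""
    k = secrets.randbelow(P - 2) + 1             # fresh ephemeral exponent
    return pow(G, k, P), (m * pow(pk, k, P)) % P


def decrypt(c, sk):
    """D(c, sk) -> m."""
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - sk, P)) % P     # c1^(P-1-sk) == c1^(-sk) mod P


def split_private_key(sk, n, t):
    """S1: one primary fragment (local) and n secondary fragments (cloud)."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    primary = secrets.randbelow(P)               # uniformly random mask
    masked = (sk - primary) % P                  # reveals nothing without primary
    coeffs = [masked] + [secrets.randbelow(P) for _ in range(t - 1)]
    secondary = []
    for x in range(1, n + 1):                    # one share per cloud key server
        y = 0
        for coeff in reversed(coeffs):           # Horner evaluation of the polynomial
            y = (y * x + coeff) % P
        secondary.append((x, y))
    return primary, secondary


def interpolate_at_zero(points):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(primary, secondary, t):
    """S3: R(t, 1) -> sk. Refuses to run without the primary fragment or with
    fewer than t distinct secondary fragments."""
    if primary is None:
        raise ValueError("primary fragment missing")
    unique = sorted(dict(secondary).items())     # drop duplicate shares
    if len(unique) < t:
        raise ValueError("not enough secondary fragments")
    return (primary + interpolate_at_zero(unique[:t])) % P


def demo():
    """The page's case: three secondary fragments on three cloud key servers."""
    pk, sk = keygen()
    primary, secondary = split_private_key(sk, n=3, t=3)
    m = int.from_bytes(b"meter=42", "big")       # constructed sample plaintext
    c = encrypt(pk, m)                           # S2: ciphertext goes to the cloud
    plaintext = decrypt(c, reconstruct(primary, secondary, t=3)).to_bytes(8, "big")
    try:
        reconstruct(primary, secondary[:2], t=3)  # only two cloud servers answer
        refused = False
    except ValueError:
        refused = True
    # Every cloud server compromised, local server intact: only the masked
    # value sk - primary is recovered, which is independent of sk.
    cloud_only_is_masked = interpolate_at_zero(secondary) == (sk - primary) % P
    return plaintext, refused, cloud_only_is_masked


if __name__ == "__main__":
    print(demo())
```

In this construction the threshold t is fixed when the key is split; passing t to `reconstruct` only lets it fail early instead of returning a wrong key.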
In summary, the key processing method of this embodiment splits the private key into multiple fragments, namely one primary fragment and N secondary fragments, and stores them on different servers in a distributed manner to keep the stored private key secure. As those skilled in the art know, data stored in a local key server is more secure than data stored in a cloud key server; in this embodiment the primary fragment is stored on the local server, and the private key can be reconstructed for decryption only if that primary fragment is found (together, of course, with at least one secondary fragment stored in a cloud key server), which makes the method of this embodiment more secure. By contrast, the prior art uses a single key, that is, only one private key, so whether that private key is stored on a local server or a cloud server, compromising one server is enough to find it, and security is low. In the key processing method of this embodiment, at least two servers must be compromised to obtain the complete private key and decrypt the data ciphertext, which improves key security, and the number of fragments that must be obtained from cloud key servers can be adjusted to increase it further.
It should be noted that although storing the private key entirely in the local key server, as in the prior art, is somewhat more secure, doing so puts considerable storage pressure on the local key server, whereas the distributed storage of the private key used in this embodiment relieves that pressure well.
Embodiment 2:
As shown in Fig. 2, this embodiment provides a key processing device comprising a key generation module, a key management module, an encryption module, a decryption module and a reconstruction module. The key generation module is used to generate a public/private key pair in response to a key generation request. The key management module is used to split the private key into one primary fragment and N secondary fragments, upload the primary fragment to a local key server, and upload the N secondary fragments to at least one cloud key server, where N is an integer greater than or equal to 1 and the private key can be reconstructed only from the primary fragment together with at least one secondary fragment. The encryption module is used to encrypt data with the public key to form a message ciphertext and upload the message ciphertext to a cloud data server. The reconstruction module is used to obtain at least one secondary fragment from the cloud key server and the primary fragment from the local key server, and to reconstruct the private key. The decryption module is used to obtain the message ciphertext from the cloud data server in response to a received request to query the message ciphertext, and to decrypt the message ciphertext with the reconstructed private key.
In the key processing device of this embodiment, the key management module splits the private key into one primary fragment and N secondary fragments, uploads the primary fragment to the local key server, and uploads the N secondary fragments to at least one cloud key server, where N is an integer greater than or equal to 1 and the private key can be reconstructed only from the primary fragment together with at least one secondary fragment. In short, the key management module splits the private key into multiple fragments stored on multiple servers, and multiple servers must be compromised to reconstruct the private key for decryption, so the security of the key processing device of this embodiment is relatively high. Moreover, in this embodiment the key management module's uploading of the primary fragment to the local key server not only improves security but also eases storage pressure on the local key server.
Preferably, the key processing device of this embodiment further comprises an index module, used to index the message ciphertext uploaded to the cloud data server.
Specifically, when an authenticated legitimate user needs to access cloud data, the user can send a query request through the index module by ciphertext retrieval and obtain the message ciphertext from the cloud data server.
Preferably, the key management module of this embodiment is also used to destroy the public key, or to store the public key in the local key server. Of these, destroying the public key is the most secure option.
Preferably, the key management module of this embodiment is used to upload the N secondary fragments of the private key to N cloud key servers, with each cloud key server storing one secondary fragment, so that the secondary fragments are stored more securely.
Embodiment 3:
As shown in Fig. 2, this embodiment provides a key processing system comprising the key processing device of Embodiment 2, together with a local data server, a local key server and at least one cloud key server. The local data server is used to store the message ciphertext, the cloud key server is used to store the secondary fragments of the private key, and the local key server is used to store the primary fragment of the private key and the public key.
Because the key processing system of this embodiment includes the key processing device of Embodiment 2, its security is better.
It should be understood that the above embodiments are merely exemplary embodiments used to illustrate the principle of the invention, and the invention is not limited to them. Those of ordinary skill in the art can make various modifications and improvements without departing from the spirit and essence of the invention, and such modifications and improvements are also regarded as falling within the scope of protection of the invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510672476.4A CN105227566A (en) | 2015-10-16 | 2015-10-16 | Cipher key processing method, key handling device and key handling system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105227566A true CN105227566A (en) | 2016-01-06 |
Family
ID=54996245
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510672476.4A Pending CN105227566A (en) | 2015-10-16 | 2015-10-16 | Cipher key processing method, key handling device and key handling system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105227566A (en) |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106161449A (en) * | 2016-07-19 | 2016-11-23 | 青松智慧(北京)科技有限公司 | Transmission method without key authentication and system |
| CN106357401A (en) * | 2016-11-11 | 2017-01-25 | 武汉理工大学 | Private key storage method and private key use method |
| CN106961336A (en) * | 2017-04-18 | 2017-07-18 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithms |
| CN107276752A (en) * | 2016-06-27 | 2017-10-20 | 收付宝科技有限公司 | The methods, devices and systems that limitation key is decrypted are paid to cloud |
| CN109462608A (en) * | 2018-12-19 | 2019-03-12 | 杭州安恒信息技术股份有限公司 | Data encryption processing method, apparatus and system |
| CN110069949A (en) * | 2019-04-19 | 2019-07-30 | 浙江鲸腾网络科技有限公司 | A kind of electronic contract signature method, apparatus, equipment and medium |
| WO2020063354A1 (en) * | 2018-09-28 | 2020-04-02 | 北京金山安全软件有限公司 | Block chain private key storage and recovery method, device and system |
| CN111143863A (en) * | 2019-12-22 | 2020-05-12 | 浪潮电子信息产业股份有限公司 | A data processing method, apparatus, device and computer-readable storage medium |
| CN111245597A (en) * | 2020-01-17 | 2020-06-05 | 众安信息技术服务有限公司 | Key management method, system and equipment |
| CN111723390A (en) * | 2020-06-28 | 2020-09-29 | 天津理工大学 | A business data protection method and system based on supply chain management |
| CN112468514A (en) * | 2020-12-15 | 2021-03-09 | 天津普泽工程咨询有限责任公司 | System and method for realizing electronic bidding encryption in VPN (virtual private network) |
| CN113434905A (en) * | 2021-07-05 | 2021-09-24 | 网易(杭州)网络有限公司 | Data sharing method and device, computer equipment and storage medium |
| CN113434904A (en) * | 2021-07-02 | 2021-09-24 | 网易(杭州)网络有限公司 | Data processing method and device, computer equipment and storage medium |
| CN119646843A (en) * | 2024-11-21 | 2025-03-18 | 广西数字金服科技有限公司 | Processing methods and systems for agricultural data |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8561211B1 (en) * | 2001-07-31 | 2013-10-15 | Marvell International Ltd. | System and method for enhanced piracy protection in a wireless personal communication device |
| CN103595793A (en) * | 2013-11-13 | 2014-02-19 | 华中科技大学 | Cloud data safe deleting system and method without support of trusted third party |
2015
- 2015-10-16 CN CN201510672476.4A patent/CN105227566A/en active Pending
Non-Patent Citations (2)
| Title |
|---|
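| LING FANG ZENG et al.: "SeDas: A Self-Destructing Data System Based on Active Storage Framework", 《IEEE TRANSACTIONS ON MAGNETICS》 * |
| 陈世斌: "Research on Data Self-Destruction Based on a Distributed Object Storage System", 《China Master's Theses Full-text Database, Information Science and Technology》 * |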
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107276752A (en) * | 2016-06-27 | 2017-10-20 | 收付宝科技有限公司 | Method, device and system for decrypting cloud payment restriction key |
| CN107276752B (en) * | 2016-06-27 | 2020-10-30 | 吕文华 | Method, device and system for decrypting cloud payment restriction key |
| CN106161449A (en) * | 2016-07-19 | 2016-11-23 | 青松智慧(北京)科技有限公司 | Transmission method without key authentication and system |
| CN106357401A (en) * | 2016-11-11 | 2017-01-25 | 武汉理工大学 | Private key storage method and private key use method |
| CN106357401B (en) * | 2016-11-11 | 2019-09-10 | 武汉理工大学 | A kind of storage of private key and application method |
| CN106961336B (en) * | 2017-04-18 | 2019-11-26 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithm |
| CN106961336A (en) * | 2017-04-18 | 2017-07-18 | 北京百旺信安科技有限公司 | A kind of key components trustship method and system based on SM2 algorithms |
| WO2020063354A1 (en) * | 2018-09-28 | 2020-04-02 | 北京金山安全软件有限公司 | Block chain private key storage and recovery method, device and system |
| CN109462608A (en) * | 2018-12-19 | 2019-03-12 | 杭州安恒信息技术股份有限公司 | Data encryption processing method, apparatus and system |
| CN110069949A (en) * | 2019-04-19 | 2019-07-30 | 浙江鲸腾网络科技有限公司 | A kind of electronic contract signature method, apparatus, equipment and medium |
| CN111143863A (en) * | 2019-12-22 | 2020-05-12 | 浪潮电子信息产业股份有限公司 | A data processing method, apparatus, device and computer-readable storage medium |
| CN111245597A (en) * | 2020-01-17 | 2020-06-05 | 众安信息技术服务有限公司 | Key management method, system and equipment |
| CN111245597B (en) * | 2020-01-17 | 2023-09-15 | 众安信息技术服务有限公司 | Key management method, system and equipment |
| CN111723390A (en) * | 2020-06-28 | 2020-09-29 | 天津理工大学 | A business data protection method and system based on supply chain management |
| CN111723390B (en) * | 2020-06-28 | 2023-04-07 | 天津理工大学 | Commercial data protection method and system based on supply chain management |
| CN112468514A (en) * | 2020-12-15 | 2021-03-09 | 天津普泽工程咨询有限责任公司 | System and method for realizing electronic bidding encryption in VPN (virtual private network) |
| CN113434904A (en) * | 2021-07-02 | 2021-09-24 | 网易(杭州)网络有限公司 | Data processing method and device, computer equipment and storage medium |
| CN113434905A (en) * | 2021-07-05 | 2021-09-24 | 网易(杭州)网络有限公司 | Data sharing method and device, computer equipment and storage medium |
| CN119646843A (en) * | 2024-11-21 | 2025-03-18 | 广西数字金服科技有限公司 | Processing methods and systems for agricultural data |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105227566A (en) | | Cipher key processing method, key handling device and key handling system |
| AU2018367363B2 (en) | | Processing data queries in a logically sharded data store |
| US10873450B2 (en) | | Cryptographic key generation for logically sharded data stores |
| CN106534092B (en) | | A message-dependent key-based encryption method for private data |
| Barsoum et al. | | Enabling dynamic data and indirect mutual trust for cloud computing storage systems |
| Li et al. | | Rekeying for encrypted deduplication storage |
| EP3062261B1 (en) | | Community-based de-duplication for encrypted data |
| KR102555164B1 (en) | | Enabling access to data |
| US20180013555A1 (en) | | Data transmission method and apparatus |
| US20170244687A1 (en) | | Techniques for confidential delivery of random data over a network |
| US11316671B2 (en) | | Accelerated encryption and decryption of files with shared secret and method therefor |
| CA2747891C (en) | | Method for generating an encryption/decryption key |
| BR112019013130A2 (en) | | dynamic symmetric searchable encryption method and system unrelated to search patterns |
| KR102656403B1 (en) | | Generate keys for use in secure communications |
| CN105939191A (en) | | Client secure deduplication method of ciphertext data in cloud storage |
| CA3065767C (en) | | Cryptographic key generation for logically sharded data stores |
| CN106254342A (en) | | The secure cloud storage method of file encryption is supported under Android platform |
| CN112740615A (en) | | Multi-party computed key management |
| KR20120132708A (en) | | Distributed access priviledge management apparatus and method in cloud computing environments |
| Hussien et al. | | Scheme for ensuring data security on cloud data storage in a semi-trusted third party auditor |
| Pushpa | | Enhancing Data Security by Adapting Network Security and Cryptographic Paradigms |
| KR20170077003A (en) | | Light Encryption/Decryption Method and System using a Symmetric Cryptographic Algorithm |
| Jacob et al. | | Secured and reliable file sharing system with de-duplication using erasure correction code |
| Saini et al. | | Cryptographic hybrid model-an advancement in cloud computing security: a survey |
| Abdulrahman et al. | | Privacy preservation, sharing and collection of patient records using cryptographic techniques for cross-clinical secondary analytics |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20160106 |