A key management method

By generating recordable keys and evaluating their security ratings, the lack of oversight in key management mechanisms is addressed, thereby enhancing the security of enterprise management systems.

CN116010981BActive Publication Date: 2026-06-05HUANENG INFORMATION TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HUANENG INFORMATION TECH CO LTD
Filing Date
2022-12-23
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing key management mechanisms lack oversight of key usage in enterprise management systems, leading to abnormal key application when user accounts are leaked or the system is attacked, thus reducing system security.

Method used

By generating an initial key and combining it with the required coded segments to form a recordable key, scanning and analyzing key usage, evaluating security ratings, and deactivating the key when it falls below a preset value, secure control over the key is achieved.

Benefits of technology

It enables monitoring and anomaly detection of key usage, improving the security of enterprise management systems and preventing security risks caused by abnormal key application.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116010981B_ABST
    Figure CN116010981B_ABST
Patent Text Reader

Abstract

The key management method disclosed in the application relates to the technical field of key management, generates an initial key according to key application information, combines the initial key with a use requirement coding section, generates a recordable key, and in subsequent decryption of the encrypted package, the use of the recordable key can be determined according to the use requirement coding section, and then the security state of the recordable key is judged; according to the data processing flow requirement, the behavior characteristics of the user in the data application process are analyzed and judged, and then the key use requirement is determined; by comparing and analyzing the current decryption state with the key use requirement, and according to the comparison and analysis result, the security evaluation value of the recordable key is evaluated, if the security evaluation value of the recordable key is lower than the preset value, the recordable key is disabled, and the security control of the recordable key is realized.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of system key management technology, and in particular to a key management method. Background Technology

[0002] A key is a parameter input into algorithms that convert plaintext to ciphertext or vice versa. Keys are categorized as symmetric or asymmetric. Symmetric key encryption, also known as private key encryption or session key encryption, uses the same key for both encryption and decryption. Its biggest advantage is its fast encryption / decryption speed, making it suitable for encrypting large amounts of data, but key management is difficult. Asymmetric key encryption systems, also known as public key encryption, require different keys for encryption and decryption. One key is publicly released (the public key), while the other is kept secret by the user (the private key). The sender uses the public key to encrypt the information, while the receiver uses the private key to decrypt it. Public key mechanisms are flexible, but encryption and decryption are much slower than symmetric key encryption.

[0003] For enterprise management systems, key management mechanisms are often used to improve the security of data applications and process integration. Conventional key management mechanisms generate key pairs through a key management center, send the key pairs to a database of in-use keys, package and sign the information, and then send it to the user. This enables users and the system to cooperate in encrypting and decrypting the corresponding data when using the key. As the volume of management tasks in enterprise management systems increases, the number of places where keys are needed will inevitably increase. Although the above key management mechanisms achieve key encryption, they lack supervision over key usage. Especially when user accounts are leaked or the system is attacked, key usage will become abnormal, thereby reducing the security of the enterprise management system. To avoid this situation, a key management method that can detect and identify abnormal key usage is needed. Summary of the Invention

[0004] The purpose of this invention is to provide a key management method that can monitor key usage.

[0005] Therefore, this invention discloses a key management method, including:

[0006] Obtain key request information, generate an initial key based on the key request information, and encrypt the data to be processed using the initial key to generate an encrypted packet;

[0007] Obtain data request information, determine data processing flow requirements based on the data request information, and determine key usage requirements based on the data processing flow requirements;

[0008] The key usage requirements are translated according to pre-set encoding and translation rules to generate usage requirement encoding segments;

[0009] The usage requirement code segment is combined with the initial key to generate a recordable key;

[0010] When decrypting the encrypted packet using the recordable key:

[0011] The recordable key is scanned and analyzed according to the encoding and translation rules to determine the key usage requirements of the recordable key. The key usage requirements of the recordable key are then compared and analyzed with the current decryption status to obtain the comparison and analysis results.

[0012] Based on the comparative analysis results, the security evaluation value of the recordable key is determined;

[0013] If the security evaluation value of the recordable key is lower than a preset value, then the recordable key is deactivated.

[0014] In some embodiments of this application, a specific method for generating the recordable key is disclosed, which includes combining the usage requirement code segment with the initial key.

[0015] Establish a character encoding correspondence set, which includes the characters required for the key usage and the corresponding encoding segments of the characters;

[0016] The key usage requirements are scanned and analyzed to obtain the first key character segment, and the first key character segment is translated into the first key character encoding segment according to the character encoding correspondence set;

[0017] The first identification code segment is added to both ends of the first key character code segment to form the code segment required for use.

[0018] In some embodiments of this application, the key usage requirements are disclosed, including:

[0019] The key requires a specified time period, number of times it can be used, the user who can use it, the terminal that can use it, and the location in which it can exist.

[0020] In some embodiments of this application, a method for determining the security evaluation value of the recordable key is disclosed in order to determine whether to disable the recordable key. The method for determining the security evaluation value of the recordable key includes:

[0021] Obtain the current key usage time, calculate the time difference between the current key usage time and the boundary value of the key required usage time period, and construct a time-based security evaluation factor based on the time difference;

[0022] Obtain the current number of times the key is used, calculate the difference between the current number of times the key is used and the upper limit of the number of times the key is required to be used, and construct a usage frequency security evaluation factor based on the difference.

[0023] Obtain the current key user and compare and analyze the consistency between the current key user and the key request user, and construct a user security evaluation factor based on the comparison results;

[0024] Obtain the currently used terminal and compare and analyze the consistency between the currently used terminal and the terminal required by the key, and construct a terminal security evaluation factor based on the comparison results;

[0025] Obtain the current key application stage, compare and analyze the consistency between the current key application stage and the key possible existence stage, and construct the application stage security evaluation factor based on the comparison results;

[0026] A multi-factor conversion relationship is established, and the time-based security evaluation factor, frequency-based security evaluation factor, user security evaluation factor, terminal security evaluation factor, and application-level security evaluation factor are used as input parameters and substituted into the multi-factor conversion relationship to obtain the security evaluation value.

[0027] In some embodiments of this application, a multi-factor conversion relationship is disclosed in order to obtain the security evaluation value. The expression of the multi-factor conversion relationship is as follows:

[0028] y=k1*x1+k2*x2+k3*x3+k4*x4+k5*x5;

[0029] Where y is the security evaluation value, k1 is the time security conversion factor, k2 is the frequency security conversion factor, k3 is the user conversion factor, k4 is the terminal security conversion factor, k5 is the application security conversion factor, x1 is the time security evaluation factor, x2 is the frequency security evaluation factor, x3 is the user security evaluation factor, x4 is the terminal security evaluation factor, and x5 is the application security evaluation factor.

[0030] In some embodiments of this application, in order to continuously monitor the usage of the recordable key, the structure of the recordable key has been improved. The recordable key further includes a key usage log encoding segment, which is used to record the usage information of each use of the recordable key and update the original usage information records. The usage information includes the key usage time, the number of times the key is used, the user of the key, the terminal of the key, and the key application stage.

[0031] In some embodiments of this application, a method for generating the key using log-coded segments is disclosed, the method comprising:

[0032] The character encoding segment correspondence set also includes the characters applied to the usage information of the recordable key, and the encoding segments corresponding to the characters;

[0033] The system acquires usage information when using the recordable key, updates the original usage information record based on the changes in the usage information, and scans and analyzes the updated usage information to obtain the second key character segment.

[0034] The second key character segment is translated into a second key character encoding segment according to the character encoding correspondence set;

[0035] A second identification encoding segment is added before and after the second key character encoding segment to form a key usage log encoding segment.

[0036] In some embodiments of this application, a method for generating an initial key is disclosed in order to generate an initial key based on the key application information. The method for generating the initial key includes:

[0037] A key management center is established, which is used to determine the required key type based on the key application information in order to generate the initial key.

[0038] In some embodiments of this application, in order to enable both the system and the user to decrypt or encrypt the data to be processed, the content of the initial key is disclosed. The initial key includes a system application key and a user usage key. The system application key is reserved for the system, and the user usage key is sent to the user terminal.

[0039] In some embodiments of this application, a specific method for generating a system application key and a user access key is disclosed. The method for generating the system application key and the user access key includes:

[0040] Establish a key backup repository and a key in-use repository;

[0041] Obtain key request information and verify the legality of the key request information;

[0042] If the key application information passes the validity verification, then determine whether the key backup library has a backup key;

[0043] If it is determined that there is a spare key in the key backup library, then the system application key and the user usage key are sent to the key in use library;

[0044] If it is determined that there is no backup key in the key backup library, the generation interface is called to generate a system application key and a user key, and the system application key and the user key are sent to the key in use library.

[0045] This application discloses a key management method, which has the following advantages compared to general key management methods:

[0046] 1. Based on the key application information, an initial key is generated, and the data to be processed is encrypted using the initial key to generate an encrypted packet. Subsequently, the initial key is improved by combining it with a required coding segment to generate a recordable key. In the subsequent decryption of the encrypted packet, the usage of the recordable key can be determined based on the use of the required coding segment, thereby judging the security status of the recordable key.

[0047] 2. Based on the data request information, the data processing flow requirements are determined. Based on the data processing flow requirements, the behavioral characteristics of the user in the process of applying data are analyzed and judged, and then the key usage requirements are determined. By comparing and analyzing the current decryption status with the key usage requirements, and based on the comparison and analysis results, the security evaluation value of the recordable key is evaluated. If the security evaluation value of the recordable key is lower than the preset value, the recordable key is deactivated, thus realizing the security control of the recordable key.

[0048] The technical solution of the present invention will be further described in detail below with reference to the accompanying drawings and embodiments. Attached Figure Description

[0049] Figure 1 This is a flowchart illustrating the steps of a key management method according to an embodiment of this application.

[0050] Figure 2 This is a step diagram illustrating a method for combining a required coded segment with an initial key according to an embodiment of this application;

[0051] Figure 3 The embodiments of this application include a step diagram of a method for determining the security evaluation value of a recordable key. Detailed Implementation

[0052] The technical solution of the present invention will be further described below with reference to the accompanying drawings and embodiments.

[0053] The technical solution of the present invention will be clearly and completely described below with reference to the accompanying drawings and specific embodiments. It should be understood that the preferred embodiments described herein are only for illustration and explanation of the present invention and should not be construed as limiting the scope of protection of the present invention. Those skilled in the art can make some non-essential improvements and adjustments based on the following content of the present invention. In the present invention, unless otherwise expressly specified and limited, the technical terms used in this application should have the ordinary meaning understood by those skilled in the art. The terms "connected," "linked," "fixed," "set," etc., should be interpreted broadly, and can refer to fixed connection, detachable connection, or integral connection; can refer to direct connection or indirect connection through an intermediate medium; can refer to mechanical connection or electrical connection, unless otherwise expressly limited. For those skilled in the art, the specific meaning of the above terms in the present invention can be understood according to the specific circumstances. Unless otherwise expressly specified and limited, "above" or "below" the second feature can mean that the first and second features are in direct contact, or that the first and second features are in indirect contact through an intermediate medium. Moreover, "above," "on top of," or "on the second feature" can mean that the first feature is directly above or diagonally above the second feature, or simply indicates that the first feature is at a higher horizontal level than the second feature. The phrase "below," "under," or "beneath" the second feature can mean that the first feature is directly below or diagonally below the second feature, or simply that the first feature is at a lower horizontal level than the second feature. Relational terms such as "first," "second," etc., are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. It should be noted that similar labels and letters in the following figures denote similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.

[0054] Example:

[0055] For enterprise management systems, key management mechanisms are often used to improve the security of data applications and process integration. Conventional key management mechanisms generate key pairs through a key management center, send the key pairs to a database of in-use keys, package and sign the information, and then send it to the user. This enables users and the system to cooperate in encrypting and decrypting the corresponding data when using the key. As the volume of management tasks in enterprise management systems increases, the number of places where keys are needed will inevitably increase. Although the above key management mechanisms achieve key encryption, they lack supervision over key usage. Especially when user accounts are leaked or the system is attacked, key usage will become abnormal, thereby reducing the security of the enterprise management system. To avoid this situation, a key management method that can detect and identify abnormal key usage is needed.

[0056] See Figure 1 Therefore, this invention discloses a key management method, comprising:

[0057] Step S100: Obtain key application information, generate an initial key based on the key application information, and encrypt the data to be processed based on the initial key to generate an encrypted packet.

[0058] The key request information can be generated by the user sending the key request information or by the system automatically generating the key request information according to a predetermined process.

[0059] Step S200: Obtain data request information, determine data processing flow requirements based on data request information, and determine key usage requirements based on data processing flow requirements.

[0060] It's important to understand that data request information can originate from the user's end. Based on the data selected by the user, the data processing requirements can be determined according to pre-defined data types, standard data processing procedures, and specific data processing needs. These requirements include the data processing terminal, the time frame for data application, and the nodes involved in data processing. Corresponding to these requirements, since data needs to be decrypted each time it's used, the key usage requirements can be determined based on the data processing procedure.

[0061] Step S300: Translate the key usage requirements according to the preset encoding and translation rules to generate the usage requirement encoding segment.

[0062] Step S400: Combine the usage requirement code segment with the initial key to generate a recordable key.

[0063] When decrypting the encrypted packet using the recordable key:

[0064] Step S500: Scan and analyze the recordable key according to the encoding and translation rules to determine the key usage requirements of the recordable key, and compare and analyze the key usage requirements of the recordable key with the current decryption status to obtain the comparison and analysis results.

[0065] Step S600: Determine the security evaluation value of the recordable key based on the comparison and analysis results.

[0066] It should be understood that the more times the current decryption status matches the key usage requirements, the higher the application security of the recordable key; conversely, the fewer times the current decryption status matches the key usage requirements, the lower the application security of the recordable key. The security evaluation value is a dynamic variable used to evaluate the security status of the recordable key.

[0067] Step S700: If the security evaluation value of the recordable key is lower than a preset value, then the recordable key is deactivated.

[0068] In some embodiments of this application, in order to generate the recordable key, see [reference needed]. Figure 2 The present invention discloses a specific method for generating the recordable key, wherein the method for combining the usage requirement coded segment with the initial key includes:

[0069] Step S301: Establish a character encoding correspondence set, which includes the characters used in the key usage requirements and the corresponding encoding segments of the characters.

[0070] Step S302: Scan and analyze the key usage requirements to obtain the first key character segment, and translate the first key character segment into the first key character encoding segment according to the character encoding correspondence set.

[0071] Step S303: Supplement the first identification code segment at both ends of the first key character code segment to form the usage requirement code segment.

[0072] In some embodiments of this application, the key usage requirements are disclosed, including:

[0073] The key requires a specified time period, number of times it can be used, the user who can use it, the terminal that can use it, and the location in which it can exist.

[0074] It should be understood that the key usage time period refers to the time range in which the key is used, the key usage count refers to the number of times the key is used for decryption, the key user refers to the user account using the key, the key terminal refers to the terminal using the key, and the key may exist in a stage refers to the stage in which the key is used, such as the stage in which data is transferred between system terminals during collaborative operation.

[0075] In some embodiments of this application, a method for determining the security evaluation value of the recordable key is disclosed in order to determine whether to disable the recordable key; see reference [link to relevant documentation]. Figure 3 The method for determining the security evaluation value of the recordable key includes:

[0076] Step S701: Obtain the current key usage time, calculate the time difference between the current key usage time and the boundary value of the key required usage time period, and construct a time-based security evaluation factor based on the time difference.

[0077] Step S702: Obtain the current number of times the key is used, calculate the difference between the current number of times the key is used and the upper limit of the number of times the key is required to be used, and construct a usage frequency security evaluation factor based on the difference.

[0078] Step S703: Obtain the current key user and compare and analyze the consistency between the current key user and the key request user, and construct a user security evaluation factor based on the comparison results.

[0079] Step S704: Obtain the currently used terminal, compare and analyze the consistency between the currently used terminal and the terminal required by the key, and construct a terminal security evaluation factor based on the comparison results.

[0080] Step S705: Obtain the current key application stage, compare and analyze the consistency between the current key application stage and the key possible existence stage, and construct the application stage security evaluation factor based on the comparison results.

[0081] Step S706: Establish a multi-factor conversion relationship, and substitute the time-based security evaluation factor, frequency-based security evaluation factor, user security evaluation factor, terminal security evaluation factor, and application-related security evaluation factor as input parameters into the multi-factor conversion relationship to obtain the security evaluation value.

[0082] In some embodiments of this application, in order to obtain the security evaluation value, a multi-factor conversion relationship is disclosed, the expression of which is: y=k1*x1+k2*x2+k3*x3+k4*x4+k5*x5.

[0083] Where y is the security evaluation value, k1 is the time security conversion factor, k2 is the frequency security conversion factor, k3 is the user conversion factor, k4 is the terminal security conversion factor, k5 is the application security conversion factor, x1 is the time security evaluation factor, x2 is the frequency security evaluation factor, x3 is the user security evaluation factor, x4 is the terminal security evaluation factor, and x5 is the application security evaluation factor.

[0084] The time security conversion factor k1, frequency security conversion factor k2, user security evaluation factor k3, terminal security conversion factor k4, and application security conversion factor k5 are set according to the overall impact of the corresponding factors on the security of key application. This setting can be made by professionals based on their daily experience.

[0085] In some embodiments of this application, in order to continuously monitor the usage of the recordable key, the structure of the recordable key has been improved. The recordable key further includes a key usage log encoding segment, which is used to record the usage information of each use of the recordable key and update the original usage information records. The usage information includes the key usage time, the number of times the key is used, the user of the key, the terminal of the key, and the key application stage.

[0086] In some embodiments of this application, a method for generating the key using log-coded segments is disclosed, the method comprising:

[0087] The character encoding segment correspondence set also includes the characters used in the usage information of the recordable key, and the encoding segments corresponding to the characters; obtain the usage information when using the recordable key, and update the original usage information record according to the changes in the usage information, and scan and analyze the updated usage information to obtain the second key character segment; translate the second key character segment into a second key character encoding segment according to the character encoding correspondence set; supplement the second identification encoding segment before and after the second key character encoding segment to form the key usage log encoding segment.

[0088] In some embodiments of this application, in order to generate an initial key based on the key application information, a method for generating an initial key is disclosed. The method for generating the initial key includes: establishing a key management center, which is used to determine the required key type based on the key application information in order to generate the initial key.

[0089] The key management center can be understood as a key generation program, which contains several encryption algorithms.

[0090] In some embodiments of this application, in order to enable both the system and the user to decrypt or encrypt the data to be processed, the content of the initial key is disclosed. The initial key includes a system application key and a user usage key. The system application key is reserved for the system, and the user usage key is sent to the user terminal.

[0091] In some embodiments of this application, a specific method for generating a system application key and a user access key is disclosed. The method for generating the system application key and the user access key includes:

[0092] The first step is to establish a key backup repository and a key in-use repository.

[0093] The second step is to obtain the key application information and verify its legitimacy.

[0094] The third step is to determine whether the key application information passes the legality verification if the key backup library has a backup key if the key application information passes the legality verification.

[0095] Fourth step: If it is determined that there is a backup key in the key backup library, then the system application key and the user usage key are sent to the key in use library.

[0096] Fifth step: If it is determined that there is no spare key in the key backup library, the generation interface is called to generate a system application key and a user usage key, and the system application key and the user usage key are sent to the key in use library.

[0097] This application discloses a key management method, which has the following advantages compared to general key management methods:

[0098] 1. Based on the key application information, an initial key is generated, and the data to be processed is encrypted using the initial key to generate an encrypted packet. Subsequently, the initial key is improved by combining it with a required coding segment to generate a recordable key. In the subsequent decryption of the encrypted packet, the usage of the recordable key can be determined based on the use of the required coding segment, thereby judging the security status of the recordable key.

[0099] 2. Based on the data request information, the data processing flow requirements are determined. Based on the data processing flow requirements, the behavioral characteristics of the user in the process of applying data are analyzed and judged, and then the key usage requirements are determined. By comparing and analyzing the current decryption status with the key usage requirements, and based on the comparison and analysis results, the security evaluation value of the recordable key is evaluated. If the security evaluation value of the recordable key is lower than the preset value, the recordable key is deactivated, thus realizing the security control of the recordable key.

[0100] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the technical solutions of the present invention, and these modifications or equivalent substitutions cannot cause the modified technical solutions to deviate from the spirit and scope of the technical solutions of the present invention.

Claims

1. A key management method, characterized in that, include: Obtain key request information, generate an initial key based on the key request information, and encrypt the data to be processed using the initial key to generate an encrypted packet; Obtain data request information, determine data processing flow requirements based on the data request information, and determine key usage requirements based on the data processing flow requirements; The key usage requirements are translated according to pre-set encoding and translation rules to generate usage requirement encoding segments; The usage requirement code segment is combined with the initial key to generate a recordable key; When decrypting the encrypted packet using the recordable key: The recordable key is scanned and analyzed according to the encoding and translation rules to determine the key usage requirements of the recordable key. The key usage requirements of the recordable key are then compared and analyzed with the current decryption status to obtain the comparison and analysis results. Based on the comparative analysis results, the security evaluation value of the recordable key is determined; If the security evaluation value of the recordable key is lower than a preset value, then the recordable key is deactivated.

2. The key management method according to claim 1, characterized in that, The method of combining the usage requirement coded segment with the initial key includes: Establish a character encoding correspondence set, which includes the characters required for the key usage and the corresponding encoding segments of the characters; The key usage requirements are scanned and analyzed to obtain the first key character segment, and the first key character segment is translated into the first key character encoding segment according to the character encoding correspondence set; The first identification code segment is added to both ends of the first key character code segment to form the code segment required for use.

3. The key management method according to claim 2, characterized in that, The key usage requirements include: The key requires a specified time period, number of times it can be used, the user who can use it, the terminal that can use it, and the location in which it can exist.

4. The key management method according to claim 3, characterized in that, The method for determining the security evaluation value of the recordable key includes: Obtain the current key usage time, calculate the time difference between the current key usage time and the boundary value of the key required usage time period, and construct a time-based security evaluation factor based on the time difference; Obtain the current number of times the key is used, calculate the difference between the current number of times the key is used and the upper limit of the number of times the key is required to be used, and construct a usage frequency security evaluation factor based on the difference. Obtain the current key user and compare and analyze the consistency between the current key user and the key request user, and construct a user security evaluation factor based on the comparison results; Obtain the currently used terminal and compare and analyze the consistency between the currently used terminal and the terminal required by the key, and construct a terminal security evaluation factor based on the comparison results; Obtain the current key application stage, compare and analyze the consistency between the current key application stage and the key possible existence stage, and construct the application stage security evaluation factor based on the comparison results; A multi-factor conversion relationship is established, and the time-based security evaluation factor, frequency-based security evaluation factor, user security evaluation factor, terminal security evaluation factor, and application-level security evaluation factor are used as input parameters and substituted into the multi-factor conversion relationship to obtain the security evaluation value.

5. A key management method according to claim 4, characterized in that, The expression for the multi-factor conversion relationship is as follows: y=k1*x1+k2*x2+k3*x3+k4*x4+k5*x5; Where y is the security evaluation value, k1 is the time security conversion factor, k2 is the frequency security conversion factor, k3 is the user conversion factor, k4 is the terminal security conversion factor, k5 is the application security conversion factor, x1 is the time security evaluation factor, x2 is the frequency security evaluation factor, x3 is the user security evaluation factor, x4 is the terminal security evaluation factor, and x5 is the application security evaluation factor.

6. The key management method according to claim 4, characterized in that, The recordable key also includes a key usage log encoding segment, which is used to record usage information for each use of the recordable key and update the original usage information records. The usage information includes the key usage time, the number of times the key is used, the user who uses the key, the terminal that uses the key, and the application stage of the key.

7. A key management method according to claim 6, characterized in that, The method for generating the key using log-coded segments includes: The character encoding segment correspondence set also includes the characters applied to the usage information of the recordable key, and the encoding segments corresponding to the characters; The system acquires usage information when using the recordable key, updates the original usage information record based on the changes in the usage information, and scans and analyzes the updated usage information to obtain the second key character segment. The second key character segment is translated into a second key character encoding segment according to the character encoding correspondence set; A second identification encoding segment is added before and after the second key character encoding segment to form a key usage log encoding segment.

8. A key management method according to claim 1, characterized in that, The method for generating the initial key includes: A key management center is established, which is used to determine the required key type based on the key application information in order to generate the initial key.

9. A key management method according to claim 8, characterized in that, The initial key includes a system application key and a user usage key. The system application key is reserved for use in the system, and the user usage key is sent to the user terminal.

10. A key management method according to claim 9, characterized in that, Methods for generating system application keys and user access keys include: Establish a key backup repository and a key in-use repository; Obtain key request information and verify the legality of the key request information; If the key application information passes the validity verification, then determine whether the key backup library has a backup key; If it is determined that there is a spare key in the key backup library, then the system application key and the user usage key are sent to the key in use library; If it is determined that there is no backup key in the key backup library, the generation interface is called to generate a system application key and a user key, and the system application key and the user key are sent to the key in use library.