A secret key management method and system based on security check

By constructing a five-dimensional full-link verification model and dynamic behavior profile, combined with modular architecture and machine learning algorithms, the problems of insufficient security and poor adaptability of existing key management technologies are solved, realizing intelligent and multi-dimensional security protection throughout the key management lifecycle, and adapting to security needs in complex scenarios.

CN122160131APending Publication Date: 2026-06-05SHANGHAI UNI SENTRY INTELLIGENT TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHANGHAI UNI SENTRY INTELLIGENT TECH CO LTD
Filing Date
2026-03-11
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing key management technologies suffer from problems such as limited security verification dimensions, lagging behavior monitoring, rigid key lifecycle management, poor scenario adaptability, and incomplete key technical verification. These issues make it difficult to cope with key security threats in complex scenarios and can easily lead to security incidents such as key leakage, unauthorized access, and business interruption.

Method used

We construct a key management method based on security verification, including a five-dimensional full-link verification model, dynamic behavior profiling, intelligent management mode, and modular configurable architecture. This enables multiple verifications and dynamic adjustments throughout the key's lifecycle. We combine machine learning algorithms and Gaussian mixture models for real-time risk analysis, adopt a modular architecture to adapt to different scenario requirements, and perform algorithm compliance verification and secondary encrypted storage.

Benefits of technology

It achieves end-to-end, multi-dimensional security protection for key management, improves security and intelligent control levels, can quickly identify abnormal operations and new types of attacks, adapts to various scenario requirements, and ensures the security and reliability of keys.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160131A_ABST
    Figure CN122160131A_ABST
Patent Text Reader

Abstract

The application provides a secret key management method and system based on security verification, belongs to the technical field of secret key management, collects multi-scene characteristic data, quantifies security requirements and threat characteristics; constructs a five-dimensional full-link verification model, carries out multi-verification of the whole life cycle of the secret key; constructs a dynamic behavior portrait based on machine learning, quantitatively analyzes the abnormality and classifies the disposal; dynamically adjusts the secret key update cycle and self-verification frequency according to multi-dimensional risk parameters, realizes intelligent management of the whole life cycle; adopts a modular configurable architecture to adapt to multiple scenes; completes full-dimensional verification and storage protection of the secret key technology, and forms a whole-process secret key security management and control. The application adopts the secret key management method and system based on security verification, solves the problems of single security verification dimension, lagging behavior monitoring, rigid secret key life cycle management, poor scene adaptability and incomplete secret key technology level verification of the existing secret key management technology.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of key management technology, and in particular to a key management method and system based on security verification. Background Technology

[0002] In today's era of rapid digitalization and networking, the security of key management, as the core carrier of information security, directly determines the security boundaries of information systems and data assets. Currently, the scale of interconnected devices across various fields continues to expand, and the frequency of key operations throughout their entire lifecycle—from generation and storage to use, updating, and destruction—is increasing exponentially. Meanwhile, cyberattack methods are constantly evolving, and security threats such as theft, forgery, misuse, and tampering of keys are becoming increasingly prominent, posing a severe challenge to information security across various industries.

[0003] Existing key management technologies have several significant shortcomings, failing to meet the high security demands of today's complex scenarios. Current security verification dimensions are mostly focused on single-stage or single-dimensional protection, lacking a comprehensive, multi-dimensional verification system covering the entire key lifecycle, making them prone to single points of vulnerability. Furthermore, behavioral monitoring is lagging, primarily relying on post-event auditing, unable to identify abnormal operations and new attacks in real time, only able to passively respond to security threats, and unable to achieve proactive prevention. Key lifecycle management models are rigid, often employing fixed update cycles and management strategies, lacking intelligent adaptation capabilities based on dynamic risk adjustments, resulting in insufficient control efficiency and reliability. Existing technologies are mostly fixed architectures, unable to flexibly adapt to the differentiated security needs and resource constraints of heterogeneous scenarios such as IoT, fintech, and industrial control systems, easily leading to an imbalance between security and practicality. Key technology-level verification is incomplete, lacking standardized processes for verifying core technical indicators such as algorithm compliance and key randomness, and storage protection methods are simplistic, resulting in insufficient basic key security.

[0004] The aforementioned problems directly lead to frequent security incidents such as key leaks, unauthorized access, and business interruptions, necessitating a key management technology with end-to-end security protection capabilities. Summary of the Invention

[0005] The purpose of this invention is to provide a key management method and system based on security verification, which solves the problems of existing key management technologies, such as single security verification dimension, lagging behavior monitoring, rigid key lifecycle management, poor scenario adaptability, and incomplete key technology-level verification. These technologies are unable to cope with key security threats in current complex scenarios and are prone to security incidents such as key leakage, unauthorized access, and business interruption.

[0006] To achieve the above objectives, the present invention provides a key management method based on security verification, comprising the following steps: S1. Collect feature data from multiple scenarios to quantify security requirements and threat characteristics; S2. Construct a five-dimensional full-link verification model of "identity-authority-operation-key-behavior" and perform multiple verifications at each stage of the key's lifecycle; S3. Construct dynamic behavior profiles based on machine learning algorithms, quantify the degree of behavior abnormality, and trigger graded handling measures. S4. Based on multi-dimensional risk parameters, dynamically adjust the key update cycle and self-verification frequency to achieve intelligent management of the entire key lifecycle. S5 adopts a modular and configurable architecture, supporting scenario-based module selection and fine-tuning of parameters; S6. Implements full-dimensional verification and storage protection at the execution key technology level, including algorithm compliance verification, randomness verification, secondary encryption storage, and hardware protection.

[0007] Preferably, the specific implementation of the five-dimensional full-link verification model includes: The five-dimensional verification indicators are broken down into identity, permission, operation, key, and behavior dimensions. Each dimension corresponds to 1-3 core verification indicators and is assigned weights. Receive scenario-based verification strategy parameter configuration data, adjust the thresholds of various dimensional indicators, and generate five-dimensional verification model instances adapted to different scenarios. For the five lifecycle stages of key generation, storage, use, update and destruction, five-dimensional verification is performed respectively, a comprehensive verification score is calculated, and anomaly levels are classified according to the score, triggering early warning or interception operations.

[0008] Preferably, the construction and updating of dynamic behavioral profiles includes: Real-time collection of key operation behavior data, structured into a behavior feature dataset; Feature extraction and dimensionality reduction are performed on real-time behavioral data to generate normalized behavioral feature vectors; A Gaussian mixture model is used, with historical behavioral feature data as the training set, to build a user / device behavior profile model, and the profile parameters are updated hourly. The deviation between real-time behavioral characteristics and dynamic behavioral profiles is calculated using the Mahalanobis distance formula to determine the level of behavioral risk and trigger corresponding response measures.

[0009] Preferably, intelligent management of the entire key lifecycle includes: Collect multi-dimensional risk parameters, including behavioral risk parameters, attack risk parameters, algorithm risk parameters, business risk parameters, and verification risk parameters; Construct a multiple linear regression model, taking multidimensional risk parameters as input and key update cycle and self-verification frequency as output; The personalized update cycle for each key is calculated using a dynamic update cycle formula, and the integrity and validity of the key are verified based on the self-verification frequency. Based on the verification results, the key repair or seamless rotation operation is automatically performed, and the key lifecycle status is updated in real time.

[0010] Preferred implementations of the modular, configurable architecture include: The core key management function is broken down into six independent configurable modules: identity authentication module, five-dimensional verification module, behavior monitoring module, lifecycle management module, technical verification module, and storage protection module. The adaptability of each module to the scene is calculated using the scene adaptability formula, and the module combination is automatically selected. Adjust the core parameters of each module according to the security level and resource limitations of the scenario to achieve scenario-based fine-grained configuration; The design incorporates standardized input / output interfaces, supporting hot-swapping and dynamic adjustment of modules.

[0011] Preferably, comprehensive verification and storage protection at the key technology level includes: Collect core technical characteristic data during the key generation and storage stages, including encryption algorithm type, key length, random number seed, storage medium type, and access control list; Verify whether the algorithm used for the key conforms to the security standards specified in the scenario; if it does not conform, reject the key generation request. The entropy value of the key is calculated using the Shannon entropy formula to evaluate the randomness of the key. If the entropy value is lower than a preset threshold, the key is regenerated. The keys in the "in use" state are encrypted twice and stored using the national standard SM4 symmetric encryption algorithm, and are preferentially stored in the device security chip / TPM; Access control lists are used to verify the permissions of the access subjects, and the health status of the key storage medium and access logs are monitored in real time.

[0012] A key management system based on security verification, the system comprising: The scenario requirements collection and analysis module is responsible for collecting feature data from multiple scenarios and quantifying security requirements and threat characteristics. The five-dimensional full-link verification module constructs and executes a five-dimensional verification model of "identity-authority-operation-key-behavior"; The real-time dynamic behavior risk verification module builds dynamic behavior profiles based on machine learning algorithms and quantitatively analyzes the degree of behavior abnormality. The key lifecycle intelligent management module dynamically adjusts the key update cycle and self-verification frequency based on multi-dimensional risk parameters. Modular and configurable architecture modules, core functions are split into independent modules, supporting scenario-based module selection and parameter adjustment; The key technology verification and storage protection module performs algorithm compliance verification, randomness verification, secondary encryption storage, and hardware protection.

[0013] Preferably, the system also includes: The data preprocessing module cleans and normalizes the collected multi-dimensional heterogeneous data to eliminate dimensional differences. The problem identification and prioritization module, based on demand-technology matching metric analysis and K-means clustering algorithm, accurately identifies core technical problems that existing technologies cannot meet the needs of the scenario, and calculates the problem priority; The log auditing and compliance check module records key management operation logs.

[0014] Therefore, the present invention employs the above-mentioned key management method and system based on security verification, and the technical effects are as follows: 1. Significantly enhanced security: The constructed end-to-end five-dimensional verification system covers five dimensions: identity, permissions, operations, keys, and behaviors, spanning the entire key lifecycle. Through a real-time dynamic behavior risk verification mechanism, it can quickly intercept abnormal operations and new types of attacks.

[0015] 2. Significantly improved level of intelligent management and control: The risk-driven intelligent key lifecycle management model dynamically calculates personalized update cycles and self-verification frequencies based on multi-dimensional risk parameters, enabling automatic repair and seamless rotation of abnormal keys without manual intervention.

[0016] 3. Balancing scenario adaptability and practicality: The modular and configurable architecture supports hot-swapping of 6 core functional modules and scenario-based parameter adjustment, enabling rapid adaptation to the heterogeneous needs of 5 core scenarios, including the Internet of Things, fintech, and industrial control systems. Attached Figure Description

[0017] Figure 1 This is a flowchart of a key management method based on security verification according to the present invention. Detailed Implementation

[0018] The technical solution of the present invention will be further described below with reference to the accompanying drawings and embodiments.

[0019] Unless otherwise defined, the technical or scientific terms used in this invention shall have the ordinary meaning as understood by one of ordinary skill in the art to which this invention pertains.

[0020] Example 1 like Figure 1As shown, this invention provides a key management method based on security verification. It takes the entire data processing process as the framework, connects cross-step data transmission, incorporates quantitative calculation formulas, and realizes full-link, quantifiable, and scenario-based security control of key management. It accurately solves the shortcomings of existing technologies in terms of adaptability, protection, and management flexibility.

[0021] First, multi-dimensional data collection and preprocessing were conducted to provide quantitative basis for subsequent solution design. Regarding the collection of scenario characteristics and security requirements, the number of device nodes was collected for five core scenarios, including the Internet of Things and cloud computing. Key usage frequency Basic parameters, and quantified data confidentiality levels in accordance with industry security standards. The safety requirements indicators range from level 1 to level 5.

[0022] Based on cybersecurity threat intelligence from the past three years, the frequency of key theft attacks was analyzed. Threat characteristics and corresponding impact levels All collected data, after cleaning, were normalized using the following linear normalization formula: ; in, Normalized value The original data, and These are the minimum and maximum values ​​of the indicator, respectively. Mapping to the [0,1] interval eliminates the difference in dimensions, and finally outputs the normalized dataset of scene features, security requirements and threat features.

[0023] Based on the previously collected demand data, the focus is on the compatibility deficiencies of existing technologies. First, publicly available data on similar patents and mainstream technologies are collected and structured to include a number of verification dimensions. Real-time behavior monitoring The technical feature set of indicators, etc. The demand-technology weighted matching degree formula is used as follows: in, For matching degree, the smaller the value, the better the fit. As the indicator weight, and The normalized values ​​of the requirements and technical indicators are used to calculate the degree of fit, and mismatch items with a matching degree of less than 0.6 are filtered out.

[0024] The K-means clustering algorithm (K=5) was used to classify the mismatches into 5 categories of core technical issues. The priority of the issues was determined by "threat impact level × demand weight × quantification gap value", which clarified the target for subsequent solution design.

[0025] A five-dimensional end-to-end verification data model is constructed. This model covers five dimensions: identity, permissions, operations, keys, and behavior. Each dimension is broken down into quantifiable indicators and assigned weights: the identity dimension includes the authentication pass rate. (Weight 0.25) and information completeness (Weight 0.15), permission level matching degree is set in the permission dimension. (Weight 0.2), compliance score is set for the operational dimension. (Weight 0.1), key dimension includes validity. (Weight 0.1) and algorithm compliance (Weight 0.05), risk level set for behavioral dimension. (Weight 0.15).

[0026] By combining scenario-based verification strategy parameters, the indicator thresholds are adjusted for different scenarios, and verification is performed at each stage of the entire lifecycle, including key generation and storage. The comprehensive scoring formula is as follows: ; in, Scores range from 0 to 100. The total weight of the dimension. The verification result is calculated based on the dimension normalized score. If the score is below 80, it is judged as abnormal and handled in three levels: 70-80 (mild), 50-70 (moderate), and <50 (severe), triggering a reminder, increasing the authentication strength, or blocking the operation respectively.

[0027] Establish a real-time dynamic risk verification mechanism. Collect behavioral data such as operation time, frequency, and location using data tracking technology, and combine this data with historical data from the past 90 days to extract and normalize time, frequency, and spatial features, generating a behavioral feature vector. Use a Gaussian Mixture Model (GMM) to construct a dynamic behavioral profile, updating parameters hourly. Based on the Mahalanobis distance formula: ; in, For anomaly degree, For real-time feature vectors, This is the image mean vector. The covariance matrix is ​​used. The abnormality score is calculated and compared with a contextualized threshold to determine the risk level. Medium and high risks trigger enhanced authentication or interception warnings, upgrading behavioral risk prevention and control from "post-event auditing" to "real-time prediction".

[0028] To address the issue of "rigid management models," a smart key lifecycle management model is constructed. This includes mitigating risks associated with data collection. Attack risk Five-dimensional risk parameters, updated via key cycle. and self-check frequency For output, train a multiple linear regression model. Update the periodic formula dynamically: ; in, Based on the cycle, For risk parameter weights, To prevent the denominator from being zero, a personalized update cycle is calculated. Integrity and validity checks are performed on the key at a self-verification frequency; minor anomalies are automatically repaired, while severe anomalies are seamlessly rotated, and the key lifecycle status is updated in real time.

[0029] To improve scenario adaptability, a modular and configurable data architecture was constructed. The core functionality was broken down into six independent modules, including identity authentication and five-dimensional verification, with each module defining configurable parameters. The scenario adaptability formula is used as follows: ; in, For compatibility, For parameter matching coefficients, For parameter weights, This refers to the number of parameters. It calculates the adaptability of modules to different scenarios and automatically selects the appropriate module combination. For different scenarios such as finance and IoT, it finely adjusts module parameters: in financial scenarios, it increases the weight of the key dimension and shortens the update cycle; in IoT scenarios, it lowers the behavior monitoring threshold and increases the lower limit of entropy; and in enterprise-level scenarios, it provides a balanced configuration. Through standardized interface design, it supports hot-swapping of modules, achieving universal adaptation across multiple scenarios.

[0030] Strengthen comprehensive verification and storage protection at the key technology level. Collect characteristics such as algorithm type and length during the key generation stage, and verify whether the algorithm complies with national cryptographic standards, FIPS 140-2, and other standards to ensure compliance. If it is qualified, then it is rejected; otherwise, it is rejected. This is based on the Shannon entropy formula: ; in, The entropy value. The probability of character occurrence. Quantize the randomness of the key; the entropy value of the symmetric key must be ≥128. The "in use" key is encrypted twice using the SM4 algorithm: ; in, It is a ciphertext. For the root key, In plaintext, the data is preferentially stored in a secure chip, supplemented by access control lists and hardware-triggered decryption mechanisms. The storage medium status is monitored in real time; malicious access attempts will trigger locking and alerts. Finally, the security level of the key technology is assessed through a weighted summation method. This provides support for end-to-end verification and lifecycle management.

[0031] To achieve the above-mentioned key management, this invention provides a key management system based on security verification, the system comprising: The scenario requirements collection and analysis module is responsible for collecting feature data from multiple scenarios and quantifying security requirements and threat characteristics. The five-dimensional full-link verification module constructs and executes a five-dimensional verification model of "identity-authority-operation-key-behavior"; The real-time dynamic behavior risk verification module builds dynamic behavior profiles based on machine learning algorithms and quantitatively analyzes the degree of behavior abnormality. The key lifecycle intelligent management module dynamically adjusts the key update cycle and self-verification frequency based on multi-dimensional risk parameters. Modular and configurable architecture modules, core functions are split into independent modules, supporting scenario-based module selection and parameter adjustment; The key technology verification and storage protection module performs algorithm compliance verification, randomness verification, secondary encryption storage, and hardware protection.

[0032] The data preprocessing module cleans and normalizes the collected multi-dimensional heterogeneous data to eliminate dimensional differences. The problem identification and prioritization module, based on demand-technology matching metric analysis and K-means clustering algorithm, accurately identifies core technical problems that existing technologies cannot meet the needs of the scenario, and calculates the problem priority; The log auditing and compliance check module records key management operation logs.

[0033] Therefore, this invention adopts the aforementioned key management method and system based on security verification. It collects and normalizes feature, security requirements, and threat data from five core scenarios, including the Internet of Things and Fintech. Then, it uses a weighted matching degree formula to quantitatively analyze the adaptation gap between existing technologies and requirements. K-means clustering is used to locate five core technical problems and prioritize them. Subsequently, a five-dimensional full-link verification model is constructed to achieve full lifecycle protection of keys, real-time dynamic behavioral risk verification based on Mahalanobis distance, a risk-driven intelligent management model for the entire lifecycle of keys, a modular and configurable multi-scenario adaptation architecture, and a comprehensive technical protection system covering algorithm compliance, random entropy value verification, and SM4 secondary encryption storage. Data is transferred across links in each step, and formula quantification supports the process, enabling quantifiable, implementable, and scenario-based security control of key management, thus making up for the shortcomings of existing technologies.

[0034] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the technical solutions of the present invention, and these modifications or equivalent substitutions cannot cause the modified technical solutions to deviate from the spirit and scope of the technical solutions of the present invention.

Claims

1. A key management method based on security verification, characterized in that, Includes the following steps: S1. Collect feature data from multiple scenarios to quantify security requirements and threat characteristics; S2. Construct a five-dimensional full-link verification model of "identity-authority-operation-key-behavior" and perform multiple verifications at each stage of the key's lifecycle; S3. Construct dynamic behavior profiles based on machine learning algorithms, quantify the degree of behavior abnormality, and trigger graded handling measures. S4. Based on multi-dimensional risk parameters, dynamically adjust the key update cycle and self-verification frequency to achieve intelligent management of the entire key lifecycle. S5 adopts a modular and configurable architecture, supporting scenario-based module selection and fine-tuning of parameters; S6. Implements full-dimensional verification and storage protection at the execution key technology level, including algorithm compliance verification, randomness verification, secondary encryption storage, and hardware protection.

2. The key management method based on security verification according to claim 1, characterized in that, The specific implementation of the five-dimensional full-link verification model includes: The five-dimensional verification indicators are broken down into identity, permission, operation, key, and behavior dimensions. Each dimension corresponds to 1-3 core verification indicators and is assigned weights. Receive scenario-based verification strategy parameter configuration data, adjust the thresholds of various dimensional indicators, and generate five-dimensional verification model instances adapted to different scenarios. For the five lifecycle stages of key generation, storage, use, update and destruction, five-dimensional verification is performed respectively, a comprehensive verification score is calculated, and anomaly levels are classified according to the score, triggering early warning or interception operations.

3. The key management method based on security verification according to claim 1, characterized in that, The construction and updating of dynamic behavioral profiles includes: Real-time collection of key operation behavior data, structured into a behavior feature dataset; Feature extraction and dimensionality reduction are performed on real-time behavioral data to generate normalized behavioral feature vectors; A Gaussian mixture model is used, with historical behavioral feature data as the training set, to build a user / device behavior profile model, and the profile parameters are updated hourly. The deviation between real-time behavioral characteristics and dynamic behavioral profiles is calculated using the Mahalanobis distance formula to determine the level of behavioral risk and trigger corresponding response measures.

4. The key management method based on security verification according to claim 1, characterized in that, Intelligent management of the entire key lifecycle includes: Collect multi-dimensional risk parameters, including behavioral risk parameters, attack risk parameters, algorithm risk parameters, business risk parameters, and verification risk parameters; Construct a multiple linear regression model, taking multidimensional risk parameters as input and key update cycle and self-verification frequency as output; The personalized update cycle for each key is calculated using a dynamic update cycle formula, and the integrity and validity of the key are verified based on the self-verification frequency. Based on the verification results, the key repair or seamless rotation operation is automatically performed, and the key lifecycle status is updated in real time.

5. The key management method based on security verification according to claim 1, characterized in that, The implementation of a modular and configurable architecture includes: The core key management function is broken down into six independent configurable modules: identity authentication module, five-dimensional verification module, behavior monitoring module, lifecycle management module, technical verification module, and storage protection module. The adaptability of each module to the scene is calculated using the scene adaptability formula, and the module combination is automatically selected. Adjust the core parameters of each module according to the security level and resource limitations of the scenario to achieve scenario-based fine-grained configuration; The design incorporates standardized input / output interfaces, supporting hot-swapping and dynamic adjustment of modules.

6. The key management method based on security verification according to claim 1, characterized in that, Comprehensive verification and storage protection at the key technology level includes: Collect core technical characteristic data during the key generation and storage stages, including encryption algorithm type, key length, random number seed, storage medium type, and access control list; Verify whether the algorithm used for the key conforms to the security standards specified in the scenario; if it does not conform, reject the key generation request. The entropy value of the key is calculated using the Shannon entropy formula to evaluate the randomness of the key. If the entropy value is lower than a preset threshold, the key is regenerated. The keys in the "in use" state are encrypted and stored twice, using the national standard SM4 symmetric encryption algorithm, and are preferentially stored in the device security chip / TPM; Access control lists are used to verify the permissions of the access subjects, and the health status of the key storage medium and access logs are monitored in real time.

7. A key management system based on security verification, used to implement the key management method based on security verification as described in any one of claims 1-6, characterized in that, The system includes: The scenario requirements collection and analysis module is responsible for collecting feature data from multiple scenarios and quantifying security requirements and threat characteristics. The five-dimensional full-link verification module constructs and executes a five-dimensional verification model of "identity-authority-operation-key-behavior"; The real-time dynamic behavior risk verification module builds dynamic behavior profiles based on machine learning algorithms and quantitatively analyzes the degree of behavior abnormality. The key lifecycle intelligent management module dynamically adjusts the key update cycle and self-verification frequency based on multi-dimensional risk parameters. Modular and configurable architecture modules, core functions are split into independent modules, supporting scenario-based module selection and parameter adjustment; The key technology verification and storage protection module performs algorithm compliance verification, randomness verification, secondary encryption storage, and hardware protection.

8. A key management system based on security verification according to claim 7, characterized in that, The system also includes: The data preprocessing module cleans and normalizes the collected multi-dimensional heterogeneous data to eliminate dimensional differences. The problem identification and prioritization module, based on demand-technology matching metric analysis and K-means clustering algorithm, accurately identifies core technical problems that existing technologies cannot meet the needs of the scenario, and calculates the problem priority; The log auditing and compliance check module records key management operation logs.