A mass key management method and device
By employing a multi-layered encryption mechanism that protects keys with master keys and data keys, along with pseudo-identity verification, the system solves the problems of security isolation and efficient management in the management of massive keys. This enables secure storage and rapid retrieval of massive keys and enhances user privacy protection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING ELECTRONICS SCI & TECH INST
- Filing Date
- 2026-04-08
- Publication Date
- 2026-06-23
AI Technical Summary
In cloud service and other application scenarios, how to efficiently manage massive amounts of keys while ensuring security and isolation, especially how to prevent hackers from bypassing access controls to directly access user data, while avoiding the management challenges brought about by the generation, storage, protection and use of massive amounts of keys.
A multi-layered encryption mechanism combining master key and data key protection key is adopted. By constructing a key address matrix and storing the encrypted storage address, combined with user pseudo identity identifier and temporary authentication, multi-layered encryption and pseudo identity verification are achieved, thereby improving the isolation protection capability and retrieval efficiency of the key.
It improves the storage security, retrieval efficiency, and usage security of massive keys, enhances user privacy protection, and ensures key isolation protection between different users, services, and operations.
Smart Images

Figure CN122268645A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of information security technology, and in particular to a method and apparatus for managing massive amounts of keys. Background Technology
[0002] With the development of information technology, various new service models are constantly emerging, especially the rapid development of cloud services, e-commerce, electronic payment, the sharing economy, big data centers, and social networks, which have directly led to a significant increase in both the number of users and the types of services offered. While information technology development brings various conveniences, it also brings a surge in security incidents, and data security directly impacts the security of various businesses and users' experience. To protect data security, cryptographic techniques are used to protect data transmitted over networks and stored in data centers. Information systems have a massive number of users, each with diverse service and business needs. Achieving secure protection and isolation between different users and services has become a significant challenge for data security.
[0003] In existing technologies, one solution is to use the same key for encryption protection for all users and services, while different users and services are isolated through access control policies. However, using access control methods for data isolation carries the risk that hackers can bypass the access control monitoring module and directly access individual user data, resulting in low security. Another solution is to use a one-time key approach, where different users and services use different keys for encryption protection, achieving protection and isolation between different users and services. This approach offers high security, but as the number of users and services increases, it inevitably generates a massive number of keys. Managing the entire lifecycle of these massive keys—including generation, storage, protection, use, and destruction—becomes a new challenge for data security in emerging application scenarios such as cloud services.
[0004] Therefore, how to efficiently manage massive amounts of keys while ensuring security and isolation has become a technical problem that urgently needs to be solved by those skilled in the art. Summary of the Invention
[0005] The main objective of this invention is to provide a method for managing massive amounts of keys.
[0006] Another objective of this invention is to provide a massive key management device.
[0007] The third objective of this invention is to provide a computer device.
[0008] A fourth objective of this invention is to provide a non-transitory computer-readable storage medium.
[0009] To achieve the above objectives, a first aspect of the present invention proposes a method for managing massive amounts of keys, comprising:
[0010] In response to a user access request, the system verifies the user's identity based on the user's identity identifier and password, obtains the identity verification result, and generates or obtains the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier after successful verification. When the authentication result indicates that the authentication is successful, the first random number generator is invoked to generate a data key, and the data key is encrypted using the master key and the data key protection key to obtain the encrypted data key; The encrypted data key is stored to obtain the corresponding storage address. The storage address is then encrypted using the data key address protection key to obtain the encrypted storage address. The encrypted storage address is then stored in the key address matrix. Based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier, the encrypted storage address is retrieved from the key address matrix. The encrypted storage address is then decrypted to obtain the storage address. Based on the storage address, the encrypted data key is retrieved and decrypted to recover the data key.
[0011] In one embodiment of the present invention, the step of verifying the user's identity based on the user's identity identifier and user password in response to a user access request, and obtaining an identity verification result, includes: During registration, the user generates a pseudo-identity and pseudo-password based on the user's identity identifier and password and sends them to the server; the server generates a temporary identity identifier, authentication parameters and authentication credentials, returns the temporary identity identifier and authentication credentials to the user, and stores the temporary identity identifier, user pseudo-identity identifier and authentication parameters. Upon login, the user regenerates a pseudo-password based on the user identity identifier and user password, and performs a consistency comparison with the stored authentication credentials. After the comparison is successful, the user generates an authentication message and sends the temporary identity identifier, service pseudo-identifier, job pseudo-identifier, and authentication message to the server.
[0012] In one embodiment of the present invention, the step of verifying the user's identity based on the user's identity identifier and user password in response to a user access request, and obtaining an identity verification result, further includes: The server receives the temporary identity identifier, service pseudo identifier, job pseudo identifier, and authentication message. Based on the temporary identity identifier, it retrieves the stored authentication parameters and verifies the authentication message. After successful verification, it obtains the user pseudo identity identifier, service pseudo identifier, and job pseudo identifier, and obtains the result of successful identity verification.
[0013] In one embodiment of the present invention, when the authentication result indicates that the authentication is successful, a first random number generator is invoked to generate a data key, and the data key is subjected to multi-layer encryption processing using a master key and a data key protection key to obtain a encrypted data key, including: The server calls the first random number generator to generate the data key; The server uses the master key to call the first encryption algorithm to encrypt the data key to obtain the first encrypted data key; The server generates a data key protection key based on the user pseudo-identity identifier, service pseudo-identity identifier, job pseudo-identity identifier and master key. Based on the data key protection key, the server calls a second encryption algorithm to encrypt the first encrypted data key to generate a second encrypted data key, and uses the second encrypted data key as the encrypted data key.
[0014] In one embodiment of the present invention, storing the encrypted data key to obtain the corresponding storage address, encrypting the storage address using a data key address protection key to obtain an encrypted storage address, and storing the encrypted storage address in a key address matrix includes: The server stores the second encrypted data key to obtain the address of the first data key, and uses the address of the first data key as the storage address of the encrypted data key; The server generates a data key address protection key by calling the key export function based on the user pseudo-identity identifier, service pseudo-identity identifier, job pseudo-identity identifier and master key. The server calls a third encryption algorithm based on the data key address protection key to encrypt the first data key address to obtain the second data key address, and uses the second data key address as the encrypted storage address; The server stores the second data key address into a key address matrix, wherein the key address matrix is a data key address matrix.
[0015] In one embodiment of the present invention, the step of retrieving the encrypted storage address from the key address matrix based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier, decrypting the encrypted storage address to obtain the storage address, retrieving the encrypted data key based on the storage address, and decrypting the encrypted data key to recover the data key includes: The server retrieves the second data key address from the key address matrix based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier. The server decrypts the second data key address based on the data key address protection key to obtain the first data key address, and retrieves the second encrypted data key based on the first data key address. The server decrypts the second encrypted data key using the data key protection key to obtain the first encrypted data key, and then decrypts the first encrypted data key using the master key to obtain the data key.
[0016] In one embodiment of the present invention, the server stores the second data key address into a key address matrix, including: The server stores the second data key address into the user data key address matrix according to the user's pseudo-identity identifier; The server stores the second data key address into the cell of the data key address matrix according to the service pseudo-identifier and the job pseudo-identifier.
[0017] To achieve the above objectives, a second aspect of the present invention provides a massive key management device, comprising: The authentication module is used to respond to user access requests, verify the user's identity based on the user's identity identifier and password, obtain the authentication result, and generate or obtain the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier after successful authentication. The key generation module is used to call the first random number generator to generate a data key when the authentication result indicates that the authentication is successful, and to perform multi-layer encryption processing on the data key using the master key and the data key protection key to obtain the encrypted data key; The address protection module is used to store the encrypted data key, obtain the corresponding storage address, encrypt the storage address using the data key address protection key to obtain the encrypted storage address, and store the encrypted storage address into the key address matrix. The key recovery module is used to retrieve the encrypted storage address from the key address matrix based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier; decrypt the encrypted storage address to obtain the storage address; retrieve the encrypted data key based on the storage address; decrypt the encrypted data key to recover the data key.
[0018] To achieve the above objectives, a third aspect of this application provides a computer device, including a processor and a memory; wherein the processor reads executable program code stored in the memory to run a program corresponding to the executable program code, for implementing a massive key management method as described in the first aspect embodiment.
[0019] To achieve the above objectives, a fourth aspect of this application provides a non-transitory computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements a massive key management method as described in the first aspect.
[0020] The embodiments of the present invention have the following beneficial effects: This invention improves the storage security of massive keys through a multi-layered encryption mechanism combining master keys, data keys, and protection keys; improves the retrieval efficiency of massive keys by constructing a key address matrix and storing encrypted storage addresses; enhances key isolation and protection capabilities by generating separate protection keys for different users, services, and jobs; improves user privacy protection by combining user pseudo-identity identifiers with temporary identities; and enhances the security of key usage through a multi-level pseudo-identity verification and retrieval mechanism. Attached Figure Description
[0021] The above and / or additional aspects and advantages of the present invention will become apparent and readily understood from the following description of the embodiments taken in conjunction with the accompanying drawings, wherein: Figure 1 A flowchart illustrating a massive key management method provided in an embodiment of the present invention; Figure 2 This is a schematic diagram of the user registration steps provided in an embodiment of the present invention; Figure 3 This is a schematic diagram of user login steps provided in an embodiment of the present invention; Figure 4 This is a schematic diagram of user authentication steps provided in an embodiment of the present invention; Figure 5 This is a schematic diagram of the key protection steps provided in an embodiment of the present invention; Figure 6 A key address storage matrix diagram provided for embodiments of the present invention; Figure 7 This is a schematic diagram of the key retrieval and recovery steps provided in an embodiment of the present invention; Figure 8 The key logic diagram provided for embodiments of the present invention; Figure 9 This is a structural diagram of a massive key management device provided in an embodiment of the present invention. Detailed Implementation
[0022] It should be noted that, unless otherwise specified, the embodiments and features described in the present invention can be combined with each other. The present invention will now be described in detail with reference to the accompanying drawings and embodiments.
[0023] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.
[0024] The following description, with reference to the accompanying drawings, describes a method and apparatus for managing massive amounts of keys according to an embodiment of the present invention.
[0025] Example 1 This embodiment provides a method for managing massive amounts of keys, such as Figure 1 As shown, the method includes the following steps: S1 responds to a user access request by verifying the user's identity based on the user's identity identifier and password, obtaining the identity verification result, and generating or obtaining the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier after successful verification.
[0026] Specifically, this process includes three parts: user registration, user login, and user authentication.
[0027] I. User registration steps.
[0028] Specifically, the user registration process is used by users based on their unique identity identifiers. ID and password PW Register on the server to generate user authentication parameters and authentication credentials.
[0029] First, users are based on their unique identity. ID and password PW Generate pseudo identity tokens HIDu and fake passwords HPW and the false identity HIDu and fake passwords HPW Send to the server.
[0030] Next, the server uses the user's fake identity. HIDu and fake passwords HPW Generate user authentication parameters A, B, C and the first authentication credential, and simultaneously generate a temporary identity. TID and the false identity HIDu Temporary identity TID The authentication parameter C is stored locally, and the first authentication credential, authentication parameters A and B, and temporary identity are sent to the user.
[0031] Subsequently, the user uses the first authentication credential, authentication parameters A and B, and temporary identity. TID Generate authentication parameters D, E, F and a second authentication credential, and store the user identity, temporary identity, authentication parameters D, E, F and the second authentication credential locally.
[0032] Furthermore, such as Figure 2 As shown, the specific implementation of the registration steps includes: (1) The user calls the second random number generator to generate random numbers. r 1.
[0033] (2) Users are based on a unique identifier ID and a random number. r 1. Call the digest function h to calculate the pseudo-identity. HIDu , HIDu = h ( ID || r 1) Based on the initial password value and a random number r 1. Call the digest function h to calculate the pseudo password. HPW = h ( PW || r 1), and transmit via a secure channel < HIDu , HPW >Transmitted to the server.
[0034] The digest function h is a hash function that generates a fixed-length digest value from a sequence of arbitrary length, including but not limited to SM3, SHA3, SHA1, SHA2, MD5, MD4, etc.
[0035] The second random number generator includes, but is not limited to, various pseudo-random number generators and true random number generators.
[0036] (3) The server receives the fake identity and fake password sent by the user. HIDu , HPW > Call the first random number generator to generate random numbers. r 2.
[0037] The first random number generator includes, but is not limited to, various pseudo-random number generators and true random number generators. The first random number generator and the second random number generator may be the same or different.
[0038] (4) The server is based on the user's pseudo identity. HIDu Fake password HPW and random numbers r 2. Call the digest function h to calculate authentication parameters A, B, C and the first authentication credential. token 1, A = r 2⊕ h ( HIDu ⊕ HPW ), B = h ( HIDu || r 2‖ K ), C = r 2⊕ h ( HIDu || K ), token 1= h ( HIDu|| HPW || r 2).
[0039] (5) The server generates a temporary identity for the user. TID The user's temporary identity, pseudo-identity, and authentication parameter C are stored in the database. TID , HIDu , C Stored on the server, and the first authentication credential... token 1. Temporary identity and authentication parameters A and B<token1,TID,A,B> Send it to the user.
[0040] (6) The user receives the message sent by the server.<token1,TID,A,B> Then, based on the random number r1 and authentication parameters A and B, the digest function h is called to generate authentication parameters D, E, and F and a second authentication credential. token 2. D=r1⊕A, E=B⊕h(HIDu⊕HPW⊕r1), F=r1⊕h(ID‖PW), token2=h(token1⊕HPW⊕r1).
[0041] (7) User U storage<TID,D,E,F,token2> .
[0042] In this invention, user registration is performed using a pseudo-identity and pseudo-password. Simultaneously, after registration, the server generates a temporary identity for the user, effectively preventing the leakage of the user's real identity and password, and protecting user privacy. Authentication parameters A, B, C, D, E, and F, along with the first and second authentication credentials, are based on the temporary pseudo-identity, pseudo-password, and a random number. r 2. Generation: On the one hand, it binds authentication parameters and authentication credentials to user identity; on the other hand, it generates random numbers. r 2. Effectively prevents replay attacks. By storing authentication parameters and credentials, further verification of user identity is supported, effectively preventing user information leakage caused by directly storing usernames and passwords. Different authentication parameters and credentials are stored on the server and user sides, effectively preventing the simultaneous leakage of data from one side and significantly improving the security of user authentication.
[0043] II. User Login Steps.
[0044] Specifically, the user login step is used by users based on their unique identity. ID and password PW Log in locally, generate new authentication parameters B' and authentication message M1, and send the new authentication parameters B' and authentication message M1 to the server.
[0045] First, the user enters a unique identifier. ID and password PWBased on identity identifier ID Retrieve temporary identity, authentication parameters D, E, F, and second authentication credentials, based on identity identifier. ID Password PW And the calculation of authentication parameters D, E, F, and pseudo-identity HIDu and fake passwords HPW, The system retrieves a new second authentication credential and checks if it matches the retrieved second authentication credential. If they match, the user can log in; otherwise, the login fails.
[0046] After successful login, calculate the new authentication parameter B' and authentication message M1, and send the new authentication parameter B' and authentication message M1 to the server.
[0047] Furthermore, such as Figure 3 As shown, the specific implementation of the login steps includes: (1) User inputs unique identifier ID and password PW .
[0048] (2) Users are based on a unique identity identifier ID The corresponding temporary identity was retrieved. TID Authentication parameters D , E , F Second certification certificate token 2.
[0049] (3) Users are based on a unique identity identifier ID Password PW and authentication parameters D , E , F Call the summary function h to calculate r 1= F ⊕h( ID || PW ), false identity HIDu and fake passwords HPW, HIDu =h( ID || r 1), HPW =h( PW || r 1) New second certification certificate token 2'=h( token 1⊕ HPW ⊕ r 1).
[0050] (4) The user determines the new second authentication credential. token 2' and the retrieved second authentication credential token 2. Check if the two matches. If they match, the user's login is successful; otherwise, the login fails.
[0051] (5) After successful login, the user calls the second random number generator to generate a random number. r 5.
[0052] (6) Users based on fake identities, fake passwords, and random numbers r 1. Call the digest function to calculate the new authentication parameters. B '= E ⊕h( HIDu ⊕ HPW ⊕ r 1) Based on pseudo-identity, authentication parameter B', and random number r 2. r 5. Call the digest function to generate authentication messages. M 1= r 5⊕h( B || HIDu || HIDs || HIV / AIDS || r 2) Based on random numbers r 5. Temporary status TID Authentication message M 1. Call the digest function to calculate the digest value h( r 5‖ TID || M 1), and will use the user's temporary identity TID Service false label HIDs False identification of work HIV / AIDS New certification parameters B 'and authentication message M 1. Summary value h( r 5‖ TID || M 1) Send to the server. HIDs For the pseudo-identifier of the service to be encrypted / decrypted, HIV / AIDS This is a pseudo-identifier for the job to be encrypted / decrypted. A user can have one or more services, and a service can have one or more jobs. Services and jobs are sent to the server using this pseudo-identifier to prevent the server from creating a user profile.
[0053] In the user login step of this invention, the user inputs a unique identifier. ID and password PW The system verifies the user's identity and password by comparing the second authentication credential for consistency. Simultaneously, it generates new authentication parameters and messages to support further server-side verification of the user's identity.
[0054] III. User authentication steps.
[0055] Specifically, the user authentication step is used by the server to authenticate the user based on the authentication parameters and authentication messages sent by the user. After successful authentication, the server can generate a corresponding data key based on the user's pseudo-identity, service pseudo-identity, and job pseudo-identity, or the user can access the corresponding data key. If authentication fails, the above operation is rejected.
[0056] Subsequently, the server based on the temporary identity TID Search for fake user identities HIDu Based on the new authentication parameter B', authentication message M1, user temporary identity, and authentication parameter C, the user is authenticated. If the authentication is successful, the user proceeds to the next step; otherwise, the user is refused access to the data key or the generation of the data key is denied.
[0057] Furthermore, such as Figure 4 As shown, the specific implementation of the authentication steps includes: (1) The server receives < TID , HIDs , HIV / AIDS , B ', M 1, h( r 5‖ TID || M 1)>, according to TID Searching for fake user identities HIDu and authentication parameters C .
[0058] (2) The server is based on authentication parameters C False identity HIDu Master key K Call the digest function to calculate r 2'= C ⊕h( HID || K Based on authentication messages M 1. Certification Parameters B User pseudo-identity HIDu Random numbers r 2' Call the digest function to calculate r 5'= M 1⊕h( B '‖ HIDu || r 2').
[0059] (3) The server determines h( r 5'‖ TID || M 1) and h( r 5‖ TID || M 1) Are they consistent? If they are consistent, then... r 2 and rIf the integrity of step 5 is verified, the next step is to generate or restore a data key for the user; otherwise, the generation of a data key for the user or access to the data key will be refused.
[0060] In the user authentication step of this invention, the verification server verifies the temporary identity. TID The corresponding pseudo-identity was retrieved. HIDu and authentication parameters C Calculate random numbers through authentication steps r 2'、 r 5'、h( r 5'‖ TID || M 1), if h( r 5'‖ TID || M 1) and h( r 5‖ TID || M 1) If the match is consistent, user authentication is successful, and the server will then use a random number to perform subsequent authentication. r 2. False service identifiers HIDs False identification of work HIV / AIDS Restore the user's key.
[0061] The master key of this invention is the highest-level security key for the server, stored in a secure area of the server, or divided into different parts and stored in different locations. This master key, stored on the server, is used in user authentication to ensure the legitimacy of only the server's identity. The server master key can be generated and injected securely online or offline.
[0062] S2, when the authentication result indicates that the authentication is successful, the first random number generator is invoked to generate a data key, and the data key is encrypted using the master key and the data key protection key to obtain the encrypted data key.
[0063] S3, store the encrypted data key to obtain the corresponding storage address, encrypt the storage address using the data key address protection key to obtain the encrypted storage address, and store the encrypted storage address in the key address matrix.
[0064] Specifically, steps S2 and S3 together complete the two parts of key generation and key protection.
[0065] I. Key generation steps.
[0066] Specifically, the key generation step is used by the server to call the first random number generator to generate data keys for different users, different services, and different jobs; First, the server calls the first random number generator to generate data keys based on different users, services, and jobs. Key , Key=PRF( K,HIDu || HIDs || HIV / AIDS ).
[0067] Next, the data key Key by K,HIDu || HIDs || HIV / AIDS The seed key is used to generate a pseudo-random function, which includes, but is not limited to, pseudo-random functions based on cryptographic algorithms, such as pseudo-random functions based on block cipher algorithms, pseudo-random functions based on stream ciphers, and pseudo-random functions based on hash functions. Pseudo-random functions also include those constructed using basic mathematical operations, such as linear congruential and BBS pseudo-random functions.
[0068] II. Key Protection Steps.
[0069] Specifically, the key protection step is used by the server to protect and isolate data keys for different users, different services, and different jobs.
[0070] First, the server uses the master key to call a key encryption algorithm to encrypt the data key to obtain a first encrypted data key; based on the user pseudo-identity, service pseudo-identity, job pseudo-identity and master key, it calls a key derivation function to generate a data key protection key and a data key address protection key; based on the data key protection key, the first encrypted data key is encrypted again to generate a second encrypted data key, and the second encrypted data key is stored to obtain a first data key address; based on the first data key address and the data key address protection key, the data key address is encrypted to obtain a second data key address, and the second data key address is stored to obtain a data key address matrix.
[0071] The master key is the server's highest-level security key, stored in a secure area of the server or divided into different parts stored in different locations. Data keys are encrypted using the master key, ensuring that only the server can recover the master key. Simultaneously, data keys for different users, services, and jobs are encrypted a second time using different data key protection keys, achieving data key isolation between different users, services, and jobs. The data key addresses for different users, services, and jobs are encrypted using different data key address protection keys, achieving isolation and protection between different data key addresses. The secondary data key addresses are centrally stored to enable fast retrieval of key addresses for different users, services, and jobs.
[0072] Furthermore, such as Figure 5 As shown, the specific implementation of the key protection steps includes: (1) The server is based on the master key K Call the first encryption algorithm to test the data key Key Encryption yields the first encrypted data key Key=Encrypt1( K , Key The first encryption algorithm includes, but is not limited to, block cipher algorithms, stream cipher algorithms, public-key algorithms, and XOR.
[0073] (2) The server is based on the user's pseudo identity. HIDu Service false label HIDs False identification of work HIV / AIDS and master key K Call the key export function to generate the data key and protection key. r 3=KDF( K , HIDu || HIDs || HIV / AIDS , r 2, ID key ) and data key address protection key r 4=KDF( K , HIDu || HIDs || HIV / AIDS , r 2, ID keyAddress The key derivation functions include, but are not limited to, various existing key derivation functions. ID key For data key identifier, the ID keyAddress This is the data key address identifier.
[0074] (3) The server protects the key based on the data key. r 3. Call the second encryption algorithm to process the first encrypted data key. Key 'Encryption to generate second-state data key' Key '' = Encrypt2( r 3, Key '), and store the second encrypted data key to obtain the address of the first data key. KeyAddress The second encryption algorithm includes, but is not limited to, block cipher algorithms, stream cipher algorithms, public-key algorithms, and XOR.
[0075] (4) The server protects the key based on the data key address. r 4. Call the third encryption algorithm to the first data key address KeyAddress Encrypt to obtain the second data key address KeyAddress ', KeyAddress = Encrypt3( r 4, KeyAddress The second data key address is stored to obtain the data key address matrix.
[0076] The third encryption algorithm includes, but is not limited to, block cipher algorithms, stream cipher algorithms, public-key algorithms, and XOR. The first, second, and third encryption algorithms can be the same or different.
[0077] In the key protection step of this invention, the data key is encrypted using the server master key. Data keys for different users, services, and jobs are encrypted a second time using different data key protection keys, thus achieving data key isolation for different users, services, and jobs. The data key addresses for different users, services, and jobs are encrypted using different data key address protection keys, thus achieving isolation protection for different data key addresses. The second data key address is centrally stored to enable fast retrieval of key addresses for different users, services, and jobs, improving the efficiency of data key usage.
[0078] The key of this invention can be, but is not limited to, the following: Figure 6 The key address is stored in the manner shown. A user's key address can be stored according to the encrypted services and jobs of that user, as shown below. Figure 6 As shown, in use, the key address matrix can be retrieved according to the user, and then the encrypted key address can be retrieved according to the pseudo-identifiers of the service and job. Alternatively, other methods of storing key addresses are also within the scope of this invention.
[0079] In this embodiment, taking user C1 as an example, the user has n services, corresponding to service 1, and m job flows. These m job flows have a total of m data keys, each key corresponding one-to-one with a job in service 1, denoted as... Key 11 , ..., Key 1m The server calls the first encryption algorithm to encrypt the data key and obtains the first encrypted data key. Key ' 11 , ..., Key ' 1m The second encryption algorithm is used to encrypt the first encrypted data key to obtain the second encrypted data key. Key '' 11 , ..., Key '' 1m Store the second secret state data key Key '' 11 , ..., Key '' 1m Obtain the first data key address KeyAddress 11 , ..., KeyAddress 1m The server calls the third encryption algorithm to encrypt the first data key address to obtain the encrypted first data key address, denoted as . KeyAddress ' 11 , ..., KeyAddress '1m And they are stored one by one in the key address matrix of user C1.
[0080] For n services, each service contains less than or equal to n i There are 2 jobs. Different services contain different numbers of job packages. Assuming service s (1 < s ≤ n) contains two jobs, then the key address matrix should only contain the jobs specified in the original text. KeyAddress ' s1 , KeyAddress '2.
[0081] S4. Based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier, retrieve the encrypted storage address from the key address matrix, decrypt the encrypted storage address to obtain the storage address, retrieve the encrypted data key based on the storage address, and decrypt the encrypted data key to recover the data key.
[0082] Specifically, this step includes key retrieval and recovery steps.
[0083] First, the server retrieves the second data key address based on the user pseudo-identity, service pseudo-identity, and job pseudo-identity; it generates a data key protection key and a data key address protection key based on the user pseudo-identity, service pseudo-identity, job pseudo-identity, and master key; and it calls the decryption algorithm based on the data key address protection key and the second data key address to obtain the first data key address.
[0084] Next, the second encrypted data key is obtained by retrieving the first data key address; the first encrypted data key is obtained by calling the decryption algorithm on the second encrypted data key based on the data key protection key; and the user data key is obtained by calling the decryption algorithm on the first encrypted data key and the master key.
[0085] Furthermore, such as Figure 7 As shown, the specific implementation of the key retrieval and recovery steps includes: (1) The server is based on the user's pseudo identity. HIDu Service false label HIDs False identification of work HIV / AIDS The second data key address was retrieved. KeyAddress '; (2) The server is based on the user's pseudo identity. HIDu Service false label HIDs False identification of work HIV / AIDS and master key K Call the key export function to generate the data key and protection key. r 3=KDF( K , HIDu || HIDs || HIV / AIDS ,r 2, ID key ) and data key address protection key r 4=KDF( K , HIDu || HIDs || HIV / AIDS , r 2, ID keyAddress ); (3) The server protects the key based on the data key address. r 4. Second data key address KeyAddress 'The first data key address is obtained by calling the third decryption algorithm' KeyAddress = Decrypt3( r 4, KeyAddress '); (4) The server is based on the first data key address KeyAddress The second secret state data key was retrieved. Key ''; (5) The server protects the key based on the data key. r 3 pairs of second-secret data keys Key The first encrypted data key is obtained by calling the second decryption algorithm. Key = Decrypt2( r 3, Key ''); (6) The server is based on the first encrypted data key. Key 'and master key K The user data key is obtained by calling the first decryption algorithm. Key =Decrypt1( K , Key ').
[0086] In this invention, the key is as follows Figure 8 As shown, the top layer is the master key, securely stored on the server. All key-related operations must be performed on the server. The second layer consists of the data key protection key and the data key address protection key. The data key protection key protects the bottom-level data key, while the data key address protection key protects the data key storage address. The bottom layer is the data key, used to specifically encrypt user data.
[0087] In this embodiment, taking job 1 of service 1 as an example, the server generates a data key for the user. Key 11 To encrypt the data for this task. Assuming the data for task 1 is named 'data', it can be... Key 11 The data is encrypted using a cryptographic algorithm to obtain the encrypted data. The data key is then protected using the following method. Key 11 The first encrypted data key is obtained by encrypting the data key using the first encryption algorithm. Key ' 11 =Encrypt1( K , Key 11 Data key protection key generated based on master key; r 3=KDF( K , HIDu || HIDs || HIV / AIDS , r 2, ID key ) and data key address protection key r 4=KDF( K , HIDu || HIDs || HIV / AIDS , r 2, ID keyAddress ); Protect keys based on data keys r 3. Use the second encryption algorithm to encrypt the first encrypted data key to obtain the second encrypted data key. Key '' 11 =Encrypt2( r 3, Key ' 11 ). Assumption Key '' 11 Stored at address KeyAddress 11 In China, a key is protected based on the data key address. r 4. Call the third encryption algorithm to the first data key address KeyAddress 11 Encrypting the encrypted data key address KeyAddress ' 11 =Encrypt3( r 4, KeyAddress 11 ).
[0088] As can be seen from the above, the data key is used to protect the data generated by service 1 when performing job 1, the data protection key is used to protect the data key, the data address protection key is used to protect the address of the encrypted data key, and the master key is used to protect the data protection key and the data address protection key.
[0089] It should be noted that the encryption algorithms mentioned above include, but are not limited to, block cipher algorithms, stream cipher algorithms, public-key algorithms, and XOR.
[0090] Example 2 This invention also provides a massive key management device, such as... Figure 9 As shown, the device 10 includes: The authentication module 100 is used to respond to user access requests, verify the user's identity based on the user's identity identifier and user password, obtain the authentication result, and generate or obtain the user pseudo-identity identifier, service pseudo-identity identifier and job pseudo-identity identifier after the authentication is successful. The key generation module 200 is used to call the first random number generator to generate a data key when the authentication result indicates that the authentication is successful, and to perform multi-layer encryption processing on the data key using the master key and the data key protection key to obtain the encrypted data key. The address protection module 300 is used to store the encrypted data key, obtain the corresponding storage address, encrypt the storage address using the data key address protection key to obtain the encrypted storage address, and store the encrypted storage address into the key address matrix. The key recovery module 400 is used to retrieve the encrypted storage address from the key address matrix based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier, decrypt the encrypted storage address to obtain the storage address, retrieve the encrypted data key based on the storage address, decrypt the encrypted data key, and recover the data key.
[0091] Example 3 To implement the methods of the above embodiments, the present invention also provides a computer device, which includes a memory and a processor; wherein the processor runs a program corresponding to the executable program code by reading executable program code stored in the memory, so as to implement the various steps of the methods described above.
[0092] Example 4 To implement the above embodiments, this application also proposes a non-transitory computer-readable storage medium storing a computer program thereon, which, when executed by a processor, implements the method described in the foregoing embodiments.
[0093] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the present invention by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
[0094] In the description of this specification, the references to terms such as "one embodiment," "some embodiments," "example," "specific example," or "some examples," etc., refer to specific features, structures, materials, or characteristics described in connection with that embodiment or example, which are included in at least one embodiment or example of the present invention. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments or examples described in this specification, as well as the features of different embodiments or examples.
[0095] Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one of that feature. In the description of this invention, "a plurality of" means at least two, such as two, three, etc., unless otherwise explicitly specified.
Claims
1. A method for managing massive amounts of keys, characterized in that, Includes the following steps: In response to a user access request, the system verifies the user's identity based on the user's identity identifier and password, obtains the identity verification result, and generates or obtains the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier after successful verification. When the authentication result indicates that the authentication is successful, the first random number generator is invoked to generate a data key, and the data key is encrypted using the master key and the data key protection key to obtain the encrypted data key; The encrypted data key is stored to obtain the corresponding storage address. The storage address is then encrypted using the data key address protection key to obtain the encrypted storage address. The encrypted storage address is then stored in the key address matrix. Based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier, the encrypted storage address is retrieved from the key address matrix. The encrypted storage address is then decrypted to obtain the storage address. Based on the storage address, the encrypted data key is retrieved and decrypted to recover the data key.
2. The method according to claim 1, characterized in that, The process of responding to a user access request by verifying the user's identity based on the user's identifier and password, and obtaining an authentication result, includes: During registration, the user generates a pseudo-identity and pseudo-password based on the user's identity identifier and password and sends them to the server; the server generates a temporary identity identifier, authentication parameters and authentication credentials, returns the temporary identity identifier and authentication credentials to the user, and stores the temporary identity identifier, user pseudo-identity identifier and authentication parameters. Upon login, the user regenerates a pseudo-password based on the user identity identifier and user password, and performs a consistency comparison with the stored authentication credentials. After the comparison is successful, the user generates an authentication message and sends the temporary identity identifier, service pseudo-identifier, job pseudo-identifier, and authentication message to the server.
3. The method according to claim 2, characterized in that, The step of responding to a user access request, verifying the user's identity based on the user's identifier and password, and obtaining an authentication result, further includes: The server receives the temporary identity identifier, service pseudo identifier, job pseudo identifier, and authentication message. Based on the temporary identity identifier, it retrieves the stored authentication parameters and verifies the authentication message. After successful verification, it obtains the user pseudo identity identifier, service pseudo identifier, and job pseudo identifier, and obtains the result of successful identity verification.
4. The method according to claim 1, characterized in that, When the authentication result indicates successful authentication, a first random number generator is invoked to generate a data key, and the data key is subjected to multi-layer encryption using a master key and a data key protection key to obtain a encrypted data key, including: The server calls the first random number generator to generate the data key; The server uses the master key to call the first encryption algorithm to encrypt the data key to obtain the first encrypted data key; The server generates a data key protection key based on the user pseudo-identity identifier, service pseudo-identity identifier, job pseudo-identity identifier and master key. Based on the data key protection key, the server calls a second encryption algorithm to encrypt the first encrypted data key to generate a second encrypted data key, and uses the second encrypted data key as the encrypted data key.
5. The method according to claim 1, characterized in that, The process of storing the encrypted data key to obtain the corresponding storage address, encrypting the storage address using the data key address protection key to obtain the encrypted storage address, and storing the encrypted storage address into the key address matrix includes: The server stores the second encrypted data key to obtain the address of the first data key, and uses the address of the first data key as the storage address of the encrypted data key; The server generates a data key address protection key by calling the key export function based on the user pseudo-identity identifier, service pseudo-identity identifier, job pseudo-identity identifier and master key. The server calls a third encryption algorithm based on the data key address protection key to encrypt the first data key address to obtain the second data key address, and uses the second data key address as the encrypted storage address; The server stores the second data key address into a key address matrix, wherein the key address matrix is a data key address matrix.
6. The method according to claim 1, characterized in that, The process of retrieving the encrypted storage address from the key address matrix based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier; decrypting the encrypted storage address to obtain the storage address; retrieving the encrypted data key based on the storage address; and decrypting the encrypted data key to recover the data key includes: The server retrieves the second data key address from the key address matrix based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier. The server decrypts the second data key address based on the data key address protection key to obtain the first data key address, and retrieves the second encrypted data key based on the first data key address. The server decrypts the second encrypted data key using the data key protection key to obtain the first encrypted data key, and then decrypts the first encrypted data key using the master key to obtain the data key.
7. The method according to claim 5, characterized in that, The server stores the second data key address into the key address matrix, including: The server stores the second data key address into the user data key address matrix according to the user's pseudo-identity identifier; The server stores the second data key address into the cell of the data key address matrix according to the service pseudo-identifier and the job pseudo-identifier.
8. A massive key management device, characterized in that, The device includes: The authentication module is used to respond to user access requests, verify the user's identity based on the user's identity identifier and password, obtain the authentication result, and generate or obtain the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier after successful authentication. The key generation module is used to call the first random number generator to generate a data key when the authentication result indicates that the authentication is successful, and to perform multi-layer encryption processing on the data key using the master key and the data key protection key to obtain the encrypted data key; The address protection module is used to store the encrypted data key, obtain the corresponding storage address, encrypt the storage address using the data key address protection key to obtain the encrypted storage address, and store the encrypted storage address into the key address matrix. The key recovery module is used to retrieve the encrypted storage address from the key address matrix based on the user pseudo-identity identifier, service pseudo-identity identifier, and job pseudo-identity identifier; decrypt the encrypted storage address to obtain the storage address; retrieve the encrypted data key based on the storage address; decrypt the encrypted data key to recover the data key.
9. A computer device, characterized in that, Including processor and memory; The processor reads executable program code stored in the memory to run a program corresponding to the executable program code, so as to implement a massive key management method as described in any one of claims 1-7.
10. A non-transitory computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements a massive key management method as described in any one of claims 1-7.