A key efficient management method based on a national secret algorithm
By generating protection keys in secure encryption hardware and combining them with national cryptographic algorithms and database transaction mechanisms, the problem of single key generation and protection mechanisms and insufficient atomicity of storage and operation in existing key management methods is solved, achieving efficient and secure key management that is suitable for high-security information systems.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING CATHAY INTERNET INFORMATION TECH CO LTD
- Filing Date
- 2026-04-16
- Publication Date
- 2026-07-14
Smart Images

Figure CN122394775A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of information security and data storage technology, specifically to an efficient key management method based on Chinese national cryptographic algorithms. Background Technology
[0002] In today's information age, keys are the core element of data encryption and identity authentication. Their security protection level directly determines the security baseline of the entire information system. With the iterative upgrading of network attack technology, the security risks of key leakage, tampering, and theft are becoming increasingly prominent. How to build a highly reliable key security storage system has become a core technical problem that urgently needs to be solved in the field of information security.
[0003] Existing key management methods based on national cryptographic algorithms have several shortcomings: First, the key generation and protection mechanisms are simplistic, often relying on a fixed master key to directly encrypt and protect working keys. If the master key is leaked, all working keys become invalid. Second, the atomicity of key storage and operations cannot be guaranteed. When storing keys in traditional databases, in case of power outages, network interruptions, or other abnormal situations, key data inconsistencies, loss, or tampering can easily occur. Third, the fault tolerance and traceability of key operations are insufficient. There is a lack of effective logging and timeout control mechanisms, making it difficult to quickly locate problems and trace operational behavior when key operations time out or malfunction. Fourth, key management is inefficient. In scenarios with multiple concurrent terminals, resource contention and response delays are common, failing to meet the needs of large-scale key management.
[0004] Therefore, in view of this, the present invention proposes a key management method based on the national cryptographic algorithm to make up for and improve the shortcomings of the existing technology. Summary of the Invention
[0005] To address the aforementioned technical problems, this invention provides a key management method based on national cryptographic algorithms that can ensure the security of key data used by multiple users while also meeting the timeliness requirements of business systems in processing transactions, thereby resolving the corresponding technical problems mentioned in the background section.
[0006] To achieve the above objectives, the technical solution adopted by this invention is: an efficient key management method based on national cryptographic algorithms, comprising the following steps: Step 1: Generate the master key MK and store it in secure encryption hardware. It can only be accessed through the hardware interface. Use the master key to encrypt and transform it using the national cryptographic algorithm to obtain the protection key PK1. Step 2: The administrator enters the protection password and the key ciphertext data to be stored, and uses the SM3 algorithm to calculate the input protection password to obtain the protection key PK2. The key KEY is obtained by decrypting the key ciphertext to be stored using the protection key PK2. The protection key PK1 uses the CBC encryption mode of the SM4 algorithm to encrypt the key KEY to be stored to obtain a new key ciphertext. The verification value of the key to be stored is calculated using the SM3 algorithm. Step 3: In the database storing keys, construct multiple key storage tables according to different key types. The fields of the tables include key index number, key ciphertext data, key creation time, key attributes, key verification value, and extended fields. Configure parameters for database transactions, determine the transaction isolation level, transaction timeout threshold, and transaction rollback triggering conditions, set the transaction isolation level to repeatable read, enable database WAL mode, and configure the checkpoint mechanism. Step 4: When performing the key storage operation, start a write transaction, complete the writing operation of the encryption key data within the transaction boundary, and insert all the associated information of the key into the corresponding key storage table; Step 5: Periodically back up the encrypted key data in the key storage table, use the protection key PK1 to perform secondary encryption on the key data file, and store it in a separate backup server.
[0007] As a preferred option, In step one, Perform an SM3 hash operation on the master key to obtain the master key's hash. Extract the first 16 bytes of the hash as the key. Encrypt the protection factor S with SM4 to obtain the protection key PK1, i.e., PK1 = SM4_Enc(SM3(MK),S). The protection factor is a fixed value stored in the system configuration file and can only be modified by specific administrators after authorization. The protection key PK1 encrypts and protects the key KEY to be stored.
[0008] As a preferred option, In step two, The SM3 algorithm is used to calculate the hash value of the unique serial number or system version information data of the business system, and the last 16 bytes of the hash value are extracted as the initial vector. If the length of the key to be stored does not meet the encryption requirements of the SM4 algorithm, it is padded using the PKCS#5 method before encryption.
[0009] As a preferred option, In step three, The WAL log records all data modification operations during the execution of a transaction; By leveraging the checkpoint mechanism, committed transaction data in the WAL log is periodically written to the data file, freeing up log space and optimizing data recovery efficiency.
[0010] As a preferred option, In step four, All associated information about the key is stored in the form of a corresponding hexadecimal string; After the data is written, a data integrity check is performed. The check includes verification of the integrity and validity of the basic field content. The check process is as follows: If the verification passes, the transaction is committed and the data is written to the WAL log file. If the checkpoint threshold is reached, all data in the WAL log file is permanently written to the data file and the WAL log file is cleared in a timely manner. If the verification fails, the transaction rollback mechanism is triggered, which undoes all write operations performed within the transaction based on the WAL log and restores the database to its initial state before the transaction started.
[0011] As a preferred option, In step two, If only the key data is accessed, the database read-only operation is used directly. After the key data is successfully read, the SM4 decryption algorithm and decryption parameters corresponding to the encryption step are used to decrypt the key ciphertext data to restore the original key data. At the same time, the check value of the key data is calculated and compared with the check value stored in the database. After the verification is passed, the stored key KEY is exported by encrypting it with the SM4 algorithm using the protection key PK2. If key data needs to be modified, a read-write transaction is initiated. The key data is updated within the transaction boundary. After the update is completed, a data consistency check is performed. The check includes the integrity and validity of the basic field content. If the check passes, the transaction is committed. If the check fails, the transaction is rolled back. Data conflicts are avoided through concurrent transaction management.
[0012] As a preferred option, In step four, When a transaction timeout, data conflict, or system failure occurs, the transaction rollback mechanism is automatically triggered. Combined with the checkpoint mechanism, the most recent valid data snapshot is located. Based on the WAL log, all operations during the transaction execution process are traced. Starting from the checkpoint snapshot, the log is replayed to complete data recovery and transaction rollback, undoing all modifications within the transaction. At the same time, an exception log is generated, recording key log information, and an alarm notification is sent to the system operation and maintenance node.
[0013] Compared with existing technologies, the beneficial effects of this invention are as follows: A master key MK is generated and stored in secure encryption hardware. The master key is used to encrypt and transform the encrypted data using a national cryptographic algorithm to obtain a protection key PK1. An administrator inputs a protection password and the ciphertext data of the key to be stored. The SM3 algorithm is used to calculate the protection key PK2 based on the input protection password. The ciphertext of the key to be stored is decrypted using the protection key PK2 to obtain the key KEY. The protection key PK1 is then encrypted using the CBC encryption mode of the SM4 algorithm to obtain a new ciphertext key. The SM3 algorithm is used to calculate the checksum of the key to be stored. The data is then stored in the key data. In the database, multiple key storage tables are built according to different key types. Database transactions are configured with parameters to determine the transaction isolation level, transaction timeout threshold, and transaction rollback triggering conditions. The transaction isolation level is set to repeatable read, the database WAL mode is enabled, and a checkpoint mechanism is configured. When executing key storage operations, a write transaction is started, and the writing operation of encrypted key data is completed within the transaction boundary. All related information of the key is inserted into the corresponding key storage table. The encrypted key data in the key storage table is periodically backed up. The key data file is encrypted twice using the protection key PK1 and stored on a separate backup server. By employing a protection key and a national cryptographic algorithm to encrypt the key data, the generation method of the protection key PK1 is fixed and depends on the master key and the protection factor S, while the generation method of the protection key PK2 is determined by the password passed by the administrator. This achieves complete autonomy and control over the protection key and encryption algorithm. At the same time, the storage and access of the key are all performed in ciphertext form, which greatly improves the security of the key. By adopting a database transaction mechanism, combined with WAL log mode and dual checkpoint mechanism, efficient concurrency control in the key storage and access process is achieved, avoiding problems such as data write failure caused by multi-process concurrent access. At the same time, the transaction exception handling mechanism based on WAL log improves the efficiency of fault diagnosis through checkpoints and exception logs. By combining a key backup mechanism and using the SM2 asymmetric encryption algorithm to encrypt the backup data file a second time, a dual security protection system is constructed, which significantly improves the disaster recovery capability and security protection level of key data. As a result, this invention is applicable to various high-security information systems and has broad application prospects. Attached Figure Description
[0014] Figure 1 This is a schematic diagram of the overall structure of a preferred embodiment of the present invention; Figure 2 This is a flowchart illustrating the key storage and key access process of this invention. Figure 3This is a schematic diagram illustrating the working principle of transactional storage of encrypted key data as shown in this invention. Figure 4 This is a schematic diagram illustrating the working principle of key access and transaction control as shown in this invention. Detailed Implementation
[0015] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0016] Embodiments of the present invention: Please refer to Figures 1 to 4 As shown, an efficient key management method based on the Chinese national cryptographic algorithm includes the following steps: Step 1: Key Generation and Initial Preprocessing: Generate the master key MK (SM4 symmetric key) and store it in secure encryption hardware. It can only be accessed through the hardware interface. Use the master key to encrypt and transform it using the national cryptographic algorithm to obtain the protection key PK1. Step 2: Encrypt the protection key: First, the administrator enters the protection password and the key ciphertext data to be stored, and uses the SM3 algorithm to calculate the input protection password to obtain the protection key PK2. Then, the protection key PK2 is used to decrypt the key ciphertext to be stored to obtain the key KEY. The protection key PK1 uses the CBC (Civic Block Chaining) encryption mode of the SM4 algorithm to encrypt the key KEY to be stored to obtain the new key ciphertext. Step 3: Database Initialization: In the database storing keys, multiple key storage tables are built according to different key types. The fields of the tables include key index number, key ciphertext data, key creation time, key attributes, key verification value, and other core information such as extended fields, so as to realize fine-grained full lifecycle management of keys. At the same time, the database transaction parameter configuration is completed, focusing on clarifying key parameters such as transaction isolation level, transaction timeout threshold, and transaction rollback triggering conditions. The database WAL (Write-Ahead Logging) mode is enabled and the checkpoint mechanism is configured. Step 4: Transactional storage of encryption key data: When performing key storage operations, a write transaction is initiated, and the writing operation of encryption key data is completed strictly within the transaction boundary. Combined with WAL log mode, "log-first writing" is achieved. The specific process is as follows: insert all the associated information of the key into the corresponding key storage table. Key Access and Transaction Control: To ensure the security of the exported key, the administrator enters a protection password and calculates the protection key PK2 using the SM3 algorithm. Then, the stored key KEY is encrypted and exported using this key. The specific process is as follows: If only the key data is accessed, a read-only operation is used directly in the database. After the key data is successfully read, the SM4 decryption algorithm and decryption parameters corresponding to the encryption step are used to decrypt the key ciphertext data to restore the original key data. At the same time, the check value of the key data is calculated and compared with the check value stored in the database. After the verification is passed, the stored key KEY is encrypted and exported using the SM4 algorithm with the protection key PK2. If key data needs to be modified, a read-write transaction is started. The key data is updated within the transaction boundary. After the update is completed, a data consistency check is performed. The check includes the integrity and legality of the basic field content. If the check passes, the transaction is committed. If the check fails, the transaction is rolled back. Data conflicts are avoided through concurrent transaction management. Transaction anomaly handling: When a transaction times out, data conflict, or system failure occurs, the transaction rollback mechanism is automatically triggered. Combined with the checkpoint mechanism, the most recent valid data snapshot is located. Based on the WAL log, all operations during the transaction execution process are traced. Starting from the checkpoint snapshot, the log is replayed to complete data recovery and transaction rollback, undoing all modifications within the transaction. At the same time, an anomaly log is generated, recording key log information, and alarm notifications are sent to the system operation and maintenance nodes, enabling rapid response and handling of anomalies. With the help of the WAL log and checkpoint mechanism, the efficiency of fault diagnosis is improved. Step 5: Periodically back up the encrypted key data in the key storage table, use the protection key PK1 to perform secondary encryption on the key data file, and store it in an independent backup server to form a dual security protection system of "encrypted storage + encrypted backup" to further improve the security of key data.
[0017] In step one, Perform an SM3 hash operation on the master key to obtain the master key's hash. Extract the first 16 bytes of the hash as the key. Encrypt the protection factor S with SM4 to obtain the protection key PK1, i.e., PK1 = SM4_Enc(SM3(MK),S). The protection factor is a fixed value stored in the system configuration file and can only be modified by specific administrators after authorization. The protection key PK1 encrypts and protects the key KEY to be stored.
[0018] In step two, The SM3 algorithm is used to calculate the hash value of the unique serial number or system version information data of the business system, and the last 16 bytes of the hash value are extracted as the initial vector (IV). If the length of the key to be stored does not meet the encryption requirements of the SM4 algorithm, it is padded using the PKCS#5 method before encryption. To verify the integrity of the key data later, the SM3 algorithm is used to calculate the checksum of the key to be stored.
[0019] In step three, The WAL log records all data modification operations during the execution of a transaction; By using the checkpoint mechanism, committed transaction data in the WAL log is periodically written to the data file, freeing up log space and optimizing data recovery efficiency; Specifically, setting the transaction isolation level to repeatable read, combined with WAL log mode and checkpoint mechanism, ensures data consistency and transaction durability during concurrent transactions.
[0020] In step four, All associated information about the key is stored in the form of a corresponding hexadecimal string, which enhances the readability of the data; After the data is written, a data integrity check is performed. This check includes verifying the integrity and validity of the basic field content. The check process is as follows: If the verification passes, the transaction is committed, and the data is written to the WAL log file. If the checkpoint threshold is reached, all data in the WAL log file is permanently written to the data file, and the WAL log file is cleared in time. If the validation fails (e.g., due to missing data, abnormal format, etc.), the transaction rollback mechanism is triggered, which undoes all write operations performed within the transaction based on the WAL log and restores the database to the initial state before the transaction started. Meanwhile, the transaction timeout threshold is set to 3-5 seconds (which can be adjusted according to actual business conditions), the number of retries is 2-3, the WAL log adopts a circular overwrite strategy and retains the log data of the most recent 7 days, and the checkpoint mechanism is set to a combination of manual triggering (once every 30 minutes) and automatic triggering (when the WAL log reaches the preset threshold) to ensure transaction durability and efficient use of system resources.
[0021] A master key MK is generated and stored in secure encryption hardware. The master key is used to encrypt and transform the encrypted key using a national cryptographic algorithm to obtain the protection key PK1. The administrator inputs a protection password and the ciphertext data of the key to be stored, and the SM3 algorithm is used to calculate the protection key PK2. The ciphertext of the key to be stored is decrypted using the protection key PK2 to obtain the key KEY. The protection key PK1 uses the CBC encryption mode of the SM4 algorithm to encrypt the key KEY to be stored, obtaining a new ciphertext key. The SM3 algorithm is used to calculate the checksum of the key to be stored. In the database storing the keys, multiple key storage tables are constructed according to different key types. Database transaction parameters are configured to determine the transaction isolation level, transaction timeout threshold, and transaction rollback trigger conditions. The transaction isolation level is set to repeatable read, the database WAL mode is enabled, and a checkpoint mechanism is configured. When executing key storage operations, a write transaction is initiated, and the encrypted key data is written within the transaction boundary. All associated information of the key is inserted into the corresponding key storage table. The encrypted key data in the key storage table is periodically backed up. The key data file is then encrypted a second time using the protection key PK1 and stored on a separate backup server. By employing a protection key and a national cryptographic algorithm to encrypt the key data, the generation method of the protection key PK1 is fixed and depends on the master key and the protection factor S, while the generation method of the protection key PK2 is determined by the password passed by the administrator. This achieves complete autonomy and control over the protection key and encryption algorithm. At the same time, the storage and access of the key are all performed in ciphertext form, which greatly improves the security of the key. By adopting a database transaction mechanism, combined with WAL log mode and dual checkpoint mechanism, efficient concurrency control in the key storage and access process is achieved, avoiding problems such as data write failure caused by multi-process concurrent access. At the same time, the transaction exception handling mechanism based on WAL log improves the efficiency of fault diagnosis through checkpoints and exception logs. By combining a key backup mechanism and using the SM2 asymmetric encryption algorithm to encrypt the backup data file a second time, a dual security protection system is constructed, which significantly improves the disaster recovery capability and security protection level of key data. As a result, this invention is applicable to various high-security information systems and has broad application prospects.
[0022] The size of the interval and threshold is set to facilitate comparison. The size of the threshold depends on the amount of sample data and the number of bases set by those skilled in the art for each set of sample data; as long as it does not affect the ratio between the parameter and the quantized value.
[0023] The above formulas are all dimensionless calculations. The formulas are derived from software simulations based on a large amount of collected data to obtain the most recent real-world results. The preset parameters in the formulas are set by those skilled in the art according to the actual situation. In the two embodiments provided in this application, it should be understood that the disclosed apparatus and system can be implemented in other ways; for example, the apparatus embodiments described above are merely illustrative, and the division of modules is merely a logical functional division. In actual implementation, there may be other division methods, such as multiple modules or components can be combined or integrated into another system, or some features can be ignored or not executed; furthermore, the coupling or direct coupling or communication connection between the shown or discussed mutuals can be through some interfaces, and the indirect coupling or communication connection between the apparatus or modules can be electrical, mechanical or other forms. The above description is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any equivalent substitutions or modifications made by those skilled in the art within the scope of the technology disclosed in the present invention, based on the technical solution and inventive concept of the present invention, should be covered within the scope of protection of the present invention.
Claims
1. A method for efficient key management based on Chinese national cryptographic algorithms, characterized in that, Includes the following steps: Step 1: Generate the master key MK and store it in secure encryption hardware. It can only be accessed through the hardware interface. Use the master key to encrypt and transform it using the national cryptographic algorithm to obtain the protection key PK1. Step 2: The administrator enters the protection password and the key ciphertext data to be stored, and uses the SM3 algorithm to calculate the input protection password to obtain the protection key PK2. The key KEY is obtained by decrypting the key ciphertext to be stored using the protection key PK2. The protection key PK1 uses the CBC encryption mode of the SM4 algorithm to encrypt the key KEY to be stored to obtain a new key ciphertext. The verification value of the key to be stored is calculated using the SM3 algorithm. Step 3: In the database storing keys, construct multiple key storage tables according to different key types. The fields of the tables include key index number, key ciphertext data, key creation time, key attributes, key verification value, and extended fields. Configure parameters for database transactions, determine the transaction isolation level, transaction timeout threshold, and transaction rollback triggering conditions, set the transaction isolation level to repeatable read, enable database WAL mode, and configure the checkpoint mechanism. Step 4: When performing the key storage operation, start a write transaction, complete the writing operation of the encryption key data within the transaction boundary, and insert all the associated information of the key into the corresponding key storage table; Step 5: Periodically back up the encrypted key data in the key storage table, use the protection key PK1 to perform secondary encryption on the key data file, and store it in a separate backup server.
2. The method for efficient key management based on national cryptographic algorithms according to claim 1, characterized in that, In step one, Perform an SM3 hash operation on the master key to obtain the master key's hash. Extract the first 16 bytes of the hash as the key. Encrypt the protection factor S with SM4 to obtain the protection key PK1, i.e., PK1 = SM4_Enc(SM3(MK),S). The protection factor is a fixed value stored in the system configuration file and can only be modified by specific administrators after authorization. The protection key PK1 encrypts and protects the key KEY to be stored.
3. The efficient key management method based on the national cryptographic algorithm according to claim 2, characterized in that, In step two, The SM3 algorithm is used to calculate the hash value of the unique serial number or system version information data of the business system, and the last 16 bytes of the hash value are extracted as the initial vector. If the length of the key to be stored does not meet the encryption requirements of the SM4 algorithm, it is padded using the PKCS#5 method before encryption.
4. The efficient key management method based on the national cryptographic algorithm according to claim 3, characterized in that, In step three, The WAL log records all data modification operations during the execution of a transaction; By leveraging the checkpoint mechanism, committed transaction data in the WAL log is periodically written to the data file, freeing up log space and optimizing data recovery efficiency.
5. The efficient key management method based on the national cryptographic algorithm according to claim 4, characterized in that, In step four, All associated information about the key is stored in the form of a corresponding hexadecimal string; After the data is written, a data integrity check is performed. The check includes verification of the integrity and validity of the basic field content. The check process is as follows: If the verification passes, the transaction is committed and the data is written to the WAL log file. If the checkpoint threshold is reached, all data in the WAL log file is permanently written to the data file and the WAL log file is cleared in a timely manner. If the verification fails, the transaction rollback mechanism is triggered, which undoes all write operations performed within the transaction based on the WAL log and restores the database to its initial state before the transaction started.
6. The method for efficient key management based on the national cryptographic algorithm according to claim 5, characterized in that, In step two, If only the key data is accessed, the database read-only operation is used directly. After the key data is successfully read, the SM4 decryption algorithm and decryption parameters corresponding to the encryption step are used to decrypt the key ciphertext data to restore the original key data. At the same time, the check value of the key data is calculated and compared with the check value stored in the database. After the verification is passed, the stored key KEY is exported by encrypting it with the SM4 algorithm using the protection key PK2. If key data needs to be modified, a read-write transaction is initiated. The key data is updated within the transaction boundary. After the update is completed, a data consistency check is performed. The check includes the integrity and validity of the basic field content. If the check passes, the transaction is committed. If the check fails, the transaction is rolled back. Data conflicts are avoided through concurrent transaction management.
7. The method for efficient key management based on the national cryptographic algorithm according to claim 6, characterized in that, In step four, When a transaction timeout, data conflict, or system failure occurs, the transaction rollback mechanism is automatically triggered, and combined with the checkpoint mechanism, the most recent valid data snapshot is located. Based on WAL logs, all operations during the transaction execution process are traced. Starting from the checkpoint snapshot, the logs are replayed to complete data recovery and transaction rollback, undoing all modifications within the transaction. At the same time, an exception log is generated, key log information is recorded, and alarm notifications are sent to the system operation and maintenance nodes.