CN105429752B - Method and system for processing user key in cloud environment - Google Patents

Method and system for processing user key in cloud environment

Publication number
CN105429752B
Authority
CN
China
Prior art keywords
key
encryption
user
encrypted
decryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510764378.3A
Other languages
Chinese (zh)
Other versions
CN105429752A (en)
Inventor
雷波
董贵山
王运兵
侯建宁
雷震宇
冷青松
刘俊波
王�锋
唐中乾
陈德勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CETC 30 Research Institute
Priority to CN201510764378.3A
Publication of CN105429752A
Application granted
Publication of CN105429752B
Active
Anticipated expiration


Abstract

This application provides a method for processing user keys in a cloud environment: receiving a request instruction for obtaining a key for encrypting target data, the request instruction including the access authority list and the encryption domain of the key; generating a key matching the request instruction; assigning a key ID to the key; and sending the key ID to the user terminal. The user sets the access authority list and the encryption domain of the key in the request instruction. The access authority list restricts which users may access the key, so that only users on the list have access rights, and the encryption domain restricts the access that devices in the cloud have to the user key, so that only the user can control their keys in the cloud and the operations performed by the cloud hardware devices. The key circulates only within the cloud cryptographic hardware devices delimited by the encryption domain, so that key management and key use are securely isolated between users, thereby improving the security of stored user private data.

Description

Method and system for processing user key in cloud environment

Technical field

The present application relates to the field of computers, and in particular to a method and system for processing user keys in a cloud environment.

Background

With the development of technology, the requirements placed on the processing of user keys in cloud environments keep rising.

In a cloud environment, a password set by the user is usually used as the encryption key for the user's private data, or the password is used to encrypt and protect the encryption key of the private data, which is then stored on the cloud server. However, passwords set by users are often simple and easy to crack, which leads to leakage of private data.

Therefore, how to encrypt user private data effectively and ensure its security is a technical problem that those skilled in the art currently need to solve.

Summary of the invention

The technical problem to be solved by this application is to provide a method and system for processing user keys in a cloud environment, solving the prior-art problem that passwords set by users are often simple and easy to crack, which leads to leakage of private data.

The specific scheme is as follows:

A method for processing user keys in a cloud environment, the method comprising:

receiving a request instruction for obtaining a key for encrypting target data, the request instruction including an access authority list and an encryption domain of the key;

generating a key matching the request instruction;

assigning a key ID to the key;

sending the key ID of the key to the user terminal.

The above method further comprises:

obtaining an encryption request instruction for encrypting the target data, the encryption request instruction including the key ID;

obtaining a device for encryption within the encryption domain;

encrypting the key used for encryption with the public key of the device for encryption;

sending the encrypted key to the device for encryption, which performs the corresponding encryption operation and saves the encrypted target data in the cloud.

The above method further comprises:

when the target data is data stored in the cloud environment, further:

obtaining the user PIN;

performing an operation on the PIN and the key, and using the result of the operation as the final key.

The above method further comprises:

receiving a decryption request instruction for decrypting the target data, the decryption request instruction including a user ID and the key ID;

checking whether the user ID is in the access authority list of the key;

performing the decryption operation when the user ID is in the access authority list of the key.

In the above method, performing the decryption operation comprises:

obtaining a device for decryption within the encryption domain;

encrypting the key used for decryption with the public key of the device for decryption;

sending the encrypted key to the device for decryption, which performs the corresponding decryption operation.

A system for processing user keys in a cloud environment, the system comprising:

a first receiving unit, configured to receive a request instruction for obtaining a key for encrypting target data, the request instruction including an access authority list and an encryption domain of the key;

a generating unit, configured to generate a key matching the request instruction;

an allocation unit, configured to assign a key ID to the key;

a first sending unit, configured to send the key ID of the key to the user terminal.

The above system further comprises:

a first obtaining unit, configured to obtain an encryption request instruction for encrypting the target data, the encryption request instruction including the key ID;

a second obtaining unit, configured to obtain a device for encryption within the encryption domain;

a first encryption unit, configured to encrypt the key used for encryption with the public key of the device for encryption;

a second sending unit, configured to send the encrypted key to the device for encryption, which performs the corresponding encryption operation and saves the encrypted target data in the cloud.

The above system, when the target data in the receiving unit is data stored in the cloud environment, further comprises:

a third obtaining unit, configured to obtain the user PIN;

a calculation unit, configured to perform an operation on the PIN and the key, and to use the result of the operation as the final key.

The above system further comprises:

a second receiving unit, configured to receive a decryption request instruction for decrypting the target data, the decryption request instruction including a user ID;

a checking unit, configured to check whether the user ID is in the access authority list of the key;

a decryption unit, configured to perform the decryption operation when the user ID is in the access authority list of the key.

In the above system, the decryption unit comprises:

a fourth obtaining unit, configured to obtain a device for decryption within the encryption domain;

a second encryption unit, configured to encrypt the key used for decryption with the public key of the device for decryption;

a third sending unit, configured to send the encrypted key to the device for decryption, which performs the corresponding decryption operation.

In the method for processing user keys in a cloud environment provided by this application, a request instruction for obtaining a key for encrypting target data is received, the request instruction including the access authority list and the encryption domain of the key; a key matching the request instruction is generated; a key ID is assigned to the key; and the key ID of the key is sent to the user terminal. In this application, the user sets the access authority list and the encryption domain of the key in the request instruction. The access authority list restricts which users may access the key, so that only users on the list have access rights, and the encryption domain restricts the access that devices in the cloud have to the user key, so that only the user can control their keys in the cloud and the operations performed by the cloud hardware devices. The key circulates only within the cloud cryptographic hardware devices delimited by the encryption domain, so that key management and key use are securely isolated between users, thereby improving the security of stored user private data.

Description of drawings

To explain the technical solutions in the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a flow chart of Embodiment 1 of a method for processing user keys in a cloud environment of the present application;

Fig. 2 is a flow chart of Embodiment 2 of a method for processing user keys in a cloud environment of the present application;

Fig. 3 is a flow chart of Embodiment 3 of a method for processing user keys in a cloud environment of the present application;

Fig. 4 is a schematic structural diagram of Embodiment 1 of a system for processing user keys in a cloud environment of the present application;

Fig. 5 is a schematic diagram of a specific application of user key processing in a cloud environment of the present application.

Detailed description

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in this application without creative effort fall within the scope of protection of this application.

Referring to Fig. 1, which shows a flow chart of Embodiment 1 of a method for processing user keys in a cloud environment of the present application, the method may include the following steps:

Step S101: receive a request instruction for obtaining a key for encrypting target data, the request instruction including the access authority list and the encryption domain of the key.

In this application, the user's encryption keys are generated and managed centrally by the devices in the cloud environment. Before encrypting private data, the user sends a request instruction for obtaining an encryption key to the cloud environment, and a device in the cloud environment then generates the encryption key the user needs.

To ensure the security of user information, the user sets, in the request instruction sent to the cloud environment, the access authority list of the key and the encryption domain (that is, the area or the devices in which the key may be used).

The access authority list ensures that only users on the list can use the key to access the encrypted data. The encryption domain ensures that the key can only be used inside the encryption domain; areas or devices outside the encryption domain cannot use the key.

Step S102: generate a key matching the request instruction.

After receiving the user's request instruction for obtaining an encryption key, the device in the cloud environment generates the corresponding key according to the information included in the request instruction, such as the target data, the access authority list of the key and the encryption domain. Both the users and the area of use of this key are restricted.

Step S103: assign a key ID to the key.

A key ID is assigned to each generated encryption key. Each encryption key has one and only one key ID, and different encryption keys have different key IDs.

Step S104: send the key ID of the key to the user terminal.

Finally, the device in the cloud environment sends the key ID to the user, who afterwards only needs the key ID to perform key operations.

In the method for processing user keys in a cloud environment provided by this application, the user sets the access authority list and the encryption domain of the key in the request instruction. The access authority list restricts which users may access the key, so that only users on the list have access rights, and the encryption domain restricts the access that devices in the cloud have to the user key, so that only the user can control their keys in the cloud and the operations performed by the cloud hardware devices. The key circulates only within the cloud cryptographic hardware devices delimited by the encryption domain, so that key management and key use are securely isolated between users, thereby improving the security of stored user private data.

Referring to Fig. 2, which shows a flow chart of Embodiment 2 of a method for processing user keys in a cloud environment of the present application, the method may include the following steps:

Step S201: obtain an encryption request instruction for encrypting the target data, the encryption request instruction including the key ID.

In this application, the encryption of the user's private data is managed centrally by the devices in the cloud environment. When the user needs to encrypt private data, the user, having obtained the encryption key, sends an encryption request instruction for the private data to the device in the cloud environment.

The encryption request instruction includes the key ID, so that the device in the cloud environment encrypts the private data with the key provided by the user.

Step S202: obtain a device for encryption within the encryption domain.

After obtaining the encryption request instruction, the device in the cloud environment selects, from the devices in the key's encryption domain, the device that will encrypt the private data for the user.

Step S203: encrypt the key used for encryption with the public key of the device for encryption.

Step S204: send the encrypted key to the device for encryption, which performs the corresponding encryption operation and saves the encrypted target data in the cloud.

Sending the encrypted key to the device for encryption ensures that only the device that performs the encryption operation can carry out the user's encryption operation, which guarantees the security of that operation.

In this application, when the target data is only stored in the cloud environment, the method further includes:

Obtain the user PIN.

Perform an operation on the PIN and the key, and use the result of the operation as the final key.

For data that the user stores in the cloud environment and does not need to exchange with other users, the encryption key is computed from the PIN held by the user and the random key material generated by the device in the cloud environment, ensuring that only the user holds the complete key.

Referring to Fig. 3, which shows a flow chart of Embodiment 3 of a method for processing user keys in a cloud environment of the present application, the method may include the following steps:

Step S301: receive a decryption request instruction for decrypting the target data, the decryption request instruction including a user ID and the key ID.

When another user needs to access data encrypted by the current user, that user sends a decryption request instruction to the device in the cloud environment. The decryption request instruction must include the user ID of the user requesting access to the data and the key ID.

Users exchange keys with each other by key ID; the user's application system never touches the key ciphertext.

Step S302: check whether the user ID is in the access authority list of the key.

The user requesting access to the data is checked to determine whether that user's ID is in the access authority list of the key.

Step S303: when the user ID is in the access authority list of the key, perform the decryption operation.

The accessed data can be decrypted only when the user's ID is in the access authority list of the key, that is, when the user requesting access has access rights. Otherwise, the requesting user is not allowed to access the data.

The decryption operation specifically includes:

Obtain a device for decryption within the encryption domain.

Encrypt the key used for decryption with the public key of the device for decryption.

Send the encrypted key to the device for decryption, which performs the corresponding decryption operation.

Corresponding to the method provided in Embodiment 1 of the method for processing user keys in a cloud environment above, and referring to Fig. 4, this application also provides Embodiment 1 of a system for processing user keys in a cloud environment. In this embodiment, the system includes:

A first receiving unit 401, configured to receive a request instruction for obtaining a key for encrypting target data, the request instruction including the access authority list and the encryption domain of the key.

A generating unit 402, configured to generate a key matching the request instruction.

An allocation unit 403, configured to assign a key ID to the key.

A first sending unit 404, configured to send the key ID of the key to the user terminal.

This application also provides Embodiment 2 of a system for processing user keys in a cloud environment. In this embodiment, the system includes:

A first obtaining unit, configured to obtain an encryption request instruction for encrypting the target data, the encryption request instruction including the key ID.

A second obtaining unit, configured to obtain a device for encryption within the encryption domain.

A first encryption unit, configured to encrypt the key used for encryption with the public key of the device for encryption.

A second sending unit, configured to send the encrypted key to the device for encryption, which performs the corresponding encryption operation and saves the encrypted target data in the cloud.

When the target data in the receiving unit is data stored in the cloud environment, the system further includes:

A third obtaining unit, configured to obtain the user PIN.

A calculation unit, configured to perform an operation on the PIN and the key, and to use the result of the operation as the final key.

This application also provides Embodiment 3 of a system for processing user keys in a cloud environment. In this embodiment, the system includes:

A second receiving unit, configured to receive a decryption request instruction for decrypting the target data, the decryption request instruction including a user ID.

A checking unit, configured to check whether the user ID is in the access authority list of the key.

A decryption unit, configured to perform the decryption operation when the user ID is in the access authority list of the key.

The decryption unit includes:

A fourth obtaining unit, configured to obtain a device for decryption within the encryption domain.

A second encryption unit, configured to encrypt the key used for decryption with the public key of the device for decryption.

A third sending unit, configured to send the encrypted key to the device for decryption, which performs the corresponding decryption operation.

In a concrete implementation, as shown in Fig. 5, this application is used together with cryptographic resource pooling technology. The key management device is responsible for user registration, key management and key authority management, and assigns tasks according to the encryption domain of the key. The cryptographic service agent implements the communication interface with the key management device and the cryptographic service devices. The cryptographic service device provides the cryptographic service according to the task scheduling of the key management device and clears the key when the cryptographic service ends.

Users who need the cloud cryptographic service must first register an account with the key management device of the cloud environment.

Before encrypting private data, the user applies through the cryptographic service agent to the key management device of the cloud environment to generate a key, specifying the access authority list of the key and the encryption domain in which the key is used. The key is stored encrypted in the key management device, and the unique key ID is returned to the user.

When encrypting private data, the user passes the key ID to the key management device through the cryptographic service agent. The key management device encrypts the key with the public key of the cryptographic service device that performs the encryption task and passes it to that device, ensuring that only the device performing the encryption task can recover the key. If the private data being encrypted is stored only in the cloud environment, the user also passes the PIN to the cryptographic service device, which computes the data encryption key using the PIN and the key issued by the key management device as components.

When decrypting data, the recipient passes the key ID to the key management device through the cryptographic service agent, and the key management device checks whether that user is in the access authority list of the key. If the check passes, the key management device encrypts the key with the public key of the cryptographic service device that performs the decryption task and passes it to that device.

In this application, the user sets the access authority list and the encryption domain of the key, so that the key is accessed according to authority. The user's application system exchanges keys by means of the globally unique key ID and never touches the key ciphertext. For private data stored in the cloud environment, the PIN is used as a component of the encryption key, so that administrators and maintenance personnel of the cloud environment cannot obtain the user key, which guarantees the security of the user's encrypted data.
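The key lifecycle described above (S101-S104 for key creation, S301-S303 for the access check, and the PIN-combined key for cloud-only data), as an added Python example that is not part of the patent. The class and function names, the sample users and device IDs, and the choice of PBKDF2-HMAC-SHA256 as the PIN "operation" are assumptions; the public-key wrapping of the key for the selected device is marked in a comment and not implemented.

```python
import hashlib
import secrets
from dataclasses import dataclass


class AccessDenied(Exception):
    """The request failed the access-list or encryption-domain check."""


@dataclass(frozen=True)
class KeyRecord:
    material: bytes      # random key material generated in the cloud
    acl: frozenset       # user IDs allowed to use the key
    domain: frozenset    # device IDs that form the encryption domain


class KeyManagementDevice:
    """Hypothetical stand-in for the key management device of Fig. 5."""

    def __init__(self):
        self._keys = {}

    def generate_key(self, acl, domain):
        """S101-S104: bind a new key to its ACL and domain, return only the key ID."""
        if not acl or not domain:
            raise ValueError("access list and encryption domain must be non-empty")
        key_id = secrets.token_hex(16)
        while key_id in self._keys:          # every key gets a distinct ID
            key_id = secrets.token_hex(16)
        self._keys[key_id] = KeyRecord(secrets.token_bytes(32),
                                       frozenset(acl), frozenset(domain))
        return key_id

    def release_key(self, user_id, key_id, device_id):
        """S301-S303: hand the key material to one device, or refuse."""
        record = self._keys.get(key_id)
        # Unknown key ID and missing permission give the same answer, so a
        # caller cannot probe which key IDs exist.
        if record is None or user_id not in record.acl:
            raise AccessDenied("user is not permitted to use this key")
        if device_id not in record.domain:
            raise AccessDenied("device is outside the key's encryption domain")
        # In the patent the material is encrypted with this device's public key
        # before it leaves the key management device; that wrapping step is
        # not reproduced in this sketch.
        return record.material


def derive_data_key(pin, material, iterations=100_000):
    """Combine the user's PIN with the cloud key material.

    The patent only says "an operation"; PBKDF2-HMAC-SHA256 with the key
    material as salt is an assumption made for this example.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), material,
                               iterations, dklen=32)


def is_denied(kmd, user_id, key_id, device_id):
    """Return True when the key management device refuses the request."""
    try:
        kmd.release_key(user_id, key_id, device_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    kmd = KeyManagementDevice()
    # Constructed sample identities and device names.
    key_id = kmd.generate_key(acl={"alice", "bob"}, domain={"hsm-01", "hsm-02"})
    print("bob on hsm-02 denied:    ", is_denied(kmd, "bob", key_id, "hsm-02"))
    print("mallory on hsm-01 denied:", is_denied(kmd, "mallory", key_id, "hsm-01"))
    print("alice on hsm-99 denied:  ", is_denied(kmd, "alice", key_id, "hsm-99"))
    material = kmd.release_key("alice", key_id, "hsm-01")
    same = derive_data_key("4821", material) == derive_data_key("4821", material)
    print("same PIN reproduces the data key:", same)
```

Neither the PIN nor the stored key material alone reproduces the derived data key, which is the property the description relies on to keep cloud administrators from recovering it.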

需要说明的是,本说明书中的各个实施例均采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似的部分互相参见即可。对于装置类实施例而言,由于其与方法实施例基本相似,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。It should be noted that each embodiment in this specification is described in a progressive manner, and each embodiment focuses on the difference from other embodiments. For the same and similar parts in each embodiment, refer to each other, that is, Can. As for the device-type embodiments, since they are basically similar to the method embodiments, the description is relatively simple, and for related parts, please refer to part of the description of the method embodiments.

最后,还需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者设备中还存在另外的相同要素。Finally, it should also be noted that in this text, relational terms such as first and second etc. are only used to distinguish one entity or operation from another, and do not necessarily require or imply that these entities or operations, any such actual relationship or order exists. Furthermore, the term "comprises", "comprises" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus comprising a set of elements includes not only those elements, but also includes elements not expressly listed. other elements of or also include elements inherent in such a process, method, article, or device. Without further limitations, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus comprising said element.

为了描述的方便,描述以上装置时以功能分为各种单元分别描述。当然,在实施本申请时可以把各单元的功能在同一个或多个软件和/或硬件中实现。For the convenience of description, when describing the above devices, functions are divided into various units and described separately. Of course, when implementing the present application, the functions of each unit can be implemented in one or more pieces of software and/or hardware.

From the above description of the implementations, those skilled in the art can clearly understand that the present application can be implemented by means of software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk, or an optical disc, and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the present application.

The method and system for processing user keys in a cloud environment provided by the present application have been described in detail above. Specific examples are used herein to explain the principles and implementations of the present application, and the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea. At the same time, for those of ordinary skill in the art, changes may be made to the specific implementations and the scope of application in accordance with the idea of the present application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (6)

CN201510764378.3A | 2015-11-10 | 2015-11-10 | Method and system for processing user key in cloud environment | Active | CN105429752B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510764378.3A, CN105429752B (en) | 2015-11-10 | 2015-11-10 | Method and system for processing user key in cloud environment

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201510764378.3A, CN105429752B (en) | 2015-11-10 | 2015-11-10 | Method and system for processing user key in cloud environment

Publications (2)

Publication Number | Publication Date
CN105429752A (en) | 2016-03-23
CN105429752B (en) | 2019-10-22

Family

ID=55507705

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN201510764378.3A | Method and system for processing user key in cloud environment (Active, CN105429752B (en)) | 2015-11-10 | 2015-11-10

Country Status (1)

Country | Link
CN (1) | CN105429752B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106059767A (en)* | 2016-08-17 | 2016-10-26 | 王树栋 | Terminal private data protection system and method based on Internet
CN107070879B (en)* | 2017-02-15 | 2018-12-07 | 北京深思数盾科技股份有限公司 | Data guard method and system
CN107302546B (en)* | 2017-08-16 | 2021-05-21 | 北京奇虎科技有限公司 | System, method and electronic device for secure access to big data platform
US10681033B2 (en)* | 2017-10-16 | 2020-06-09 | Microsoft Technology Licensing, Llc | Selecting and securing proof delgates for cryptographic functions
CN110009346A (en)* | 2019-03-11 | 2019-07-12 | 巍乾全球技术有限责任公司 | For splitting and restoring method, program product, storage medium and the system of key
CN110264354B (en)* | 2019-05-31 | 2020-09-01 | 阿里巴巴集团控股有限公司 | Method and device for creating block chain account and verifying block chain transaction
US11108545B2 (en) | 2019-05-31 | 2021-08-31 | Advanced New Technologies Co., Ltd. | Creating a blockchain account and verifying blockchain transactions
CN110543764B (en)* | 2019-09-11 | 2021-07-23 | 飞腾信息技术有限公司 | System-on-chip memory protection method, password acceleration engine and memory protection device
CN114697007B (en)* | 2020-12-29 | 2024-01-16 | 华为技术有限公司 | Key management method, corresponding device and system
CN114268435B (en)* | 2022-03-03 | 2022-05-13 | 南京易科腾信息技术有限公司 | Cloud password service communication method and device, electronic equipment and storage medium
CN115051861B (en)* | 2022-06-17 | 2024-01-23 | 北京天融信网络安全技术有限公司 | Domain name detection method, device, system and medium
CN117579275B (en)* | 2024-01-16 | 2024-04-12 | 中国民用航空飞行学院 | Information security management method, system and storage medium based on aviation data

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
EP1835654A1 (en)* | 2006-02-28 | 2007-09-19 | Samsung Electronics Co., Ltd. | Method and apparatus for configuring key of groups contained in domain
CN101346928A (en)* | 2006-01-19 | 2009-01-14 | 三星电子株式会社 | Method and apparatus for transmitting content to device which does not join domain
CN103107994A (en)* | 2013-02-06 | 2013-05-15 | 中电长城网际系统应用有限公司 | Vitualization environment data security partition method and system
CN104662870A (en)* | 2012-09-10 | 2015-05-27 | 云深系统有限公司 | Data security management system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
EP1714459B1 (en)* | 2004-02-13 | 2016-08-03 | Nokia Technologies Oy | Accessing protected data on network storage from multiple devices

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101346928A (en)* | 2006-01-19 | 2009-01-14 | 三星电子株式会社 | Method and apparatus for transmitting content to device which does not join domain
EP1835654A1 (en)* | 2006-02-28 | 2007-09-19 | Samsung Electronics Co., Ltd. | Method and apparatus for configuring key of groups contained in domain
CN104662870A (en)* | 2012-09-10 | 2015-05-27 | 云深系统有限公司 | Data security management system
CN103107994A (en)* | 2013-02-06 | 2013-05-15 | 中电长城网际系统应用有限公司 | Vitualization environment data security partition method and system

Also Published As

Publication number | Publication date
CN105429752A (en) | 2016-03-23

Similar Documents

Publication | Publication Date | Title
CN105429752B (en) | Method and system for processing user key in cloud environment
Shahzad | State-of-the-art survey on cloud computing security challenges, approaches and solutions
EP3123657B1 (en) | Method and apparatus for cloud-assisted cryptography
Pradeep et al. | An efficient framework for sharing a file in a secure manner using asymmetric key distribution management in cloud environment
CN104104692B (en) | A kind of virtual machine encryption method, decryption method and encryption and decryption control system
CN109905350B (en) | A data transmission method and system
EP2947811A1 (en) | Method, server, host and system for protecting data security
CN105074713A (en) | Systems and methods for identifying a secure application when connecting to a network
JP2020505849A (en) | Digital certificate management method and device
CN111163036B (en) | Data sharing method, device, client, storage medium and system
WO2017020452A1 (en) | Authentication method and authentication system
CN105187362A (en) | Method and device for connection authentication between desktop cloud client and server-side
CN103475474B (en) | Method for providing and acquiring shared enciphered data and identity authentication equipment
US20190005258A1 (en) | A method for encrypting data and a method for decrypting data
Lo et al. | An attribute-role based access control mechanism for multi-tenancy cloud environment
US20150350375A1 (en) | Information Processing Method, Trusted Server, and Cloud Server
CN110022207B (en) | Method, apparatus, device and computer readable medium for key management and data processing
CN116233158A (en) | A data storage method, device, equipment and storage medium
Thilakanathan et al. | Secure multiparty data sharing in the cloud using hardware-based TPM devices
Boopathy et al. | Data encryption framework model with watermark security for data storage in public cloud model
US11804969B2 (en) | Establishing trust between two devices for secure peer-to-peer communication
CN105376242A (en) | Cloud terminal data access authentication method, cloud terminal data access authentication system and cloud terminal management system
CN102427461B (en) | Method and system for realizing Web service application security
Huang et al. | A method for trusted usage control over digital contents based on cloud computing
CN105791301A (en) | A Key Distribution Management Method Oriented to Separation of Credentials and Secrets in Multi-User Groups

Legal Events

Date | Code | Title | Description
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
CB03 | Change of inventor or designer information

Inventor after:Lei Bo

Inventor after:Chen Deyong

Inventor after:Dong Guishan

Inventor after:Wang Yunbing

Inventor after:Hou Jianning

Inventor after:Lei Zhenyu

Inventor after:Leng Qingsong

Inventor after:Liu Junbo

Inventor after:Wang Feng

Inventor after:Tang Zhongqian

Inventor before:Lei Bo

Inventor before:Dong Guishan

Inventor before:Wang Yunbing

Inventor before:Xia Fan

Inventor before:Huang Bin

Inventor before:Li Linxiao

Inventor before:Deng Zijian

Inventor before:Tang Zhongqian

Inventor before:Yang Hong

COR | Change of bibliographic data
GR01 | Patent grant
GR01 | Patent grant
