
CN-121984671-A - Key management method, device, equipment and storage medium


Abstract

The invention discloses a key management method, apparatus, device and storage medium in the technical field of data processing. The method is executed by a server cryptographic machine and comprises: generating a system protection key; receiving a key generation request and generating a service key according to it; determining a target grade of the service key; storing the service key as components according to the system protection key and the target grade, and recording the component storage addresses of the service key; and generating a key memory index corresponding to the service key according to the target grade, the component storage addresses and the key generation request. The invention reduces the response time of security services that use the service key for cryptographic operations such as encryption, decryption and signature verification, and realizes low-latency, high-concurrency access to large numbers of service keys while keeping the service keys highly secure.

Inventors

  • LIU YULIN
  • GUO XIANYONG
  • XU YUBO
  • SUN YULI
  • LI SHANGFENG
  • GENG HONGLIANG
  • SUN YINFENG

Assignees

  • 北京密码云芯科技有限公司

Dates

Publication Date
20260505
Application Date
20260202

Claims (10)

  1. A key management method performed by a server cryptographic machine, the method comprising: generating a system protection key; generating a service key according to a received key generation request, and determining a target grade of the service key; storing the service key as components according to the system protection key and the target grade, and recording a component storage address of the service key; and generating a key memory index corresponding to the service key according to the target grade, the component storage address and the key generation request.
  2. The method of claim 1, wherein storing the service key as components according to the system protection key and the target grade comprises: when the target grade is not the column grade, encrypting the service key with the system protection key to obtain a service key ciphertext; dividing the service key ciphertext by a secret sharing scheme to obtain a plurality of ciphertext fragments, wherein the secret sharing scheme comprises a number of shares and a threshold value; and storing the obtained ciphertext fragments in a dispersed manner according to the target grade, the number of shares and the threshold value.
  3. The method of claim 2, wherein storing the ciphertext fragments in a dispersed manner according to the target grade, the number of shares and the threshold value comprises: grouping the obtained ciphertext fragments according to the number of shares and the threshold value to obtain a first ciphertext group and a second ciphertext group, wherein the first ciphertext group contains fewer ciphertext fragments than the second ciphertext group; if the target grade is the tenant grade, storing the ciphertext fragments of the first ciphertext group in a dispersed manner in discontiguous idle memory blocks of a preset memory, and storing the ciphertext fragments of the second ciphertext group in a hardware security module; if the target grade is the database grade, storing the ciphertext fragments of the second ciphertext group in a dispersed manner in discontiguous idle memory blocks of the preset memory, and storing the ciphertext fragments of the first ciphertext group in the hardware security module; and if the target grade is the table grade, storing all the obtained ciphertext fragments in a dispersed manner in discontiguous idle memory blocks of the preset memory.
  4. The method of claim 1, wherein generating a key memory index corresponding to the service key according to the target grade, the component storage address and the key generation request comprises: generating a target hash code corresponding to the service key according to the target grade and the key generation request; and generating a key memory index corresponding to the service key according to the target hash code and the component storage address.
  5. The method of claim 4, wherein generating the target hash code corresponding to the service key according to the target grade and the key generation request comprises: if the target grade is the tenant grade, generating the target hash code from the tenant identifier in the key generation request; if the target grade is the database grade, generating the target hash code from the tenant identifier and the database name in the key generation request; if the target grade is the table grade, generating the target hash code from the tenant identifier, the database name and the table name in the key generation request; and if the target grade is the column grade, generating the target hash code from the tenant identifier, the database name, the table name and the column name in the key generation request.
  6. The method of claim 2, further comprising: in response to a key calling request sent by a cloud platform, generating a retrieval hash value from the resource identification parameters in the key calling request; determining the target storage address corresponding to the retrieval hash value from the correspondence between hash values and storage addresses in the candidate memory index; and reconstructing the key to be called according to the target storage address, the system protection key and the secret sharing scheme.
  7. A key management apparatus deployed in a server cryptographic machine, the apparatus comprising: a system protection key generation module for generating a system protection key; a service key generation module for generating a service key according to a received key generation request and determining the target grade of the service key; a service key component storage module for storing the service key as components according to the system protection key and the target grade and recording a component storage address of the service key; and a key memory index generation module for generating a key memory index corresponding to the service key according to the target grade, the component storage address and the key generation request.
  8. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor, wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the key management method of any one of claims 1-6.
  9. A computer readable storage medium storing computer instructions which, when executed, cause a processor to implement the key management method of any one of claims 1-6.
  10. A computer program product comprising a computer program which, when executed by a processor, implements the key management method of any one of claims 1-6.
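The claims above (1 through 6) describe the procedure only in the abstract. The following is an added example, not code from the patent or its assignee, that implements that procedure as a toy server cryptographic machine in Python: a service key is wrapped under the system protection key, the ciphertext is split with Shamir secret sharing (n = 5 shares, threshold t = 3), the shares are placed in a simulated memory or a simulated HSM by key grade as in claim 3, and the key is indexed and retrieved through the grade-dependent hash of claim 5 and the retrieval of claim 6. Everything beyond the claims is an assumption and is marked as such in the code: the prime field, the key and blob sizes, the SHA-256/HMAC construction standing in for the machine's real cipher, the grouping sizes n-t and t, and the placement of column-grade keys (which claim 2 does not split).

```python
import hashlib
import hmac
import secrets

P = 2**1279 - 1               # Mersenne prime M1279 (assumption): Shamir field, larger than any 80-byte blob
KEY_LEN = 32                  # service key length (assumption)
BLOB_LEN = 16 + KEY_LEN + 32  # nonce || ciphertext || HMAC-SHA256 tag

def shamir_split(secret, n, t):
    """Split an integer secret into n points of a random degree t-1 polynomial; any t rebuild it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]

def shamir_recover(shares, t):
    """Lagrange interpolation at x = 0 from the first t shares; fails below the threshold."""
    if len(shares) < t:
        raise ValueError("below threshold: have %d shares, need %d" % (len(shares), t))
    pts, total = shares[:t], 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def _subkeys(spk):   # separate encryption and MAC keys derived from the system protection key
    return hashlib.sha256(spk + b"enc").digest(), hashlib.sha256(spk + b"mac").digest()

def _keystream(enc_key, nonce, length):   # SHA-256 in counter mode, a stand-in for the HSM's cipher
    return b"".join(hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((length + 31) // 32))[:length]

def wrap_key(spk, service_key):
    """Encrypt-then-MAC of a service key under the system protection key (AEAD stand-in)."""
    enc_key, mac_key = _subkeys(spk)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(service_key, _keystream(enc_key, nonce, len(service_key))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap_key(spk, blob):
    enc_key, mac_key = _subkeys(spk)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("service key ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def index_hash(level, tenant, database=None, table=None, column=None):
    """Target hash code per claim 5: which identifiers are hashed depends on the key's grade."""
    parts = {"tenant": (tenant,), "database": (tenant, database), "table": (tenant, database, table),
             "column": (tenant, database, table, column)}[level]
    if any(p is None for p in parts):
        raise ValueError("missing identifier for a %s-grade key" % level)
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()

class ServerCryptoEngine:
    def __init__(self, n=5, t=3):
        if not t <= n < 2 * t:   # keeps the (n-t)-share group strictly smaller than the t-share group
            raise ValueError("need t <= n < 2t")
        self.n, self.t = n, t
        self.spk = secrets.token_bytes(32)             # system protection key, generated once
        self.memory, self.hsm, self.index = {}, {}, {} # simulated memory, simulated HSM, key memory index

    def _put(self, store, data):
        target = self.memory if store == "mem" else self.hsm
        while (addr := secrets.randbits(48)) in target:   # random address models non-contiguous idle blocks
            pass
        target[addr] = data
        return (store, addr)

    def _store_components(self, level, blob):
        if level == "column":                # claim 2 splits only non-column keys; keeping the whole
            return [self._put("mem", blob)]  # column-grade ciphertext in memory is an assumption
        shares = shamir_split(int.from_bytes(blob, "big"), self.n, self.t)
        enc = [x.to_bytes(2, "big") + y.to_bytes(160, "big") for x, y in shares]
        first, second = enc[: self.n - self.t], enc[self.n - self.t:]   # group sizes n-t < t (assumption)
        mem_parts, hsm_parts = {"tenant": (first, second),     # memory alone stays below threshold
                                "database": (second, first),   # memory alone can reconstruct
                                "table": (enc, [])}[level]     # nothing goes to the HSM
        return [self._put("mem", s) for s in mem_parts] + [self._put("hsm", s) for s in hsm_parts]

    def generate_service_key(self, level, tenant, database=None, table=None, column=None):
        """Key generation request -> wrapped key, component storage, index entry; returns the hash code."""
        code = index_hash(level, tenant, database, table, column)
        blob = wrap_key(self.spk, secrets.token_bytes(KEY_LEN))
        self.index[code] = (level, self._store_components(level, blob))
        return code

    def call_key(self, level, tenant, database=None, table=None, column=None, hsm_available=True):
        """Key calling request: retrieval hash -> component addresses -> reconstruct -> unwrap."""
        stored_level, addrs = self.index[index_hash(level, tenant, database, table, column)]
        raws = [self.memory[a] if s == "mem" else self.hsm[a] for s, a in addrs if s == "mem" or hsm_available]
        if stored_level == "column":
            return unwrap_key(self.spk, raws[0])
        shares = [(int.from_bytes(r[:2], "big"), int.from_bytes(r[2:], "big")) for r in raws]
        return unwrap_key(self.spk, shamir_recover(shares, self.t).to_bytes(BLOB_LEN, "big"))

    def component_counts(self, code):   # (memory components, HSM components) recorded in the index
        _, addrs = self.index[code]
        return sum(s == "mem" for s, _ in addrs), sum(s == "hsm" for s, _ in addrs)
```

Calling `call_key` with `hsm_available=False` models the hot path the patent is after: for database- and table-grade keys the memory-resident components already meet the threshold, so the key is rebuilt without touching the HSM, while the same call on a tenant-grade key fails inside `shamir_recover` because memory holds only n-t shares, which is the property claim 3 encodes. In a real machine the wrapping cipher would be the HSM's own AEAD and the blocks would live in the cryptographic machine's RAM rather than a dict.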

Description

Key management method, device, equipment and storage medium

Technical Field

The present invention relates to the field of data processing technologies, and in particular to a method, an apparatus, a device and a storage medium for managing keys.

Background

A server cryptographic machine is the core equipment for ensuring the data security of a service system, and mainly provides security services such as encryption, decryption and signature verification for the data of the service system. The server cryptographic machine typically persists service keys in a dedicated hardware device, a hardware security module (HSM), so that the service keys are not lost when the device is restarted or powered down. However, with this key storage mode, security services such as encryption, decryption or signature verification must read service keys from the hardware security module frequently, and the requirement for low-latency, high-concurrency access to large numbers of service keys is difficult to meet.

Disclosure of Invention

The invention provides a key management method, apparatus, device and storage medium for realizing low-latency, high-concurrency access to large numbers of service keys while keeping the service keys highly secure.

According to one aspect of the present invention, there is provided a key management method performed by a server cryptographic machine, comprising: generating a system protection key; generating a service key according to a received key generation request, and determining a target grade of the service key; storing the service key as components according to the system protection key and the target grade, and recording a component storage address of the service key; and generating a key memory index corresponding to the service key according to the target grade, the component storage address and the key generation request.

According to another aspect of the present invention, there is provided a key management apparatus deployed in a server cryptographic machine, the apparatus comprising: a system protection key generation module for generating a system protection key; a service key generation module for generating a service key according to a received key generation request and determining the target grade of the service key; a service key component storage module for storing the service key as components according to the system protection key and the target grade and recording the component storage address of the service key; and a key memory index generation module for generating a key memory index corresponding to the service key according to the target grade, the component storage address and the key generation request.

According to another aspect of the present invention, there is provided an electronic device comprising: at least one processor; and a memory communicatively coupled to the at least one processor, wherein the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the key management method of any one of the embodiments of the present invention.

According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions which cause a processor to execute the key management method of any one of the embodiments of the present invention.

According to another aspect of the invention, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the key management method of any one of the embodiments of the invention.

The technical scheme of the embodiments of the invention comprises: generating a system protection key; generating a service key according to a received key generation request; determining a target grade of the service key; storing the service key as components according to the system protection key and the target grade, and recording the component storage address of the service key; and generating a key memory index corresponding to the service key according to the target grade, the component storage address and the key generation request. With this scheme, service keys of different grades are protected according to their grade, which improves their security; the service keys are kept resident in volatile memory, so that frequent reads from the hardware security module are avoided and the service keys are read directly from volatile memory; this speeds up service key acquisition, reduces the response time of security services that use the service keys for cryptographic operations such as encryption, decryption or signature verification, and realizes low-latency, high-concurrency access to large numbers of service keys. It should be understood that the descr