CN-122027147-A - TPM-based automatic encryption multi-level key management method and system

Abstract

The invention provides an automatic encryption multi-level key management method and system based on a TPM, wherein the method comprises the steps of generating a multi-level key system based on a trusted platform module TPM, generating a primary master key, deriving a secondary encryption key KEK for key encryption based on the primary master key, and a tertiary encryption key DEK for data encryption, adopting multi-factor authentication on the multi-level key system, automatically deriving a nonvolatile NV key and a storage index address of the trusted platform module TPM based on user and hardware information, and storing the multi-level key in a lasting mode. The invention constructs a safe and reliable multilevel key management system, can automatically complete the user NV key and index management, effectively ensures the security and the integrity of the key, and simultaneously realizes flexible and efficient key management.

Inventors

• LIU YI
• FU WEI
• Shu Zetian
• WANG YUCHENG
• Jiang Xingsong
• MENG YUAN
• YANG ZHAOJUN

Assignees

• 麒麟软件有限公司

Dates

Publication Date

20260512

Application Date

20260330

Claims (10)

1. 1. An automatic encryption multi-level key management method based on a TPM (trusted platform module), which is characterized by comprising the following steps: S1, generating a multi-level key system based on a trusted platform module TPM, wherein the multi-level key system comprises a primary master key generation step, a secondary encryption key KEK for key encryption based on the primary master key derivation step and a tertiary encryption key DEK for data encryption; s2, multi-factor authentication is adopted for a multi-level key system, a primary master key and a platform configuration register PCR of a trusted platform module TPM are bound and authenticated, a secondary encryption key KEK uses an incoming password to carry out encryption and decryption authentication, and a tertiary encryption key DEK carries out encryption and decryption authentication through the secondary encryption key KEK; And S3, automatically deriving the NV (nonvolatile) key and the storage index address of the trusted platform module TPM based on the user and hardware information, and storing the multilevel key in a lasting mode.
2. 2. The TPM-based automated encryption multi-level key management method of claim 1, wherein the primary master key in step S1 is generated by invoking a TPM2CREATEPRIMARY key generation function of the TPM.
3. 3. The method according to claim 1, wherein the secondary encryption key KEK in step S1 is an asymmetric encryption key generated by calling the Create function of the TPM with the primary master key as a parent key.
4. 4. The TPM-based automated encryption multi-level key management method of claim 1, wherein the tertiary encryption key DEK in step S1 is a symmetric encryption key generated by calling the Create function of the TPM with a primary master key as a parent key.
5. 5. The method for automatically encrypting a multi-level key management based on a TPM as claimed in claim 1, wherein in step S2, the authentication of the primary master key comprises reading one or more platform configuration registers PCR, creating a PCR strategy, binding the primary master key with the PCR strategy after the primary master key is generated, and protecting the security of the multi-level key system.
6. 6. The TPM-based automated encryption multi-level key management method of claim 1, wherein in step S2, the tertiary encryption key DEK is encrypted using the public key of the secondary encryption key KEK, decrypted by the private key of the secondary encryption key KEK.
7. 7. The TPM-based automated encryption multi-level key management method of claim 1, wherein step S3 comprises: s301, automatically generating an NV (random access memory) key, namely acquiring user information and hardware information as key seeds to generate an NV space encryption key; And S302, automatically generating an NV index, namely calculating an initial index address by adopting a hybrid hash algorithm based on user information and hardware information, detecting the state of the NV space based on the initial index address and an NV space encryption key, and if the space detection meets the expectation, obtaining a legal NV key and a storage index address.
8. 8. The TPM-based automated encryption multi-level key management method of claim 7, wherein step S301 comprises: The method comprises the steps of obtaining a mixed hash first element through user name calculation, obtaining a mixed hash second element through UID calculation, obtaining a mixed hash third element through Mac address calculation, and finally carrying out combined hash operation on the mixed hash first element, the mixed hash second element and the mixed hash third element to obtain an initial index address.
9. 9. The TPM-based automated encryption multilevel key management method of claim 7, further comprising, if the spatial detection is not expected, using a quadratic detection method as an index conflict resolution algorithm, the detection step length increases nonlinearly with the number of attempts, taking the modulus with a prime number larger than the index space, and continuing the state detection of the NV space.
10. 10. An automatic encryption multi-level key management system based on a TPM, which is applied to the automatic encryption multi-level key management method based on the TPM as claimed in any one of claims 1 to 9, and is characterized by comprising: the system application module provides an interface for the application program, so that the application program requests to acquire a required key through the interface, and uses the key under the authorization of the TPM; The key management module is responsible for automatically managing and interacting with the TPM module based on the NV key and index of the user and the hardware information, and realizing the generation, encryption, storage, distribution and management of the multi-level key; the TPM adaptation module is used for adapting the TPM software stack interface and completing TPM trusted storage and algorithm function call on the premise that the secret key does not come out of the TPM; When the application program/system has encryption and decryption requirements, the key management module calls the TPM adaptation module to derive a secondary encryption key KEK based on the primary master key and randomly generate a tertiary encryption key DEK, encrypts the secondary encryption key KEK by using a password to obtain a KEK ciphertext, encrypts the tertiary encryption key DEK by using the secondary encryption key KEK to obtain a DEK ciphertext, and the KEK ciphertext and the DEK ciphertext are stored in the TPM chip in a lasting manner.

Description

TPM-based automatic encryption multi-level key management method and system Technical Field The invention belongs to the technical field of information security, and particularly relates to an automatic encryption multi-level key management method and system based on a TPM. Background In the present digital age, the security and privacy of data is of paramount importance. With the rapid development of information technology, the data volume processed and stored by various information systems is continuously increased, and security threats facing data are increasingly diversified, such as data leakage, tampering, illegal access and the like. In order to protect the security of data, encryption technology is an important means. The key management includes the links of key generation, storage, encryption, distribution, use and the like. A safe and efficient key management system plays a significant role in guaranteeing the security of the whole information system. In a system application scenario, a large number of keys often need to be managed, and these keys may have different levels and uses. For example, the user's data may need to be encrypted with a multi-level key to ensure the security of the data during transmission and storage. How to effectively store, encrypt and manage the multi-level key is a problem to be solved in the current information security field. In the prior art, a scheme is proposed that a multi-level key is formed by a group of asymmetric encryption key KEK pairs and a group of symmetric encryption keys DEK to realize data encryption and key protection. In the scheme, the data are encrypted by using a symmetric encryption key DEK, then the symmetric key DEK is encrypted by using a private key of an asymmetric key KEK, and the encrypted symmetric key is stored in a text manner. And storing the encrypted data and the public key of the asymmetric key KEK to a cloud server. However, in the scheme, the private key of the KEK and the ciphertext data of the DEK are required to be managed by a user or a system, and are stored in a file system, so that the risk of easy loss and leakage exists, and the security is low. Once the file system is under attack, the keys are easily stolen. For example, malware may obtain a file storing a key by infecting a computer system, thereby obtaining the key and performing illegal operations on the data. Meanwhile, the KEK public key and the ciphertext data are stored in the cloud server, and when the cloud server data are leaked and a user obtains local DEK ciphertext data, the data can be cracked and leaked, so that a large data leakage risk exists. In addition, the cloud server is used for data storage, so that the cost is high, and the method is not suitable for a network isolation environment. In the prior art, a method for realizing data encryption and key protection by using a group of symmetric encryption keys KEK and a group of symmetric encryption keys DEK to form a multi-stage key is also proposed. In the method, the data is encrypted by using the DEK and then stored locally, the DEK is encrypted by using the KEK and then stored locally, and the KEK is stored in the TPM chip. When a data encryption and decryption request exists, DEK ciphertext data is obtained locally, a KEK key is obtained from the TPM, the DEK ciphertext is decrypted by using the KEK key to obtain the DEK, and then the data is encrypted and decrypted by using the DEK. However, in the scheme, the DEK ciphertext data adopts a local storage scheme, so that the risks of easy loss and leakage exist, meanwhile, the KEK uses a symmetric encryption key, the key needs to be shared safely in advance during encryption and decryption, and after the key is leaked, all data are in an exposed state, so that the application scene of the KEK is limited. In addition, the TPM has no related protective measures when in KEK key storage, and the key needs to be taken out from the TPM during decryption, so that the KEK is easy to leak and cause leakage, and simultaneously, the NV storage key in the TPM is not encrypted and is easy to read and crack. Disclosure of Invention The invention aims to provide an automatic encryption multi-level key management method and system based on a TPM, which realize automatic multi-level key storage, encryption and management through a trusted platform module TPM, build a safe and reliable multi-level key management system, automatically complete user NV keys (nonvolatile region keys) and index management, effectively ensure the security and integrity of keys, and realize flexible and efficient key management. In order to achieve the above object, the technical scheme of the present invention is as follows: an automated encryption multi-level key management method based on TPM, comprising: S1, generating a multi-level key system based on a trusted platform module TPM, wherein the multi-level key system comprises a primary master key generation step, a secondary encrypti