
JP-2022515467-A5


Dates

Publication Date
20221228
Application Date
20191230

Description

Other variations of the disclosed embodiments can be understood and implemented by those skilled in the art by reading the specification, the disclosed content, the accompanying drawings, and the accompanying claims. In the claims, the word “including” does not exclude other elements or steps, and the words “a” or “an” do not exclude the plural form. In the practical application of this application, one component may perform the function of multiple technical features enumerated in the claims. No reference numeral in the claims should be construed as limiting its scope.

[Aspect 1] A key security management system comprising: a security host configured to receive a first action request, verify the first action request, and, if the verification is successful, generate a second action request based on the first action request, wherein both the first and second action requests include identity verification; and a hardware security device configured to receive the second action request from the security host, verify the second action request, and, if the verification is successful, parse the second action request to obtain the type of the second action request, and, based on the type of the second action request, perform an action related to a key pair associated with the identity, wherein the key pair includes a public key and a private key specific to the identity.

[Aspect 2] A key security management system according to Aspect 1, wherein the identity verification includes organizational identity verification, and performing, based on the type of the second operation request, the operation related to the key pair associated with the identity comprises generating a random key seed in response to the type of the second operation request being a request to generate the master root key pair of the organization, and using the key seed to generate the master root key pair of the organization.

[Aspect 3] A key security management system according to Aspect 2, wherein, after using the key seed to generate the master root key pair of the organization, the hardware security device is further configured to store the master root key pair of the organization and to destroy the key seed.

[Aspect 4] The identity verification includes the user's identity verification and the identity verification of the organization associated with the user, and the key security management system stores the organization's master root key pair. Performing, based on the type of the second operation request, the operation related to the key pair associated with the identity includes: in response to the type of the second operation request being a request to obtain the user's public key, determining the master root key pair of the organization in accordance with the organization's identity verification; determining the user's key pair generation path based on the user's identity verification and hierarchical deterministic rules; deriving the user's key pair based on the user's key pair generation path and the organization's master root key pair; and sending the public key in the user's key pair to the security host. A key security management system according to Aspect 1, including the above.

[Aspect 5] The identity verification includes the user's identity verification and the identity verification of the organization associated with the user, the hardware security device stores the organization's master root key pair, and the second action request further includes data to be signed by the user. Performing, based on the type of the second operation request, the operation related to the key pair associated with the identity includes: in response to the type of the second operation request being a request to sign the data to be signed, determining the master root key pair of the organization in accordance with the identity of the organization; determining the user's key pair generation path based on the user's identity verification and hierarchical deterministic rules; deriving the user's key pair based on the user's key pair generation path and the organization's master root key pair; using the private key in the user's key pair to sign the data to be signed and obtaining the signed data; and transmitting the signed data to the security host. A key security management system according to Aspect 1, including the above.

[Aspect 6] Determining the key pair generation path for the user based on the user's identity verification includes: performing a hash operation on the combination of the user's identity verification and the organization's identity verification to obtain a hash value; and determining the user's key pair generation path based on the hash value and the hierarchical deterministic rules. A key security management system according to Aspect 4 or 5, including the
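
The derivation flow described in the aspects above, as an added example that is not code from the patent: the organization's master root key is built once from a seed, and a user's private key is re-derived on demand from a path computed by hashing the organization and user identities, so no per-user key is stored. The page only says "hash operation" and "hierarchical deterministic"; BIP32 hardened derivation over secp256k1, SHA-256, the four-level path, the length-prefixed identity encoding and every function name here are assumptions.

```python
import hashlib
import hmac

# secp256k1 group order; BIP32 (assumed here) does private-key math mod N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def master_from_seed(seed: bytes):
    """Aspects 2-3: seed -> master root (private key, chain code).
    The caller stores the result and destroys the seed."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def path_from_identities(user_id: str, org_id: str, depth: int = 4):
    """Aspect 6: hash the identity pair, map the hash to a derivation path."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (org_id.encode(), user_id.encode())
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hashlib.sha256(data).digest()
    # Consume 4 bytes per level; force every index into the hardened range.
    return [int.from_bytes(digest[4 * k:4 * k + 4], "big") | HARDENED
            for k in range(depth)]


def ckd_priv_hardened(k_par: int, c_par: bytes, index: int):
    """BIP32 hardened child derivation: needs the parent private key."""
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + k_par) % N
    if il >= N or child == 0:
        raise ValueError("invalid child key for this index")
    return child, i[32:]


def derive_user_private_key(master, user_id: str, org_id: str) -> int:
    """Aspects 4-5: walk the identity-derived path from the stored master.
    The public key is child * G on secp256k1 (omitted: needs an EC library)."""
    k, c = master
    for index in path_from_identities(user_id, org_id):
        k, c = ckd_priv_hardened(k, c, index)
    return k
```

Because every level is hardened, the path can only be walked by a holder of the master private key, which matches a design where derivation happens inside the hardware security device.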