CN117336077A - A data encryption and decryption method and system - Google Patents

Info

Publication number
CN117336077A
Authority
CN
China
Prior art keywords
key
working key
ciphertext
working
timestamp
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311364258.5A
Other languages
Chinese (zh)
Inventor
刘志祖
鹿昌开
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Momo Information Technology Co Ltd
Original Assignee
Beijing Momo Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Momo Information Technology Co Ltd
Priority to CN202311364258.5A
Publication of CN117336077A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

This application provides a data encryption and decryption method and system. The data encryption and decryption method provided by this application is applied to a key management server. The method includes: when a working key acquisition request is received from a storage node, determining whether the first timestamp carried in the working key acquisition request is a historical timestamp; if not, obtaining the first working key of the current day, and encrypting the first working key with the protection key to obtain the ciphertext of the first working key; encrypting the ciphertext of the first working key, the hash value of the first working key and the current timestamp with the communication key to obtain the first communication ciphertext; and returning the first communication ciphertext to the storage node, to instruct the storage node to obtain the first working key based on the first communication ciphertext and to use the first working key to encrypt and decrypt data. The data encryption method and system provided by this application can ensure data security.

Description

A data encryption and decryption method and system

Technical field

This application relates to the technical field of data encryption and decryption, and in particular to a data encryption and decryption method and system.

Background

In recent years, with the gradual development of digitalization and intelligence, massive amounts of data have been generated, collected and stored, and analyzed and utilized through advanced technologies. The importance of data security has become increasingly prominent, and how to ensure data security has become an urgent problem to be solved.

Summary of the invention

In view of this, this application provides a data encryption and decryption method and system to ensure data security.

Specifically, this application is implemented through the following technical solutions:

A first aspect of this application provides a data encryption and decryption method applied to a key management server; the method includes:

when a working key acquisition request is received from a storage node, determining whether the first timestamp carried in the working key acquisition request is a historical timestamp; wherein the working key acquisition request is used to request the working key for encrypting and decrypting data;

if not, obtaining the first working key of the current day, and encrypting the first working key with the protection key to obtain the ciphertext of the first working key;

encrypting the ciphertext of the first working key, the hash value of the first working key and the current timestamp with the communication key to obtain the first communication ciphertext;

returning the first communication ciphertext to the storage node, to instruct the storage node to obtain the first working key based on the first communication ciphertext and to use the first working key to encrypt and decrypt data.

A second aspect of this application provides a data encryption and decryption method applied to a data encryption and decryption system, the system including a key management server and multiple storage nodes; the method includes:

when the key management server receives a working key acquisition request from a first storage node among the multiple storage nodes, the key management server determines whether the first timestamp carried in the working key acquisition request is a historical timestamp; wherein the working key acquisition request is used to request the working key for encrypting and decrypting data;

when the key management server determines that the first timestamp carried in the key acquisition request is a timestamp of the current day, it obtains the first working key of the current day and encrypts the first working key with the protection key to obtain the ciphertext of the first working key;

the key management server encrypts the ciphertext of the first working key, the hash value of the first working key and the current timestamp with the communication key to obtain the first communication ciphertext;

the key management server returns the first communication ciphertext to the first storage node;

the first storage node obtains the first working key based on the first communication ciphertext, and uses the first working key to encrypt and decrypt data.

A third aspect of this application provides a data encryption and decryption system, which includes a key management server and multiple storage nodes;

the key management server is configured to, when receiving a working key acquisition request from a first storage node among the multiple storage nodes, determine whether the first timestamp carried in the working key acquisition request is a historical timestamp; wherein the working key acquisition request is used to request the working key for encrypting and decrypting data;

the key management server is further configured to, when determining that the first timestamp carried in the key acquisition request is a timestamp of the current day, obtain the first working key of the current day and encrypt the first working key with the protection key to obtain the ciphertext of the first working key;

the key management server is further configured to encrypt the ciphertext of the first working key, the hash value of the first working key and the current timestamp with the communication key to obtain the first communication ciphertext, and to return the first communication ciphertext to the first storage node;

the first storage node is configured to obtain the first working key based on the first communication ciphertext, and to use the first working key to encrypt and decrypt data.

With the data encryption and decryption method and system provided by this application, when a working key acquisition request is received from a storage node, it is determined whether the first timestamp carried in the working key acquisition request is a historical timestamp, the working key acquisition request being used to request the working key for encrypting and decrypting data. If the first timestamp is not a historical timestamp, the first working key of the current day is obtained and encrypted with the protection key to obtain the ciphertext of the first working key. The ciphertext of the first working key, the hash value of the first working key and the current timestamp are then encrypted with the communication key to obtain the first communication ciphertext, which is returned to the storage node to instruct the storage node to obtain the first working key based on the first communication ciphertext and to use the first working key to encrypt and decrypt data. In this way, the working key is encrypted with both the protection key and the communication key, which implements a multi-level protection mechanism for the working key, ensures the security of the working key, and thereby ensures data security.

Description of the drawings

Figure 1 is a flow chart of Embodiment 1 of the data encryption and decryption method provided by this application;

Figure 2 is a flow chart of Embodiment 2 of the data encryption and decryption method provided by this application;

Figure 3 is a flow chart of Embodiment 3 of the data encryption and decryption method provided by this application;

Figure 4 is a flow chart of Embodiment 4 of the data encryption and decryption method provided by this application;

Figure 5 is a flow chart of Embodiment 5 of the data encryption and decryption method provided by this application;

Figure 6 is a schematic diagram of the data encryption system provided by this application.

Detailed description

Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this application. Rather, they are merely examples of apparatus and methods consistent with some aspects of this application as detailed in the appended claims.

The terminology used in this application is for the purpose of describing particular embodiments only and is not intended to limit this application. As used in this application and the appended claims, the singular forms "a", "said" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.

It should be understood that although the terms first, second, third, etc. may be used in this application to describe various kinds of information, the information should not be limited to these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of this application, first information may also be called second information, and similarly, second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".

This application provides a data encryption and decryption method and system to ensure data security.

With the data encryption and decryption method and system provided by this application, when a working key acquisition request is received from a storage node, it is determined whether the first timestamp carried in the working key acquisition request is a historical timestamp, the working key acquisition request being used to request the working key for encrypting and decrypting data. When it is determined that the first timestamp is not a historical timestamp, the first working key of the current day is obtained and encrypted with the protection key to obtain the ciphertext of the first working key. The ciphertext of the first working key, the hash value of the first working key and the current timestamp are then encrypted with the communication key to obtain the first communication ciphertext, which is returned to the storage node to instruct the storage node to obtain the first working key based on the first communication ciphertext and to use the first working key to encrypt and decrypt data. In this way, the working key is encrypted with both the protection key and the communication key, which implements a multi-level protection mechanism for the working key, ensures the security of the working key, and thereby ensures data security.

Specific embodiments are given below to describe the technical solution of this application in detail.

Figure 1 is a flow chart of Embodiment 1 of the data encryption and decryption method provided by this application. Referring to Figure 1, the method provided by this embodiment is applied to a key management server; the method includes:

S101. When a working key acquisition request is received from a storage node, determine whether the first timestamp carried in the working key acquisition request is a historical timestamp; wherein the working key acquisition request is used to request the working key for encrypting and decrypting data.

Specifically, the key management server is a server used to manage the working keys required by the encryption and decryption algorithms. The storage node is a device used to store and manage data, and it uses the working key to encrypt and decrypt data.

The working key acquisition request is used to request the working key for encrypting and decrypting data, and may carry a timestamp, identification information of the storage node, and so on. Note that the working key changes daily, and the timestamp carried in the working key acquisition request indicates that the working key for that timestamp is to be obtained. For example, in one embodiment the timestamp carried in the working key acquisition request is September 2, 2023; the request then indicates that the working key for September 2, 2023 is to be obtained.

In a specific implementation, when the storage node needs to encrypt or decrypt data, it obtains the working key from the key management server and uses that working key to encrypt and decrypt the data.

In a specific implementation, the first timestamp can be compared with the current time to determine whether the first timestamp is a historical timestamp.

For example, in one embodiment the first timestamp carried in the working key acquisition request is September 1, 2023 and the current time is September 8, 2023; in this case the first timestamp carried in the working key acquisition request is determined to be a historical timestamp.

As another example, in another embodiment the first timestamp carried in the working key acquisition request is September 8, 2023 and the current time is September 8, 2023; in this case the first timestamp carried in the working key acquisition request is determined to be a timestamp of the current day, not a historical timestamp.

Note that in one possible implementation, when the working key acquisition request is received, the storage node can first be authenticated. Only after the storage node passes identity authentication is the step of determining whether the first timestamp carried in the working key acquisition request is a historical timestamp performed; if the storage node does not pass identity authentication, a failure message is returned to the storage node. For the specific implementation principles of identity authentication, refer to the description in the related art; they are not repeated here.

S102. If not, obtain the first working key of the current day, and encrypt the first working key with the protection key to obtain the ciphertext of the first working key.

Specifically, when the first timestamp carried in the working key acquisition request is not a historical timestamp, the request indicates that the working key of the current day is to be obtained, so in this step the first working key of the current day is obtained.

In a specific implementation, when obtaining the first working key of the current day, it can first be determined whether the first working key of the current day exists in memory; if so, the first working key is obtained directly from memory. If the first working key does not exist in memory, it is determined whether the first working key exists in the database used to store working keys; if so, the first working key is obtained from the database. If the first working key does not exist in the database either, the first working key is generated. For example, in one embodiment a random number generator can be used to generate the working key.

Specifically, the protection key is the key used to encrypt and decrypt the working key. In this step, the public key of the protection key can be used to encrypt the working key to obtain the ciphertext of the first working key.

S103. Encrypt the ciphertext of the first working key, the hash value of the first working key and the current timestamp with the communication key to obtain the first communication ciphertext.

Specifically, the communication key is a key different from the protection key; it is used to encrypt the ciphertext of the first working key, the hash value of the first working key and the current timestamp to obtain the first communication ciphertext. The communication key ensures the security of the working key in transit between the server and the storage node, and prevents the working key from being tampered with or carried away.

In a specific implementation, a preset hash algorithm can first be used to calculate the hash value of the first working key, and the communication key is then used to encrypt the ciphertext of the first working key, the hash value of the first working key and the current timestamp.

S104. Return the first communication ciphertext to the storage node, to instruct the storage node to obtain the first working key based on the first communication ciphertext and to use the first working key to encrypt and decrypt data.

In a specific implementation, after receiving the first communication ciphertext, the storage node can obtain the first working key based on the first communication ciphertext, and then use the first working key to encrypt and decrypt data.

Specifically, the storage node obtaining the working key based on the communication ciphertext and using the first working key to encrypt and decrypt data includes:

(1) The storage node uses the communication key to decrypt the communication ciphertext, obtaining the ciphertext of the working key, the hash value of the working key and the timestamp.

Specifically, the storage node stores the private key of the communication key, and uses that private key to decrypt the communication ciphertext, obtaining the ciphertext of the working key, the hash value of the working key and the timestamp. The communication key consists of a communication key public key and a communication key private key: the public key of the communication key is used to encrypt the ciphertext of the working key, the hash value of the working key and the current timestamp to obtain the communication ciphertext; the private key of the communication key is used to decrypt the communication ciphertext to obtain the ciphertext of the working key, the hash value of the working key and the timestamp.

(2) The storage node uses the protection key to decrypt the ciphertext of the working key, obtaining the working key.

Specifically, the storage node stores the private key of the protection key. After obtaining the ciphertext of the working key, the storage node can use the private key of the protection key to decrypt the ciphertext of the working key and obtain the working key. The protection key consists of the public key of the protection key and the private key of the protection key: the public key of the protection key encrypts the ciphertext of the working key, and the private key of the protection key decrypts the ciphertext of the working key.

(3) The storage node calculates the hash value of the working key.

In a specific implementation, the storage node can calculate the hash value of the first working key based on the preset hash algorithm. For example, in one embodiment the calculated hash value of the working key is a1.

(4) When the calculated hash value and the decrypted hash value are consistent, the storage node uses the working key to encrypt and decrypt data.

Specifically, when the calculated hash value and the decrypted hash value are consistent, the storage node considers that the working key has not been tampered with and is safe, and uses the working key to encrypt and decrypt data.

Continuing the example above, if the hash value obtained by the storage node through decryption is a1, which is consistent with the hash value calculated by the storage node, the storage node uses the working key to encrypt and decrypt data.

The data encryption and decryption method provided by this embodiment is applied to the key management server. When a working key acquisition request is received from a storage node, it is determined whether the first timestamp carried in the working key acquisition request is a historical timestamp, the working key acquisition request being used to request the working key for encrypting and decrypting data. When the first timestamp is not a historical timestamp, the first working key of the current day is obtained and encrypted with the protection key to obtain the ciphertext of the first working key. The ciphertext of the first working key, the hash value of the first working key and the current timestamp are then encrypted with the communication key to obtain the first communication ciphertext, which is returned to the storage node to instruct the storage node to obtain the first working key based on the first communication ciphertext and to use the first working key to encrypt and decrypt data. In this way, the working key is encrypted with both the protection key and the communication key, which implements a multi-level protection mechanism for the working key, ensures the security of the working key, and thereby ensures data security.
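The Embodiment 1 exchange (S101 to S104 on the key management server, steps (1) to (4) on the storage node) in Go; this is an added example, not code from the patent or its applicant. Assumptions not stated in the description: RSA-OAEP with SHA-256 for both key pairs, SHA-256 as the preset hash algorithm, a 2048-bit protection key and a 3072-bit communication key (so the 308-byte payload fits in one OAEP block, whose limit is 318 bytes), one map standing in for both the memory and database lookups, and all type and function names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

const dayFmt = "2006-01-02"

var errHistorical = errors.New("historical timestamp (Embodiment 2 path, not shown)")
var errRejected = errors.New("malformed response or working-key hash mismatch")

// KMS holds the public halves of both key pairs plus the daily working keys.
type KMS struct {
	protPub, commPub *rsa.PublicKey
	keys             map[string][]byte // day -> key; stands in for memory and database
}

// Node holds the private halves, as the description says the storage node does.
type Node struct{ protPriv, commPriv *rsa.PrivateKey }

// isHistorical is the S101 check: the requested day is before the current day.
func isHistorical(first, now time.Time) bool {
	return first.UTC().Format(dayFmt) < now.UTC().Format(dayFmt)
}

// workingKey returns the key for a day, generating it on first use (S102).
func (k *KMS) workingKey(day string) ([]byte, error) {
	if wk, ok := k.keys[day]; ok {
		return wk, nil
	}
	wk := make([]byte, 32)
	if _, err := rand.Read(wk); err != nil {
		return nil, err
	}
	k.keys[day] = wk
	return wk, nil
}

// seal wraps wk (S102), then encrypts wrapped key || hash || timestamp (S103).
func (k *KMS) seal(wk []byte, hash [32]byte, now time.Time) ([]byte, error) {
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, k.protPub, wk, nil)
	if err != nil {
		return nil, err
	}
	payload := append(append(wrapped, hash[:]...), now.UTC().Format(time.RFC3339)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, k.commPub, payload, nil)
}

// Handle runs S101 to S104 for a request carrying the timestamp first.
func (k *KMS) Handle(first, now time.Time) ([]byte, error) {
	if isHistorical(first, now) {
		return nil, errHistorical
	}
	wk, err := k.workingKey(now.UTC().Format(dayFmt))
	if err != nil {
		return nil, err
	}
	return k.seal(wk, sha256.Sum256(wk), now)
}

// Open runs node steps (1) to (4); the key is released only if the hashes match.
func (n *Node) Open(commCT []byte) ([]byte, error) {
	payload, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, n.commPriv, commCT, nil)
	wlen := n.protPriv.Size() // length of the wrapped working key
	if err != nil || len(payload) < wlen+sha256.Size {
		return nil, errRejected
	}
	wk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, n.protPriv, payload[:wlen], nil)
	if err != nil {
		return nil, errRejected
	}
	got := sha256.Sum256(wk)
	if subtle.ConstantTimeCompare(got[:], payload[wlen:wlen+sha256.Size]) != 1 {
		return nil, errRejected
	}
	return wk, nil
}

// newPair generates both key pairs; the key sizes are assumptions of this example.
func newPair() (*KMS, *Node) {
	prot, err1 := rsa.GenerateKey(rand.Reader, 2048)
	comm, err2 := rsa.GenerateKey(rand.Reader, 3072)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &KMS{&prot.PublicKey, &comm.PublicKey, map[string][]byte{}}, &Node{prot, comm}
}

func main() {
	kms, node := newPair()
	ct, _ := kms.Handle(time.Now(), time.Now()) // a failed Handle is rejected by Open
	wk, err := node.Open(ct)
	fmt.Printf("recovered %d-byte working key, err=%v\n", len(wk), err)
}
```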

Optionally, in a possible implementation of this application, after the ciphertext of the first working key is obtained, the method further includes:

Storing the correspondence among the ciphertext of the first working key, the hash value of the first working key and the current timestamp.

For example, if the first timestamp is current timestamp 1, the ciphertext of the first working key is ciphertext 1 and the hash value of the first working key is hash value 1, then in this step current timestamp 1, ciphertext 1 and hash value 1 are stored in the correspondence table as one set of correspondences. For example, Table 1 shows a correspondence among the locally stored ciphertext of the working key, the hash value of the working key and the current timestamp according to an exemplary embodiment of this application:

Table 1: Correspondence among the locally stored ciphertext of the working key, the hash value of the working key and the timestamp

With the method provided in this embodiment, after the ciphertext of the first working key is obtained, the correspondence among the ciphertext of the first working key, the hash value of the first working key and the current timestamp is stored, so that when this working key needs to be obtained later, it can be obtained based on that correspondence.

Figure 2 is a flowchart of Embodiment 2 of the data encryption and decryption method provided by this application. Referring to Figure 2, in the method provided in this embodiment, on the basis of the above embodiment, when the first timestamp carried in the working key acquisition request is a historical timestamp, the method further includes:

S201. From the stored correspondences among the ciphertext of the working key, the hash value of the working key and the timestamp, search for the target correspondence related to the first timestamp.

Specifically, when a storage node needs to decrypt previously encrypted data, it must obtain from the key management server the working key that was used when that data was encrypted. Continuing the example above, suppose the current date is September 8, 2023 and the storage node wants to decrypt data encrypted on September 6, 2023. It sends a working key acquisition request to the key management server; the timestamp carried in the request is September 6, 2023, indicating that the working key of September 6, 2023 is to be obtained.

Specifically, when the first timestamp carried in the working key acquisition request is a historical timestamp, the key management server can search the stored correspondences among the ciphertext of the working key, the hash value of the working key and the timestamp for the target correspondence related to the first timestamp.

It should be noted that the target correspondence related to the first timestamp is the correspondence whose timestamp is the first timestamp.

For example, in one embodiment the first timestamp is historical timestamp 2. With the example shown in Table 1, this step searches Table 1 for the correspondence related to historical timestamp 2. The target correspondence found is the second record in Table 1, namely: the ciphertext of the working key is ciphertext 2, the hash value of the working key is hash value 2, and the timestamp is historical timestamp 2.

S202. Use the communication key to encrypt the ciphertext of the historical working key, the hash value of the historical working key and the historical timestamp in the target correspondence to obtain a second communication ciphertext.

Continuing the example above, in this step the communication key is used to encrypt ciphertext 2, hash value 2 and historical timestamp 2 to obtain second communication ciphertext 2.

S203. Return the second communication ciphertext to the storage node to instruct the storage node to obtain the historical working key based on the second communication ciphertext and to use the historical working key for data decryption.

Specifically, as described earlier, the storage node stores the private key of the communication key and the private key of the protection key. It can use the private key of the communication key to decrypt the second communication ciphertext, obtaining the ciphertext of the historical working key, the hash value of the historical working key and the historical timestamp. Having obtained the ciphertext of the historical working key, it then uses the private key of the protection key to decode that ciphertext and obtain the historical working key.

In other words, the process in which the storage node obtains the historical working key based on the second communication ciphertext and uses the historical working key for data encryption and decryption may include:

(1) The storage node uses the communication key to decrypt the second communication ciphertext to obtain the ciphertext of the historical working key, the hash value of the historical working key and the historical timestamp.

(2) The storage node uses the protection key to decrypt the ciphertext of the historical working key to obtain the historical working key.

(3) The storage node calculates the hash value of the historical working key.

(4) When the calculated hash value matches the hash value obtained by decryption, the storage node uses the working key to encrypt and decrypt data.

Specifically, for the implementation of steps (1) to (4), refer to the description in the above embodiments; it is not repeated here.

Continuing the example above, in this step second communication ciphertext 2 is returned to the storage node. The storage node uses the communication key to decrypt second communication ciphertext 2, obtaining ciphertext 2 of the historical working key, hash value 2 of the historical working key and historical timestamp 2. It then uses the protection key to decrypt ciphertext 2 of the historical working key to obtain the historical working key, and calculates the hash value of that key. When the calculated hash value matches hash value 2 of the historical working key, the storage node uses the historical working key to encrypt and decrypt data.

In the data encryption and decryption method provided in this embodiment, when the first timestamp carried in the working key acquisition request is a historical timestamp, the target correspondence related to the first timestamp is looked up in the stored correspondences among the ciphertext of the working key, the hash value of the working key and the timestamp. The communication key is used to encrypt the ciphertext of the historical working key, the hash value of the historical working key and the timestamp in the target correspondence to obtain a second communication ciphertext, which is returned to the storage node to instruct the storage node to obtain the historical working key based on the second communication ciphertext and to use the historical working key for data encryption and decryption. In this way, the stored correspondences among the ciphertext of the working key, the hash value of the working key and the timestamp can be used to find the target correspondence related to the first timestamp, and the historical working key can be obtained based on that target correspondence, which ensures the security of data transmission.

Figure 3 is a flowchart of Embodiment 3 of the data encryption and decryption method provided by this application. Referring to Figure 3, on the basis of the above embodiments, the method provided in this embodiment further includes:

S301. Receive an initialization instruction from the administrator client, where the initialization instruction carries a master password and a protection key.

Specifically, for example, after the key management server restarts, the administrator triggers an initialization instruction through the administrator client, and the administrator client sends the initialization instruction to the key management server.

Specifically, the initialization instruction carries the master password and the protection key. The master password is used to encrypt the protection key, and the protection key is used to encrypt and decrypt the working key to protect its security.

S302. Encrypt the protection key using the master password to obtain the ciphertext of the protection key.

Specifically, for the implementation process and principle of encrypting the protection key with the master password, refer to the description in the related art; it is not repeated here.

For example, in one embodiment, the ciphertext of the protection key is ciphertext A.

S303. When the ciphertext of the protection key is consistent with the ciphertext of the protection key currently stored locally, save the ciphertext of the protection key.

For example, in one embodiment, the ciphertext of the protection key currently stored locally is ciphertext A, which is consistent with ciphertext A of the protection key. In this case, ciphertext A of the protection key is saved.

As another example, in another possible implementation, the ciphertext of the protection key currently stored locally is ciphertext B, which is inconsistent with ciphertext A of the protection key. In this case, an error message is output.

The data encryption and decryption method provided in this embodiment receives an initialization instruction from the administrator client, where the initialization instruction carries a master password and a protection key; encrypts the protection key using the master password to obtain the ciphertext of the protection key; and, when the ciphertext of the protection key is consistent with the ciphertext of the protection key currently stored locally, saves the ciphertext of the protection key. This gives the administrator the authority to initialize, encrypt and save the protection key, which ensures the security of data transmission.

Figure 4 is a flowchart of Embodiment 4 of the data encryption and decryption method provided by this application. Referring to Figure 4, the method provided in this embodiment is applied to a data encryption and decryption system that includes a key management server and multiple storage nodes. The method includes:

S401. On receiving a working key acquisition request from a first storage node among the multiple storage nodes, the key management server determines whether the first timestamp carried in the working key acquisition request is a historical timestamp, where the working key acquisition request is used to request a working key for encrypting and decrypting data.

S402. When the key management server determines that the first timestamp carried in the key acquisition request is the current day's timestamp, it obtains the first working key of the current day and encrypts the first working key with the protection key to obtain the ciphertext of the first working key.

S403. The key management server uses the communication key to encrypt the ciphertext of the first working key, the hash value of the first working key and the current timestamp to obtain the first communication ciphertext.

S404. The key management server returns the first communication ciphertext to the first storage node.

For the implementation principles of steps S401 to S404, refer to the description in Embodiment 1; they are not repeated here.

S405. The first storage node obtains the first working key based on the first communication ciphertext and uses the first working key for data encryption and decryption.

Specifically, the first storage node obtaining the first working key based on the first communication ciphertext and using the first working key for data encryption and decryption includes:

(1) The first storage node uses the communication key to decrypt the communication ciphertext to obtain the ciphertext of the working key, the hash value of the working key and the timestamp.

(2) The first storage node uses the protection key to decrypt the ciphertext of the working key to obtain the working key.

(3) The first storage node calculates the hash value of the working key.

(4) When the calculated hash value matches the hash value obtained by decryption, the first storage node uses the working key to encrypt and decrypt data.

For the implementation principles of steps (1) to (4), refer to the earlier description; they are not repeated here.

Further, the first storage node using the working key for data encryption includes:

Dividing the data by granularity and encrypting the data according to the resulting granularity.

For example, the data can be divided by row or by column and then encrypted row by row or column by column. This provides fine-grained protection of field contents, allows data to be encrypted on demand, and makes data use more flexible.

The data encryption and decryption method provided in this embodiment is applied to a data encryption and decryption system that includes a key management server and multiple storage nodes. On receiving a working key acquisition request from a first storage node among the multiple storage nodes, the key management server determines whether the first timestamp carried in the request is a historical timestamp, where the working key acquisition request is used to request a working key for encrypting and decrypting data. When the key management server determines that the first timestamp carried in the key acquisition request is the current day's timestamp, it obtains the first working key of the current day and encrypts it with the protection key to obtain the ciphertext of the first working key. The key management server then uses the communication key to encrypt the ciphertext of the first working key, the hash value of the first working key and the current timestamp to obtain the first communication ciphertext, and returns the first communication ciphertext to the first storage node. The first storage node obtains the first working key based on the first communication ciphertext and uses the first working key for data encryption and decryption. In this way, the multi-level protection mechanism for the working key ensures the security of the working key and thereby the security of the data.

Figure 5 is a flowchart of Embodiment 5 of the data encryption and decryption method provided by this application. Referring to Figure 5, in the method provided in this embodiment, on the basis of the above embodiment, when the key management server determines that the first timestamp carried in the working key acquisition request is a historical timestamp, the method further includes:

S501. The key management server searches the stored correspondences among the ciphertext of the working key, the hash value of the working key and the timestamp for the target correspondence related to the first timestamp.

S502. The key management server uses the communication key to encrypt the ciphertext of the historical working key, the hash value of the historical working key and the timestamp in the target correspondence to obtain the second communication ciphertext.

S503. The key management server returns the second communication ciphertext to the first storage node.

S504. The first storage node obtains the historical working key based on the second communication ciphertext and uses the historical working key for data encryption and decryption.

Specifically, the implementation of this step may include:

(1) The first storage node uses the communication key to decrypt the second communication ciphertext to obtain the ciphertext of the historical working key, the hash value of the historical working key and the historical timestamp.

(2) The first storage node uses the protection key to decrypt the ciphertext of the historical working key to obtain the historical working key.

(3) The first storage node calculates the hash value of the historical working key.

(4) When the calculated hash value matches the hash value obtained by decryption, the first storage node uses the historical working key to encrypt and decrypt data.

Specifically, for the implementation of steps (1) to (4), refer to the description in the above embodiments; it is not repeated here.

In the data encryption and decryption method provided in this embodiment, when the first timestamp carried in the working key acquisition request is a historical timestamp, the key management server looks up the target correspondence related to the first timestamp in the stored correspondences among the ciphertext of the working key, the hash value of the working key and the timestamp. It then uses the communication key to encrypt the ciphertext of the historical working key, the hash value of the historical working key and the timestamp in the target correspondence to obtain the second communication ciphertext, and returns the second communication ciphertext to the first storage node. The first storage node obtains the historical working key based on the second communication ciphertext and uses the historical working key for data encryption and decryption. In this way, the stored correspondences among the ciphertext of the working key, the hash value of the working key and the timestamp can be used to find the target correspondence related to the first timestamp, and the historical working key can be obtained based on that target correspondence, which ensures the security of data transmission.
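The exchange of Embodiments 4 and 5 (S401 to S405 and S501 to S504), including the storage node's hash check, as an added Python example that is not part of the patent text. It assumes shared symmetric keys in place of the key pairs the description mentions, SHA-256 as the hash, ISO dates as timestamps, and a standard-library HMAC-SHA256 keystream with encrypt-then-MAC standing in for the ciphers, none of which the patent specifies; all class, function and field names are hypothetical.

```python
import hashlib
import hmac
import json
import os

# Assumptions (not from the patent): symmetric 32-byte keys held by both sides,
# SHA-256 as the hash, ISO dates as timestamps, and the stand-in cipher below.

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key, plaintext):
    """Stand-in authenticated cipher: HMAC-SHA256 keystream, encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

class KeyManagementServer:
    def __init__(self, protection_key, communication_key):
        self.protection_key = protection_key
        self.communication_key = communication_key
        self.table = {}  # timestamp -> (working key ciphertext as hex, hash as hex)

    def handle_request(self, first_timestamp, today):
        if first_timestamp > today:  # case not covered by the patent; rejected here
            raise ValueError("timestamp is in the future")
        if first_timestamp == today and today not in self.table:
            # S402: obtain the day's working key, encrypt it with the protection
            # key, and store (ciphertext, hash, timestamp) as one correspondence.
            working_key = os.urandom(32)
            self.table[today] = (seal(self.protection_key, working_key).hex(),
                                 hashlib.sha256(working_key).hexdigest())
        if first_timestamp not in self.table:  # S501: lookup by timestamp
            raise KeyError("no working key stored for " + first_timestamp)
        wrapped_hex, digest = self.table[first_timestamp]
        message = json.dumps({"wrapped_key": wrapped_hex, "hash": digest,
                              "timestamp": first_timestamp}).encode()
        # S403 / S502: encrypt the three fields with the communication key.
        return seal(self.communication_key, message)

class StorageNode:
    def __init__(self, protection_key, communication_key):
        self.protection_key = protection_key
        self.communication_key = communication_key

    def recover_working_key(self, communication_ciphertext):
        # Steps (1) to (4): decrypt the message, unwrap the key, recompute and
        # compare the hash before the key is used for anything.
        fields = json.loads(unseal(self.communication_key, communication_ciphertext))
        working_key = unseal(self.protection_key, bytes.fromhex(fields["wrapped_key"]))
        computed = hashlib.sha256(working_key).hexdigest()
        if not hmac.compare_digest(computed, fields["hash"]):
            raise ValueError("working key hash mismatch")
        return working_key, fields["timestamp"]

def demo():
    protection_key, communication_key = os.urandom(32), os.urandom(32)
    kms = KeyManagementServer(protection_key, communication_key)
    node = StorageNode(protection_key, communication_key)
    # 6 September: current-day request, then encrypt one (constructed) record.
    key_0906, _ = node.recover_working_key(kms.handle_request("2023-09-06", today="2023-09-06"))
    record = seal(key_0906, b"row 17: account=alice")
    # 8 September: a new current-day key, then a historical request for 6 September.
    key_0908, _ = node.recover_working_key(kms.handle_request("2023-09-08", today="2023-09-08"))
    old_key, ts = node.recover_working_key(kms.handle_request("2023-09-06", today="2023-09-08"))
    return {"plaintext": unseal(old_key, record), "historical_timestamp": ts,
            "keys_differ": key_0906 != key_0908,
            "historical_key_matches": old_key == key_0906}

if __name__ == "__main__":
    print(demo())
```

In this sketch the message authentication tag already rejects a modified communication ciphertext, so the hash comparison in step (4) matters mainly when the stored correspondence itself is wrong or corrupted.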

Corresponding to the foregoing embodiments of the data encryption and decryption method, this application also provides an embodiment of a data encryption and decryption system. Figure 6 is a schematic diagram of the data encryption system provided by this application. Referring to Figure 6, the system provided in this embodiment includes a key management server and multiple storage nodes, wherein:

The key management server is configured to, on receiving a working key acquisition request from a first storage node among the multiple storage nodes, determine whether the first timestamp carried in the working key acquisition request is a historical timestamp, where the working key acquisition request is used to request a working key for encrypting and decrypting data;

The key management server is further configured to use the communication key to encrypt the ciphertext of the first working key, the hash value of the first working key and the current timestamp to obtain the first communication ciphertext, and to return the first communication ciphertext to the first storage node;

The multiple storage nodes are configured to obtain the first working key based on the first communication ciphertext and to use the first working key for data encryption and decryption.

Optionally, the key management server is further configured to, after obtaining the ciphertext of the first working key, store the correspondence among the ciphertext of the first working key, the hash value of the first working key and the current timestamp.

Optionally, the key management server is further configured to, when it determines that the first timestamp carried in the working key acquisition request is a historical timestamp, search the stored correspondences among the ciphertext of the working key, the hash value of the working key and the timestamp for the target correspondence related to the first timestamp;

The key management server is further configured to use the communication key to encrypt the ciphertext of the historical working key, the hash value of the historical working key and the timestamp in the target correspondence to obtain the second communication ciphertext;

The key management server is further configured to return the second communication ciphertext to the first storage node;

The first storage node is further configured to obtain the historical working key based on the second communication ciphertext and to use the historical working key for data encryption and decryption.

Optionally, the first storage node is further configured to use the communication key to decrypt the communication ciphertext to obtain the ciphertext of the working key, the hash value of the working key and the timestamp;

The first storage node is further configured to use the protection key to decrypt the ciphertext of the working key to obtain the working key;

The first storage node is further configured to calculate the hash value of the working key and, when the calculated hash value matches the hash value obtained by decryption, to use the working key to encrypt and decrypt data.

For the implementation of the functions and roles of each unit in the above system, see the implementation of the corresponding steps in the above method; it is not repeated here.

The above are only preferred embodiments of this application and are not intended to limit it. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of this application shall fall within the scope of protection of this application.

Claims (10)

1. A data encryption and decryption method, characterized in that the method is applied to a key management server and comprises the following steps:
when a working key acquisition request from a storage node is received, judging whether a first timestamp carried by the working key acquisition request is a historical timestamp; the working key acquisition request is used for requesting a working key for encrypting and decrypting data;
if not, acquiring a first working key of the current day, and encrypting the first working key by using a protection key to obtain a ciphertext of the first working key;
encrypting the ciphertext of the first working key, the hash value of the first working key and the current timestamp by using a communication key to obtain a first communication ciphertext;
and returning the first communication ciphertext to the storage node to instruct the storage node to acquire the first working key based on the first communication ciphertext and to encrypt and decrypt data by using the first working key.
2. The method of claim 1, wherein after obtaining the ciphertext of the first working key, the method further comprises:
storing the correspondence among the ciphertext of the first working key, the hash value of the first working key and the current timestamp.
3. The method of claim 2, wherein when the first timestamp carried by the working key acquisition request is a historical timestamp, the method further comprises:
searching for a target correspondence related to the first timestamp among the stored correspondences among the ciphertext of the working key, the hash value of the working key and the timestamp;
encrypting the ciphertext of the historical working key, the hash value of the historical working key and the historical timestamp in the target correspondence by using the communication key to obtain a second communication ciphertext;
and returning the second communication ciphertext to the storage node to instruct the storage node to acquire the historical working key based on the second communication ciphertext and to decrypt data by using the historical working key.
4. The method according to claim 1, wherein the method further comprises:
receiving an initialization instruction from an administrator client; the initialization instruction carries a master password and a protection key;
encrypting the protection key by using the master password to obtain a ciphertext of the protection key;
and when the ciphertext of the protection key is consistent with the ciphertext of the protection key currently stored locally, storing the ciphertext of the protection key.
5. The data encryption and decryption method is characterized in that the method is applied to a data encryption and decryption system, and the system comprises a key management server and a plurality of storage nodes; the method comprises the following steps:
when receiving a working key acquisition request from a first storage node in the plurality of storage nodes, the key management server judges whether a first timestamp carried by the working key acquisition request is a historical timestamp; the working key acquisition request is used for requesting to acquire a working key for encrypting and decrypting the data;
when judging that the first timestamp carried by the key acquisition request is the time stamp of the day, the key management server acquires a first working key of the day, and encrypts the first working key by using a protection key to obtain a ciphertext of the first working key;
the key management server encrypts the ciphertext of the first working key, the hash value of the first working key and the current timestamp by using a communication key to obtain a first communication ciphertext;
the key management server returns the first communication ciphertext to the first storage node;
and the first storage node acquires the first working key based on the first communication ciphertext, and encrypts and decrypts data by using the first working key.
6. The method of claim 5, wherein after the key management server obtains the ciphertext of the first working key, the method further comprises:
the key management server stores a correspondence relationship among the ciphertext of the first working key, the hash value of the first working key, and the current timestamp.
7. The method of claim 6, wherein, when the key management server determines that the first timestamp carried by the working key acquisition request is a historical timestamp, the method further comprises:
the key management server searches a target corresponding relation related to the first timestamp from the corresponding relation among the stored ciphertext of the working key, the hash value of the working key and the timestamp;
the key management server encrypts the ciphertext of the historical working key, the hash value of the historical working key and the timestamp in the target corresponding relation by using the communication key to obtain a second communication ciphertext;
the key management server returns the second communication ciphertext to the first storage node;
and the first storage node acquires the historical working key based on the second communication ciphertext and encrypts and decrypts data by utilizing the historical working key.
8. The method of claim 5, wherein the first storage node obtains a working key based on a communication ciphertext and encrypts and decrypts data using the working key, comprising:
the first storage node decrypts the communication ciphertext by using the communication key to obtain the ciphertext of the working key, the hash value of the working key and the timestamp;
the first storage node decrypts the ciphertext of the working key by using the protection key to obtain the working key;
the first storage node calculates a hash value of the working key;
and when the calculated hash value and the hash value obtained by decryption are consistent, the first storage node encrypts and decrypts the data by using the working key.
9. The method of claim 5, wherein the first storage node encrypting data using the working key comprises:
and carrying out granularity division on the data, and encrypting the data according to the granularity after division.
10. A data encryption and decryption system, wherein the system comprises a key management server and a plurality of storage nodes;
the key management server is used for judging whether a first timestamp carried by a working key acquisition request is a historical timestamp or not when the working key acquisition request from a first storage node in the plurality of storage nodes is received; the working key acquisition request is used for requesting to acquire a working key for encrypting and decrypting the data;
the key management server is further configured to, when determining that the first timestamp carried by the working key acquisition request is the timestamp of the current day, acquire a first working key of the current day, and encrypt the first working key with a protection key to obtain a ciphertext of the first working key;
the key management server is further configured to encrypt, with a communication key, a ciphertext of the first working key, a hash value of the first working key, and a current timestamp, to obtain a first communication ciphertext, and return the first communication ciphertext to the first storage node;
the first storage node is configured to obtain the first working key based on the first communication ciphertext, and perform data encryption and decryption by using the first working key.
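The exchange in claims 5 to 8, sketched as an added example that is not part of the patent text: the key management server wraps the working key and encrypts the stored record for transport, and the storage node peels both layers and checks the hash before using the key. AES-256-GCM, SHA-256, the byte layouts, the 8-character day string and all function names are assumptions; the claims name no algorithm or format.

```javascript
const crypto = require('crypto');

// AES-256-GCM is an assumption: the claims do not name a cipher.
// Assumed sealed layout: 12-byte nonce | 16-byte tag | ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function open(key, sealed) {
  if (sealed.length < 28) throw new Error('ciphertext too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAuthTag(sealed.subarray(12, 28));
  // final() throws if the key is wrong or any byte was modified.
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Claims 5-6, KMS side: wrap the working key and keep (ciphertext, hash, day).
function kmsStore(protectionKey, workingKey, day) {
  if (!/^\d{8}$/.test(day)) throw new Error('day must be YYYYMMDD');
  return { wrapped: seal(protectionKey, workingKey), hash: sha256(workingKey), day };
}

// Claims 5 and 7, KMS side: encrypt a stored record under the communication key.
// Assumed payload layout: 8-byte day "YYYYMMDD" | 32-byte hash | wrapped key.
function kmsRespond(communicationKey, record) {
  const payload = Buffer.concat([Buffer.from(record.day), record.hash, record.wrapped]);
  return seal(communicationKey, payload);
}

// Claim 8, storage-node side: peel both layers, then compare the hashes.
function nodeRecover(communicationKey, protectionKey, response) {
  const payload = open(communicationKey, response);
  if (payload.length < 40) throw new Error('payload too short');
  const day = payload.subarray(0, 8).toString();
  const workingKey = open(protectionKey, payload.subarray(40));
  if (!crypto.timingSafeEqual(sha256(workingKey), payload.subarray(8, 40))) {
    throw new Error('working-key hash mismatch');
  }
  return { workingKey, day };
}

// Constructed demo keys (random, for illustration only).
const [commKey, protKey, wk] = [0, 0, 0].map(() => crypto.randomBytes(32));
const res = nodeRecover(commKey, protKey, kmsRespond(commKey, kmsStore(protKey, wk, '20231020')));
console.log(res.day, res.workingKey.equals(wk));
```

With an authenticated cipher, modified ciphertext is already rejected at decryption; the hash comparison of claim 8 additionally rejects a record whose stored hash and wrapped key do not belong together.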
CN202311364258.5A 2023-10-20 2023-10-20 A data encryption and decryption method and system Pending CN117336077A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311364258.5A CN117336077A (en) 2023-10-20 2023-10-20 A data encryption and decryption method and system

Publications (1)

Publication Number Publication Date
CN117336077A true CN117336077A (en) 2024-01-02

Family

ID=89282799

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311364258.5A Pending CN117336077A (en) 2023-10-20 2023-10-20 A data encryption and decryption method and system

Country Status (1)

Country Link
CN (1) CN117336077A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118631552A (en) * 2024-06-25 2024-09-10 重庆扬唐科技有限公司 A computer network security protection method
CN118631552B (en) * 2024-06-25 2025-02-07 重庆扬唐科技有限公司 A computer network security protection method

Similar Documents

Publication Publication Date Title
US12243057B2 (en) Offline storage system and method of use
US8892866B2 (en) Secure cloud storage and synchronization systems and methods
US10439804B2 (en) Data encrypting system with encryption service module and supporting infrastructure for transparently providing encryption services to encryption service consumer processes across encryption service state changes
US8239679B2 (en) Authentication method, client, server and system
CN107347058B (en) Data encryption method, data decryption method, device and system
CN113691502B (en) Communication method, device, gateway server, client and storage medium
US11240008B2 (en) Key management method, security chip, service server and information system
CN104995632B (en) Privacy Preserving Database System
US9122882B2 (en) Method and apparatus of securely processing data for file backup, de-duplication, and restoration
US20170244687A1 (en) Techniques for confidential delivery of random data over a network
EP3598714A1 (en) Method, device, and system for encrypting secret key
CN110781140B (en) Method, device, computer equipment and storage medium for signing data in blockchain
CN111917711B (en) Data access method and device, computer equipment and storage medium
CN111104691A (en) Sensitive information processing method and device, storage medium and equipment
CN114417073B (en) Neighbor node query method and device of encryption graph and electronic equipment
US10447475B1 (en) System and method for managing backup of cryptographic keys
CN116232639B (en) Data transmission method, device, computer equipment and storage medium
CN112995784A (en) Video data slice encryption method, device and system
US20200304291A1 (en) Information management system and method for the same
EP4012689A1 (en) Key management system providing secure management of cryptographic keys, and methods of operating the same
CN112528309A (en) Data storage encryption and decryption method and device
US12381730B2 (en) Dynamic and verifiable searchable encryption method and system based on updatable encryption and blockchain
CN117336077A (en) A data encryption and decryption method and system
CN114942729A (en) Data safety storage and reading method for computer system
US10050943B2 (en) Widely distributed parameterization

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination