CN109302400A - A kind of cryptographic asset deriving method for O&M auditing system - Google Patents
A kind of cryptographic asset deriving method for O&M auditing system Download PDFInfo
- Publication number
- CN109302400A CN109302400A CN201811210286.0A CN201811210286A CN109302400A CN 109302400 A CN109302400 A CN 109302400A CN 201811210286 A CN201811210286 A CN 201811210286A CN 109302400 A CN109302400 A CN 109302400A
- Authority
- CN
- China
- Prior art keywords
- file
- password
- user
- ciphertext
- auditing system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 29
- 230000002441 reversible effect Effects 0.000 claims abstract description 10
- 230000004048 modification Effects 0.000 claims abstract description 9
- 238000012986 modification Methods 0.000 claims abstract description 9
- 230000011218 segmentation Effects 0.000 claims abstract description 6
- 238000011084 recovery Methods 0.000 claims description 26
- 230000008676 import Effects 0.000 claims description 24
- 238000005192 partition Methods 0.000 claims description 3
- 230000007246 mechanism Effects 0.000 abstract description 7
- 238000007726 management method Methods 0.000 description 18
- 230000008569 process Effects 0.000 description 11
- 230000005484 gravity Effects 0.000 description 4
- 238000012423 maintenance Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 230000000977 initiatory effect Effects 0.000 description 3
- 238000007689 inspection Methods 0.000 description 2
- 238000012550 audit Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 229910002056 binary alloy Inorganic materials 0.000 description 1
- 239000012141 concentrate Substances 0.000 description 1
- 238000005194 fractionation Methods 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a kind of cryptographic asset deriving methods for O&M auditing system, password sharing module matches the information of sub- ciphertext and clear portion after segmentation, incoming document analysis module is recorded as one, document analysis module is packaged data, exports as n parts of different password exports;Cryptographic Hash is taken to the file attachment user name of generation, the key pair generated for each user is digitally signed;According to preset rights division, file is distributed for each user, and the file of user is subjected to reversible file encryption with the modification logging of the user;File is transferred on subscriber's main station using encryption channel.The present invention realizes the safeguard protection to export.The present invention is distributed management to export, realizes rights division derived from assets information.By data signature mechanism, traceable source and anti-tamper is realized.Safety when hedge-type assets information back-up, and it has been reasonably resistant to attacker that may be present in Intranet.
Description
Technical field
The invention belongs to the technical fields of information security, and in particular to a kind of cryptographic asset for O&M auditing system is led
Method out.
Background technique
Secret sharing techniques are an important research contents of cryptography and information security, are widely used in key management
And field of digital signature, he was based respectively on Lagrance interpolation polynomial and arrow in 1979 by Shaimir and Blackly earliest
Amount method proposes.Its basic thought, which is distributor, divide secret s by secret polynomial and holds for n shadow secret and being distributed to
Person, wherein being arbitrarily no less than any information of t shadow secret.His appearance solves the basic problem of key safety message,
Not only secret safety, integrality can guarantee, but can prevent secret excessively concentrate and bring risk (Rong Huigui, Mo Jinxia, often
Bright state is waited to be distributed based on the key of Shamir privacy sharing and communicates journal, 2015 (3): 60-69 with recovery algorithms [J]).?
It usually needs that password is exported and imported in O&M auditing system, however safety is it in weight during password is derived
Weight is the key that system safety place, while the division of responsibiltiy management of password is most important, is the key that prevent internal stolen ring
Section.
Summary of the invention
The purpose of the present invention is to provide a kind of cryptographic asset deriving methods for O&M auditing system, solve export
In the process the problem of cryptographic asset safety, the present invention realizes the safeguard protection to export.
The present invention is distributed management to export, realizes rights division derived from assets information.Recognized by identity
Confirm that current family is credible.By data signature mechanism, traceable source and anti-tamper is realized.It can be with introgressive line to export
The function that assets information restores is realized in system.Safety when hedge-type assets information back-up, and being reasonably resistant in Intranet may
Existing attacker facilitates management by the clear operation maintenance personnel responsibility of rights division.
The present invention is achieved through the following technical solutions: a kind of cryptographic asset export side for O&M auditing system
Method mainly comprises the steps that
Step S102: password sharing module matches the information of sub- ciphertext and clear portion after segmentation according to assets,
Incoming document analysis module is recorded as one, document analysis module is packaged data, exports and lead for n parts of different passwords
File out;
Step S103: taking cryptographic Hash to the file attachment user name of generation, and the key pair generated for each user counts
Word signature;According to preset rights division, file, and the logging in the user by the file of user are distributed for each user
Password carries out reversible file encryption;File is transferred on subscriber's main station using encryption channel.
In order to preferably realize the present invention, further, guaranteed first by authentication system in the step S103
The legal identity of department manager and Password Manager;It is that the user of each administrator password uses inside O&M auditing system
Public key encryption system generates a pair of of public, private key key pair, internal system is stored in, for being digitally signed to export.
In order to preferably realize the present invention, further, Password Management is used to the file of generation in the step S103
The password that person logs in O&M auditing system carries out reversible file encryption;Password Management person is sent the file to using sftp agreement
On the machine backed up, man-in-the-middle attack is avoided using encryption channel.
In order to preferably realize the present invention, further, further include the steps that password imports:
Step S201: the file held is uploaded in O&M auditing system by encryption channel;User is used to file
The password for logging in O&M auditing system is decrypted, and obtains file and digital signature;Digital signature is verified, if wrong
It misses, then end operation, and is recorded, fed back into O&M auditing system;
Step S202: after the file of user is carried out file decryption using the modification logging of the user, document analysis module
Record in file is read as into data one by one, the sub- cipher text part that assets are corresponded in the file of importing is read, it is common to transmit
Give ciphertext recovery module;Ciphertext recovery module gets sub- ciphertext, by shamir privacy sharing algorithm, calculates and restores to have obtained
Whole original cipher text, and the ciphertext is passed into database parsing module;
Step S203: database parsing module remembers the corresponding database that is combined into of the plain text transmit information and ciphertext of assets
Record, and be written in the asset database of O&M auditing system, cryptographic asset is completed to import recovery process.
Further include step S101 further to preferably realize the present invention: database parsing module reads assets letter
The record in database is ceased, non-sensitive information is read out with former data format, and reads the assets of corresponding encryption storage
The ciphertext of password, and ciphertext is transferred in ciphertext partition module, using Shamir privacy sharing algorithm, ciphertext is divided to obtain
N one's share of expenses for a joint undertaking ciphertext.
In order to preferably realize the present invention, further, the non-sensitive information include asset name, assets IP address,
The information of the stored in clear of remark information;The format of password export in the step S102 can be txt plain text text
Part or excel form document or data-base recording.
In order to preferably realize the present invention, further, user includes department manager and several in the step S103
Total file of total file or all Password Managers of a Password Manager, department manager and a Password Manager
It can complete password and import recovery.
In order to preferably realize the present invention, further, the password export n is 5, and department manager is 1, close
Code administrator is 3;Department manager holds 2 one's share of expenses for a joint undertaking passwords, and Password Manager respectively holds 1 one's share of expenses for a joint undertaking password;It is needed when importing password
Want 3 one's share of expenses for a joint undertaking passwords.
Rights division is provided that
1. password export function is designed into the role in O&M auditing system are as follows: system manager, department manager and Mi
Code administrator.System manager is the administrator of O&M auditing system, the highest permission with O&M auditing system.Division management
Member is responsible for the O&M auditor of administrative section assets to divide administrator.Password Manager is responsible for management service O&M audit system
Cryptographic asset in system.
2. the rights division of password export function is to be set by system manager, but the role not responsible password is led
Enter export and the preservation of cryptogam.Department manager will hold the biggish export password of specific gravity, and Password Manager respectively holds
The password of identical specific gravity.Department manager needs to complete password with unification position Password Manager to import the process restored;It is all close
Code administrator cooperates the process that password imports recovery that could complete jointly.
3. in default configuration, a department has 1 department manager, 3 Password Managers.Share 5 one's share of expenses for a joint undertaking passwords, portion
Door administrator holds 2 one's share of expenses for a joint undertaking passwords, and Password Manager holds 1 one's share of expenses for a joint undertaking password respectively.When importing password, 3 one's share of expenses for a joint undertaking passwords are needed, it can
With with department manager 1 Password Manager complete this and operate;Or this is completed jointly by 3 Password Managers and is operated.
4. the support of password splitting scheme is customized, can be configured on the page by system manager, and be stored in fortune
It ties up inside auditing system, is encrypted using open Shamir privacy sharing algorithm, divide sub- password.
5. can click button by department manager manually initiates password export, or according to configuration according to week certain time
Phase is derived automatically from backup cryptographic asset.
Cryptographic asset export process is as follows:
Step 1: database parsing module reads the money being stored in O&M auditing system after initiating password export operation
The record in information database is produced, by non-sensitive information such as asset name, assets IP address, the letter of the stored in clear such as remark information
Breath reads the cryptographic asset ciphertext of corresponding encryption storage with the reading of former data format, and ciphertext is transferred to ciphertext and splits mould
In block.
Step 2: ciphertext, which splits module, uses Shamir privacy sharing algorithm, it is right according to the parameter that system manager sets
Ciphertext is split, and generates n one's share of expenses for a joint undertaking ciphertext.Default generates 5 one's share of expenses for a joint undertaking ciphertexts.
Step 3: password sharing module matches the information of sub- ciphertext and clear portion after segmentation according to assets, make
Incoming document analysis module is recorded for one, document analysis module is packaged data, exports as n parts of different password export
File, for example common txt text-only file of file format, excel form document, data-base recording etc..
Step 4: the file attachment user name to generation takes cryptographic Hash, it the use of O&M designing system is each user generation
Key pair be digitally signed.
Step 5: distributing file according to preset rights division for each user, and the file of the user is used should
The modification logging of user carries out reversible file encryption.
Step 6: file is transferred on subscriber's main station using encryption channel.
After initiating password importing recovery operation, need to find system manager and 1 Password Manager, or whole passwords
Administrator uploads to the file that they respectively hold in O&M auditing system by encryption channel.File is stepped on using user
The password of land transportation dimension auditing system is decrypted, and obtains file and digital signature.Digital signature is verified, if mistake,
It is then not available for operating in next step, and is recorded, fed back into O&M auditing system.The file of user is used the user's
After modification logging carries out file decryption, the record in file is read as data by document analysis module one by one, by the file of importing
The sub- cipher text part of middle corresponding assets is read, and is collectively delivered to ciphertext recovery module.Ciphertext recovery module gets sub- ciphertext, passes through
Shamir privacy sharing algorithm calculates and restores to obtain complete original cipher text, and the ciphertext is passed to database parsing mould
Block.Plain text transmit information and the ciphertext correspondence of assets are combined into data-base recording by database parsing module, and are written to O&M
In the asset database of auditing system, so far cryptographic asset is completed to import recovery process.
As shown in figure 4, key is shared, specific step is as follows with recovery module:
Step 1: being set by the user the number n of file when password exports.Setting imports the minimum text needed when cryptographic asset
Part number k.The optionally file number that setting different rights user holds, n user of default respectively hold a different file,
It can be voluntarily allocated according to authority configuration demand the case where (but hold there can be no single user >=k parts of files).Hold part
The more file of number, has higher permission when restoring cryptographic asset, can provide more sub- ciphertexts, it is also desirable to undertake bigger
Responsibility.
Step 2: ciphertext is read and is converted into binary system since shamir privacy sharing algorithm requirements secret is integer
Encode S.
Step 3: initiation parameter.It sets ciphertext and distributes number n, threshold value k.It at random (for convenience can be under from p
Q in one step takes identical value) n different nonzero element x of rank finite field gf (p) middle selection1,x2,…,xn, with n sub- ciphertexts
Holder Ur={ U1, U2, UnCorrespond, and in storage inside corresponding relationship.
Step 4: ciphertext distribution phase.O&M auditing system takes Big prime q, and the theoretical maximum for meeting q > n and q >=S takes
Value.(k-1) a element a is arbitrarily selected in GF (p)i(i=1,2 ..., k-1) constitutes (k-1) rank multinomial:
Original cipher text S=f (0)=a0.For all ciphertext holder Ur∈ U generates n sub- ciphertexts:
And by SrCorresponding UrDocument analysis module is transferred to as sub- ciphertext and generates n parts of assets secret exports.And according to
Before can arrangement, according to the number that user should hold, random distribution of document defaults each user and holds text document.
Step 5: ciphertext Restoration stage.When user, which needs to import cryptographic asset file, to restore, finds and hold file
Number summation reaches k parts of several users, and file is uploaded in O&M auditing system.O&M auditing system reads sub- ciphertext,
And use Lagrange's interpolation formula:
Recover ciphertext S.
The principle of the invention is to set administrator by the customized rights division of user and be classified permission, divide encryption data.It will
Cryptographic asset exports as file, carries out encryption storage, is backed up;Guarantee that file is not tampered by digital signature simultaneously.It is more
The upper transmitting file of a administrator restores cryptographic asset after verifying, imports and restores assets information.The present invention solves to examine in O&M
Export backup is carried out to cryptographic asset in meter systems, and backup file is imported into asking for O&M auditing system reduction cryptographic asset
Topic, and cipher safety and rights division are solved the problems, such as in export process.
The record of export password is recorded by system log and imports the record of password.The row of each user is traced by record
For history, achieve the purpose that trace to the source.The file and administrator of digital signature authentication mistake are recorded, can be carried out further
Inspection of calling to account.System manager is responsible for configuration setting, but according to the requirement of rights division, does not have direct administrator password and import
Derived permission.Department manager has the sub- password of more specific gravity, also mutually in requisition for undertaking bigger responsibility.
Beneficial effects of the present invention:
(1) cryptographic Hash is taken to the file attachment user name of generation, the key pair generated for each user is digitally signed;
According to preset rights division, distribute file for each user, and by the file of user with the modification logging of the user into
The reversible file encryption of row;File is transferred on subscriber's main station using encryption channel.The present invention is solved in export process and is solved
Certainly the problem of cipher safety, the present invention guarantees that file is not tampered by digital signature, and the present invention is realized to export
Safeguard protection, have preferable practicability.
(2) guarantee that department manager and Password Manager's is legal by authentication system first in the step S103
Identity;It is that the user of each administrator password generates a pair of of public, private key using public key encryption system inside O&M auditing system
Key pair is stored in internal system, for being digitally signed to export.The present invention be first identity-based system
Line verifying, followed by the protection to export offline secure have preferable to realize the safeguard protection to export
Practicability.
(3) file of generation is carried out using the password that Password Management person logs in O&M auditing system in the step S103
Reversible file encryption;It is sent the file to using sftp agreement on the machine that Password Management person is backed up, is believed using encryption
Road avoids man-in-the-middle attack.File encryption guarantees only have this talent of administrator that can interpret to file, after file export
Safety be effectively protected.The potential attack that may be present in intranet environment is avoided using encryption channel, protects file
Leakage will not be trapped.
(4) present invention is distributed management to export, realizes rights division derived from assets information.Pass through identity
Certification realizes that user is credible.By data signature mechanism, traceable source and anti-tamper is realized.Export can be imported
The function that assets information restores is realized in system.Safety when hedge-type assets information back-up, and being reasonably resistant to can in Intranet
Attacker existing for energy facilitates management by the clear operation maintenance personnel responsibility of rights division.
(5) present invention guarantees that sole user will not hold complete cryptographic asset information by the segmentation to cryptographic asset,
It realizes rights division and trackability, easily carries out cryptographic asset management.Using general file format, provide preferable
It is portable and readable, convenient for the maintenance and recovery to assets information.
Detailed description of the invention
Fig. 1 is the functional block diagram of rights division;
Fig. 2 is the flow chart of password export and importing process;
Fig. 3 is safeguard protection functional block diagram derived from password;
Fig. 4 is the shared functional block diagram with recovery module of key.
Specific embodiment
Embodiment 1:
A kind of cryptographic asset deriving method for O&M auditing system, mainly comprises the steps that
Step S102: password sharing module matches the information of sub- ciphertext and clear portion after segmentation according to assets,
Incoming document analysis module is recorded as one, document analysis module is packaged data, exports and lead for n parts of different passwords
File out;
Step S103: taking cryptographic Hash to the file attachment user name of generation, and the key pair generated for each user counts
Word signature;According to preset rights division, file, and the logging in the user by the file of user are distributed for each user
Password carries out reversible file encryption;File is transferred on subscriber's main station using encryption channel.
Such as the export process in Fig. 2, assets information is read from asset information database, is then introduced into database parsing mould
Block obtains the cryptographic asset ciphertext of clear portion information and encryption storage;Cryptographic asset ciphertext imports ciphertext and splits module, according to
Configuration splits into n parts of ciphertexts;Then clear portion information and ciphertext are merged by document analysis module, then setting number label
Name, file encryption export n parts of files finally by encryption channel.
The present invention solves the problems, such as that solution cipher safety, the present invention guarantee file by digital signature in export process
It is not tampered, the present invention realizes the safeguard protection to export, has preferable practicability.The present invention to export into
Row distribution management, realizes rights division derived from assets information.By data signature mechanism, realizes traceable source and prevent
It distorts.It can be with the function of realization assets information recovery in import system to export.Safety when hedge-type assets information back-up,
And it has been reasonably resistant to attacker that may be present in Intranet, by the clear operation maintenance personnel responsibility of rights division, facilitate management.
Embodiment 2:
The present embodiment is to optimize on the basis of embodiment 1, as shown in figure 3, passing through first in the step S103
The legal identity of authentication system guarantee department manager and Password Manager;It is each pipe inside O&M auditing system
The user for managing password generates a pair of of public, private key key pair using public key encryption system, internal system is stored in, for export
File is digitally signed.The close of O&M auditing system is logged in using Password Management person to the file of generation in the step S103
Code carries out reversible file encryption;It is sent the file on the machine that Password Management person is backed up, is used using sftp agreement
Encryption channel avoids man-in-the-middle attack.
By multiple authentication system, guarantee using user derived from cryptographic asset to be legitimate user.It realizes more
Stringent authentication has preferable authentication mechanism, guarantees security of system.The present invention is distributed pipe to export
Reason, realizes rights division derived from assets information.Realize that user is credible by authentication.It is real by data signature mechanism
Traceable source and anti-tamper is showed.It can be with the function of realization assets information recovery in import system to export.Ensure money
Safety when information back-up is produced, and has been reasonably resistant to attacker that may be present in Intranet, passes through the clear O&M of rights division
Personnel's responsibility facilitates management.
The other parts of the present embodiment are same as Example 1, and so it will not be repeated.
Embodiment 3:
The present embodiment is optimized on the basis of embodiment 1 or 2, as shown in Figure 1, user wraps in the step S103
Include department manager and several Password Managers, total file or all close of department manager and Password Manager
Total file of code administrator can complete password and import recovery.The password export n is 5, and department manager is 1,
Password Manager is 3;Department manager holds 2 one's share of expenses for a joint undertaking passwords, and Password Manager respectively holds 1 one's share of expenses for a joint undertaking password;When importing password
Need 3 one's share of expenses for a joint undertaking passwords.
As shown in Figure 1, system manager sets rights division, default setting is that each department has a department manager
With 3 Password Managers, department manager holds 2 one's share of expenses for a joint undertaking passwords, and Password Manager respectively holds 1 one's share of expenses for a joint undertaking password;Then system pipes
Reason person logs in administration page, specific office administrator, setting code splitting scheme;The storage of password splitting scheme is audited to O&M is
System is internal;Password export backup is carried out according to configuration is automatic, carries out password export manually;Finally according to scheme to cryptographic asset into
Row distribution processor.
The record of export password is recorded by system log and imports the record of password.The row of each user is traced by record
For history, achieve the purpose that trace to the source.The file and administrator of digital signature authentication mistake are recorded, can be carried out further
Inspection of calling to account.System manager is responsible for configuration setting, but according to the requirement of rights division, does not have direct administrator password and import
Derived permission.Department manager has the sub- password of more specific gravity, also mutually in requisition for undertaking bigger responsibility.
The other parts of the present embodiment are identical as above-described embodiment 1 or 2, and so it will not be repeated.
Embodiment 4:
The present embodiment is optimized on the basis of embodiment 2, further includes the steps that password imports:
Step S201: the file held is uploaded in O&M auditing system by encryption channel;User is used to file
The password for logging in O&M auditing system is decrypted, and obtains file and digital signature;Digital signature is verified, if wrong
It misses, then end operation, and is recorded, fed back into O&M auditing system;
Step S202: after the file of user is carried out file decryption using the modification logging of the user, document analysis module
Record in file is read as into data one by one, the sub- cipher text part that assets are corresponded in the file of importing is read, it is common to transmit
Give ciphertext recovery module;Ciphertext recovery module gets sub- ciphertext, by shamir privacy sharing algorithm, calculates and restores to have obtained
Whole original cipher text, and the ciphertext is passed into database parsing module;
Step S203: database parsing module remembers the corresponding database that is combined into of the plain text transmit information and ciphertext of assets
Record, and be written in the asset database of O&M auditing system, cryptographic asset is completed to import recovery process.
As shown in importing process in Fig. 2, derived file is inputted by encryption channel, then file is decrypted simultaneously
To digital signature authentication, if being proved to be successful, decryption file is obtained, document analysis module is then introduced into and obtains clear portion information
With cryptographic asset ciphertext, cryptographic asset ciphertext importing ciphertext recovery module is obtained into original cipher text, then by original cipher text and bright
Literary partial information imports data resolution module jointly, imports O&M auditing system and realizes and restores data.
It by data signature mechanism, is imported in recovery process in cryptographic asset, the user of identification holding assets password uploads
File whether be tampered.Guarantee file can not tamper, identify the malicious user to tamper with a document, avoid internal evil
Meaning user, which tampers with a document, causes password recovery process to fail, and has the characteristics that trace to the source, except protect external security with equally to avoid
Internal malicious user.
The other parts of the present embodiment are identical as above-described embodiment 2, and so it will not be repeated.
Embodiment 5:
The present embodiment is to optimize on the basis of embodiment 1, further includes step S101: database parsing module is read
Non-sensitive information is read out by the record in asset information database with former data format, and reads corresponding encryption storage
Cryptographic asset ciphertext, and ciphertext is transferred in ciphertext partition module, using Shamir privacy sharing algorithm, to ciphertext point
It cuts to obtain n one's share of expenses for a joint undertaking ciphertext.The non-sensitive information includes the letter of asset name, assets IP address, the stored in clear of remark information
Breath;The format of password export in the step S102 can for txt text-only file or excel form document or
Data-base recording.
The present invention solves the problems, such as that solution cipher safety, the present invention guarantee file by digital signature in export process
It is not tampered, the present invention realizes the safeguard protection to export, has preferable practicability.To non-sensitive information in plain text
Form is presented, and reduces the resource that encryption occupies.General file format is generated, is had preferable portable, it may have preferably
Readability.The unavailable complete cryptographic asset of sole user is guaranteed to the fractionation of ciphertext.
The other parts of the present embodiment are identical as above-described embodiment 1, and so it will not be repeated.
The above is only presently preferred embodiments of the present invention, not does limitation in any form to the present invention, it is all according to
According to technical spirit any simple modification to the above embodiments of the invention, equivalent variations, protection of the invention is each fallen within
Within the scope of.
Claims (8)
1. a kind of cryptographic asset deriving method for O&M auditing system, which is characterized in that mainly comprise the steps that
Step S102: password sharing module matches the information of sub- ciphertext and clear portion after segmentation according to assets, as
One records incoming document analysis module, and document analysis module is packaged data, exports as n parts of different password export texts
Part;
Step S103: taking cryptographic Hash to the file attachment user name of generation, carries out digital label for the key pair that each user generates
Name;According to preset rights division, file is distributed for each user, and by the file of the user modification logging of the user
Carry out reversible file encryption;File is transferred on subscriber's main station using encryption channel.
2. a kind of cryptographic asset deriving method for O&M auditing system according to claim 1, which is characterized in that institute
State the legal identity for guaranteeing department manager and Password Manager in step S103 by authentication system first;It is examined in O&M
Inside meter systems, it is that the user of each administrator password generates a pair of of public, private key key pair using public key encryption system, is stored in
Internal system, for being digitally signed to export.
3. a kind of cryptographic asset deriving method for O&M auditing system according to claim 2, which is characterized in that institute
It states and reversible file is carried out using the password that Password Management person logs in O&M auditing system to the file of generation in step S103 adds
It is close;It is sent the file to using sftp agreement on the machine that Password Management person is backed up, go-between is avoided using encryption channel
Attack.
4. a kind of cryptographic asset deriving method for O&M auditing system according to claim 1, which is characterized in that institute
Stating user in step S103 includes department manager and several Password Managers, and department manager is with Password Manager's
Total file of total file or all Password Managers can complete password and import recovery.
5. a kind of cryptographic asset deriving method for O&M auditing system according to claim 4, which is characterized in that institute
Stating password export n is 5, and department manager is 1, and Password Manager is 3;Department manager holds 2 one's share of expenses for a joint undertaking passwords, close
Code administrator respectively holds 1 one's share of expenses for a joint undertaking password;3 one's share of expenses for a joint undertaking passwords are needed when importing password.
6. a kind of cryptographic asset deriving method for O&M auditing system according to claim 1-5, special
Sign is, further includes the steps that password imports:
Step S201: the file held is uploaded in O&M auditing system by encryption channel;File is logged in using user
The password of O&M auditing system is decrypted, and obtains file and digital signature;Digital signature is verified, if mistake,
End operation, and recorded, it feeds back into O&M auditing system;
Step S202: after the file of user is carried out file decryption using the modification logging of the user, document analysis module will be literary
Record in part reads as data one by one, and the sub- cipher text part that assets are corresponded in the file of importing is read, is collectively delivered to close
Literary recovery module;Ciphertext recovery module gets sub- ciphertext, by shamir privacy sharing algorithm, calculates and restores to obtain complete
Original cipher text, and the ciphertext is passed into database parsing module;
Step S203: plain text transmit information and the ciphertext correspondence of assets are combined into data-base recording by database parsing module, and
It is written in the asset database of O&M auditing system, cryptographic asset is completed to import recovery process.
7. a kind of cryptographic asset deriving method for O&M auditing system according to claim 1, which is characterized in that also
Including step S101: database parsing module reads the record in asset information database, by non-sensitive information with former data lattice
Formula is read out, and reads the ciphertext of the cryptographic asset of corresponding encryption storage, and ciphertext is transferred in ciphertext partition module,
Using Shamir privacy sharing algorithm, ciphertext is divided to obtain n one's share of expenses for a joint undertaking ciphertext.
8. a kind of cryptographic asset deriving method for O&M auditing system according to claim 7, which is characterized in that institute
State the information that non-sensitive information includes asset name, assets IP address, the stored in clear of remark information;In the step S102
The format of password export can be txt text-only file or excel form document or data-base recording.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811210286.0A CN109302400B (en) | 2018-10-17 | 2018-10-17 | Asset password exporting method for operation and maintenance auditing system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811210286.0A CN109302400B (en) | 2018-10-17 | 2018-10-17 | Asset password exporting method for operation and maintenance auditing system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109302400A true CN109302400A (en) | 2019-02-01 |
| CN109302400B CN109302400B (en) | 2021-09-03 |
Family
ID=65163082
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811210286.0A Active CN109302400B (en) | 2018-10-17 | 2018-10-17 | Asset password exporting method for operation and maintenance auditing system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109302400B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110580406A (en) * | 2019-07-23 | 2019-12-17 | 中国航天系统科学与工程研究院 | Internet file self-help importing system and method |
| CN112651214A (en) * | 2020-08-28 | 2021-04-13 | 成都格斗科技有限公司 | Method for converting data table plaintext into binary ciphertext convenient for program to read |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060184786A1 (en) * | 2005-02-14 | 2006-08-17 | Tricipher, Inc. | Technique for asymmetric crypto-key generation |
| US20120144465A1 (en) * | 2008-11-24 | 2012-06-07 | Microsoft Corporation | Distributed single sign on technologies including privacy protection and proactive updating |
| CN107171796A (en) * | 2017-06-27 | 2017-09-15 | 济南浪潮高新科技投资发展有限公司 | A kind of many KMC key recovery methods |
| CN107623569A (en) * | 2017-09-30 | 2018-01-23 | 矩阵元技术(深圳)有限公司 | Block chain key escrow and restoration methods, device based on Secret sharing techniques |
| CN107979461A (en) * | 2017-10-27 | 2018-05-01 | 财付通支付科技有限公司 | Secret key retrieving method, device, terminal, secret key escrow server and readable medium |
-
2018
- 2018-10-17 CN CN201811210286.0A patent/CN109302400B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060184786A1 (en) * | 2005-02-14 | 2006-08-17 | Tricipher, Inc. | Technique for asymmetric crypto-key generation |
| US20120144465A1 (en) * | 2008-11-24 | 2012-06-07 | Microsoft Corporation | Distributed single sign on technologies including privacy protection and proactive updating |
| CN107171796A (en) * | 2017-06-27 | 2017-09-15 | 济南浪潮高新科技投资发展有限公司 | A kind of many KMC key recovery methods |
| CN107623569A (en) * | 2017-09-30 | 2018-01-23 | 矩阵元技术(深圳)有限公司 | Block chain key escrow and restoration methods, device based on Secret sharing techniques |
| CN107979461A (en) * | 2017-10-27 | 2018-05-01 | 财付通支付科技有限公司 | Secret key retrieving method, device, terminal, secret key escrow server and readable medium |
Non-Patent Citations (1)
| Title |
|---|
| 陈思光等: "一种安全的可验证密钥管理方案", 《商业研究》 * |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110580406A (en) * | 2019-07-23 | 2019-12-17 | 中国航天系统科学与工程研究院 | Internet file self-help importing system and method |
| CN110580406B (en) * | 2019-07-23 | 2021-08-10 | 中国航天系统科学与工程研究院 | Internet file self-help importing system and method |
| CN112651214A (en) * | 2020-08-28 | 2021-04-13 | 成都格斗科技有限公司 | Method for converting data table plaintext into binary ciphertext convenient for program to read |
| CN112651214B (en) * | 2020-08-28 | 2023-03-28 | 成都格斗科技有限公司 | Method for converting data table plaintext into binary ciphertext convenient for program to read |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109302400B (en) | 2021-09-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8806200B2 (en) | Method and system for securing electronic data | |
| US7860243B2 (en) | Public key encryption for groups | |
| US20100005318A1 (en) | Process for securing data in a storage unit | |
| US20090158037A1 (en) | System and method for protecting an electronic file | |
| US20080098227A1 (en) | Method of enabling secure transfer of a package of information | |
| CN102460460A (en) | Secure and private backup storage and processing for trusted computing and data services | |
| CN105122265A (en) | Data security service system | |
| CN111130770A (en) | Block chain based information evidence storage method and system, user terminal, electronic equipment and storage medium | |
| Nirmala et al. | Data confidentiality and integrity verification using user authenticator scheme in cloud | |
| Mukundan et al. | Replicated Data Integrity Verification in Cloud. | |
| CN109302400A (en) | A kind of cryptographic asset deriving method for O&M auditing system | |
| Kim et al. | BRICS: blockchain-based resilient information control system | |
| Nooh | Cloud Cryptography: User End Encryption | |
| Rawat et al. | A survey of various techniques to secure cloud storage | |
| US20060053294A1 (en) | System and method for proving time and content of digital data in a monitored system | |
| CN108173880B (en) | File encryption system based on third party key management | |
| CN110474873B (en) | A method and system for electronic file access control based on informed range encryption | |
| Nagaty | A framework for secure online bank system based on Hybrid Cloud Architecture | |
| Karani et al. | Secure File Storage Using Hybrid Cryptography | |
| Pujari et al. | A Study of Data Storage Security Issues in Cloud Computing | |
| US20250310098A1 (en) | Systems, methods, and computer-readable media for selectively or fully protecting electronic and digitally signed electronic documents and specifying access thereof | |
| Reddy et al. | A New Framework Approach Enhances Security to Efficient Remote Collaboration in TPA Scheme for Cloud Storage | |
| Liu | Security Research and Solution of Data Exchange Platform | |
| de Souza et al. | SSICC: sharing sensitive information in a cloud-of-clouds | |
| Bardis et al. | A new approach of secret key management lifecycle for military applications |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB03 | Change of inventor or designer information |
Inventor after: Guo Jiayi Inventor after: Huang Hai Inventor after: Fan Yuan Inventor after: Wu Yongyue Inventor after: Zheng Xuexin Inventor after: Liu Tao Inventor before: Guo Jiayi Inventor before: Fan Yuan Inventor before: Wu Yongyue Inventor before: Zheng Xuexin Inventor before: Liu Tao |
|
| CB03 | Change of inventor or designer information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |