CN118944877B - An efficient key management system for integrated security gateway system - Google Patents

Info

Publication number
CN118944877B
Authority
CN
China
Prior art keywords
key
represented
backup
signature
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411193958.7A
Other languages
Chinese (zh)
Other versions
CN118944877A (en
Inventor
翁武焰
邓宙锦
张传辉
金华松
何颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Zhongxin Wang 'an Information Technology Co ltd
Original Assignee
Fujian Zhongxin Wang 'an Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujian Zhongxin Wang 'an Information Technology Co ltd
Priority to CN202411193958.7A
Publication of CN118944877A
Application granted
Publication of CN118944877B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3033 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to pseudo-prime or prime number generation, e.g. primality test
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an efficient key management system for an integrated security gateway system and relates to the technical field of key management. The system comprises a payload monitoring module, a key generation module, a key backup and recovery module, and a key signature verification module. Network traffic is analyzed in real time using deep packet inspection: packets are captured with Wireshark and examined in detail by a DPI system, a process that comprises packet capture, filtering, analysis, and reporting of abnormal traffic. The payload is calculated from a weight coefficient and the CPU acquisition length and is compared with a threshold to assess the network security state. The key generation module creates a key pair using a high-strength algorithm and signs it to ensure secure transmission; the backup and recovery module is responsible for the secure storage and recovery of keys; and the signature verification module ensures key authenticity and prevents data leakage. The system strengthens network security protection and ensures the integrity and security of data transmission.

Description

Efficient key management system for comprehensive security gateway system
Technical Field
The present invention relates to the field of key management technology, and more particularly, to a high-efficiency key management system for an integrated security gateway system.
Background
By integrating multiple security functions, an integrated security gateway system simplifies the management and maintenance of security equipment, reduces security investment costs, and improves the efficiency and reliability of security protection. Using modern cryptographic techniques, it provides users with secure remote access to internal networks or applications, and provides end-to-end secure data transmission and secure access between the local area networks of an enterprise's branches.
With the explosive development of information technology, networks have become important infrastructure for enterprise operations. As an important component of the enterprise network, the integrated security gateway system plays a key role in protecting internal enterprise data and resisting external network threats. However, network attack methods are becoming increasingly subtle and complex, and traditional security measures struggle to meet current security demands. Key management is the cornerstone of data security, and its importance is self-evident. The integrated security gateway can not only perform deep inspection and filtering of network traffic to keep malicious traffic out, but also monitor outbound traffic to prevent sensitive information from leaking.
In practice, however, existing key management systems still have shortcomings: key generation, storage, transmission and use are often insufficiently secure, and the systems cannot adapt to a rapidly changing network environment and continuously escalating security challenges.
Disclosure of Invention
In order to overcome the above-mentioned drawbacks of the prior art, embodiments of the present invention provide an efficient key management system for an integrated security gateway system to solve the above-mentioned problems set forth in the background art.
In order to achieve the above purpose, the present invention provides the following technical solutions:
The payload monitoring module is used for monitoring and analyzing the payload in real time by deep packet inspection;
The key generation module is used for generating a key pair with a high-strength encryption algorithm, selecting the key length, signing the key pair, and transmitting the signed key to the key backup and recovery module;
The key backup and recovery module is used for periodically making incremental backups of the key to a secure offline storage device, providing a key recovery mechanism, and transmitting the backed-up key to the key exchange module;
The key signature verification module is used for verifying the signature of the exchanged key and operating according to the instruction issued after signature verification.
Preferably, in the payload monitoring module, a network traffic analyzer (Wireshark) is used to capture and analyze the packets transmitted through the network interface, and a DPI system is then deployed to inspect the content and payload of the packets. The method for capturing and inspecting packets is specifically as follows:
Packet capture is started and the designated network interface is monitored in real time to collect the packets transmitted over the network. During capture, a filter is used to screen traffic, including filtering by specific IP addresses, protocols and ports, to reduce the size of the capture. When capture is complete, the packets are saved to a pcap file for later analysis. The capture file is opened in the packet analysis tool Wireshark, and the list of captured packets is reviewed in the tool's interface; each packet generally includes a timestamp, source address, destination address, protocol type, length and similar information. Clicking a specific packet shows its details, including the packet headers (Ethernet header, IP header and transport-layer header). Protocol analysis is performed on the packets to understand their structure and content, examining the meaning and data of each protocol field. For TCP, multiple packets are reassembled into a complete stream to help understand the interaction process and content;
Wireshark provides a TCP stream reassembly function. Its color highlighting and filtering functions are used to identify abnormal traffic and abnormal payloads, the transmitted content is checked for specific protocols to identify suspicious data and malicious traffic, and the inspection results are compiled into a report covering the problems found, the suspicious traffic and the analysis conclusions.
Preferably, in the key generation module, the key generation method specifically includes:
Parameter determination: the parameters must be determined before key generation; they comprise the large primes f and h, the generator g, and the key length. The generator g is calculated as follows:
where g is denoted as generator, f is denoted as first large prime, h is denoted as second large prime, mod is denoted as modulo operation, j is denoted as any one less than E is expressed as a natural constant;
Private and public key generation: after the parameters are determined, the private key and public key are generated. An integer x satisfying 0 < x < h is selected pseudo-randomly as the private key, and the public key parameter is calculated as follows:
Wherein y is denoted as a public key parameter, g is denoted as a generator, x is denoted as a private key, f is denoted as a first large prime number, mod is denoted as a modulo operation;
the public key is expressed as The private key is x, and the key length selects 2048 bits of key.
The key is signed; the signing method is specifically as follows:
A random integer n is selected, and the first signature element is calculated as follows:
, wherein, Expressed as a first signature element, g expressed as a generator element, n expressed as an integer, e expressed as a natural constant, f expressed as a first large prime number, h expressed as a second large prime number, mod expressed as a modulo operation;
the calculation method of the second signature element specifically comprises the following steps:
, wherein, Represented as a second signature element, n is represented as an integer,Represented as hashed the generated element after the processing is processed,Represented as a private key and is provided with a key,Represented as a first signature element and is provided,Denoted as the second largest prime number, mod is denoted as modulo operation;
the first signature element and the second signature element form a signature, and the signature is expressed as
Preferably, in the key backup and recovery module, the key backup method specifically includes:
Before any incremental backup, one full backup is performed; the full backup contains all data of the system and serves as the baseline for the incremental backups. At each incremental backup, the system must detect all changes since the last backup, including added, modified and deleted data, using each file's timestamp, checksum and version number to determine which data has changed.
The detected changes are backed up and stored on the backup medium. Metadata about the changes is recorded so that the changes can be correctly identified and applied during recovery. A backup index is maintained and updated, recording the timestamp of each backup, the data changes it contains, and the dependencies between backups.
Preferably, in the key signature verification module, the signature verification method specifically includes:
after the receiver receives the signed key, it verifies AndOf the numerical range of (1)The numerical range of (2) is withinA kind of electronic deviceThe numerical range of (2) is withinThe first pass of verification is passed;
the verification value calculation method specifically includes:
wherein Z is represented as a verification value, g is represented as a generator, Denoted as first authentication parameter, y denoted as public key parameter,Denoted as second verification parameter, mod is denoted as modulo operation, f is denoted as first large prime number, and h is denoted as second large prime number;
If the calculated verification value is not equal to the first signature element, signature verification fails, indicating that the key has been attacked and data has leaked, and an early warning is raised.
The invention has the technical effects and advantages that:
The invention provides an efficient key management system for an integrated security gateway system. The payload monitoring module analyzes network traffic in real time using deep packet inspection to identify abnormal payloads and potential attacks; packets are captured with Wireshark and saved as a .pcap file for subsequent analysis. The payload calculation compares a value derived from parameters such as the weight coefficient of historical measurements and the load judgment factor with a preset threshold and issues the corresponding instruction. The key generation module generates a key pair using a high-strength encryption algorithm, signs it, and transmits it to the key backup and recovery module for incremental backup. The key signature verification module verifies the signature of the exchanged key to ensure that the key has not been attacked. Through these modules and steps, a high-strength encryption algorithm and a strict key management policy ensure the security of the key during generation, storage, transmission and use, and prevent unauthorized access and tampering.
Drawings
Fig. 1 is a schematic diagram of a system module connection according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, the present invention provides a high-efficiency key management system for an integrated security gateway system, which includes a payload monitoring module, a key generating module, a key backup and recovery module, and a key signature verification module.
The payload monitoring module is connected with the key generation module, the key generation module is connected with the key backup and recovery module, and the key backup and recovery module is connected with the key signature verification module.
The payload monitoring module is used for monitoring and analyzing the payload in real time by deep packet inspection;
In the payload monitoring module, a network traffic analyzer (Wireshark) is used to capture and analyze the packets transmitted through the network interface, and a DPI system is then deployed to inspect the content and payload of the packets. The method for capturing and inspecting packets is as follows:
Packet capture is started and the designated network interface is monitored in real time to collect the packets transmitted over the network. During capture, a filter is used to screen traffic, including filtering by specific IP addresses, protocols and ports, to reduce the size of the capture. When capture is complete, the packets are saved to a pcap file for later analysis. The capture file is opened in the packet analysis tool Wireshark, and the list of captured packets is reviewed in the tool's interface; each packet generally includes a timestamp, source address, destination address, protocol type, length and similar information. Clicking a specific packet shows its details, including the packet headers (Ethernet header, IP header and transport-layer header). Protocol analysis is performed on the packets to understand their structure and content, examining the meaning and data of each protocol field. For TCP, multiple packets are reassembled into a complete stream to help understand the interaction process and content;
Wireshark provides a TCP stream reassembly function. Its color highlighting and filtering functions are used to identify abnormal traffic and abnormal payloads, the transmitted content is checked for specific protocols to identify suspicious data and malicious traffic, and the inspection results are compiled into a report covering the problems found, the suspicious traffic and the analysis conclusions;
The payload is calculated as follows:
, wherein, Represented as a payload of a material,The weight coefficient expressed as a historical measurement value,The gateway performance measurement, denoted as t, L is denoted as CPU acquisition length,Expressed as a load judgment factor;
The calculation method of the load judgment factor specifically comprises the following steps:
, wherein, Denoted as load judgment factor, L denoted as CPU acquisition length,Represented as a load value for gateway number b,The number of CPUs denoted gateway number b;
the calculation method of the weight coefficient of the history measured value specifically comprises the following steps:
, wherein, The weight coefficient expressed as a history measured value, and L expressed as a CPU acquisition length;
The calculated payload is compared with a preset payload threshold. If the calculated payload is greater than the preset threshold, a danger instruction is issued, control passes to the key generation module, and the transmitted data is encrypted; if the calculated payload is less than the preset threshold, a safe instruction is issued and operation continues.
The key generation module is used for generating a key pair with a high-strength encryption algorithm, selecting the key length, signing the key pair, and transmitting the signed key to the key backup and recovery module;
In the key generation module, the key generation method specifically comprises the following steps:
Parameter determination: the parameters must be determined before key generation; they comprise the large primes f and h, the generator g, and the key length. The generator g is calculated as follows:
where g is denoted as generator, f is denoted as first large prime, h is denoted as second large prime, mod is denoted as modulo operation, j is denoted as any one less than E is expressed as a natural constant;
Private and public key generation: after the parameters are determined, the private key and public key are generated. An integer x satisfying 0 < x < h is selected pseudo-randomly as the private key, and the public key parameter is calculated as follows:
Wherein y is denoted as a public key parameter, g is denoted as a generator, x is denoted as a private key, f is denoted as a first large prime number, mod is denoted as a modulo operation;
the public key is expressed as The private key is x, and the key length selects 2048 bits of key.
The key is signed; the signing method is specifically as follows:
A random integer n is selected, and the first signature element is calculated as follows:
, wherein, Expressed as a first signature element, g expressed as a generator element, n expressed as an integer, e expressed as a natural constant, f expressed as a first large prime number, h expressed as a second large prime number, mod expressed as a modulo operation;
the calculation method of the second signature element specifically comprises the following steps:
, wherein, Represented as a second signature element, n is represented as an integer,Represented as hashed the generated element after the processing is processed,Represented as a private key and is provided with a key,Represented as a first signature element and is provided,Denoted as the second largest prime number, mod is denoted as modulo operation;
the first signature element and the second signature element form a signature, and the signature is expressed as
The key backup and recovery module is used for periodically making incremental backups of the key to a secure offline storage device, providing a key recovery mechanism, and transmitting the backed-up key to the key exchange module;
In the key backup and recovery module, the key backup method is specifically as follows:
Before any incremental backup, one full backup is performed; the full backup contains all data of the system and serves as the baseline for the incremental backups. At each incremental backup, the system must detect all changes since the last backup, including added, modified and deleted data, using each file's timestamp, checksum and version number to determine which data has changed.
The detected changes are backed up and stored on the backup medium. Metadata about the changes is recorded so that the changes can be correctly identified and applied during recovery. A backup index is maintained and updated, recording the timestamp of each backup, the data changes it contains, and the dependencies between backups;
The recovery method is specifically as follows:
The data of the full backup is imported into the target system to ensure data integrity, and all incremental backups are then applied one by one in chronological order. Each incremental backup is applied on top of the previous one, so that the order of application matches the timestamps recorded at backup time. Recovery starts from the earliest incremental backup and proceeds until the latest incremental backup has been applied.
The timestamp of each incremental backup is recorded so that it can be checked during recovery. After each incremental backup is applied, the data is merged to ensure that new and existing data are integrated correctly, and data consistency is checked to ensure that the recovered data matches the data at backup time, avoiding data loss or inconsistency.
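The backup and recovery procedure described above, as an added Python example that is not code from the patent: a full backup followed by checksum-detected incrementals, with a restore that enforces the dependency chain, timestamp order and a consistency check. The names `Backup`, `take_backup` and `restore`, the use of SHA-256 as the checksum, and the sample key blobs are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def digest(blob: bytes) -> str:
    """Checksum used to detect changed entries (SHA-256 is an assumption)."""
    return hashlib.sha256(blob).hexdigest()


@dataclass
class Backup:
    seq: int                             # position in the backup index
    timestamp: int                       # time of the backup (constructed values)
    parent: Optional[int]                # seq this backup depends on; None = full
    changes: Dict[str, Optional[bytes]]  # changed entries; None marks a deletion
    manifest: Dict[str, str]             # checksum of every entry after this backup


def take_backup(store: Dict[str, bytes], index: List[Backup], timestamp: int) -> Backup:
    """Append a full backup if the index is empty, otherwise an incremental."""
    current = {key: digest(blob) for key, blob in store.items()}
    if not index:
        changes: Dict[str, Optional[bytes]] = dict(store)
        parent = None
    else:
        previous = index[-1].manifest
        # Added or modified entries: checksum differs from the last backup.
        changes = {k: store[k] for k in store if previous.get(k) != current[k]}
        # Deleted entries: present in the last backup, absent now.
        changes.update({k: None for k in previous if k not in store})
        parent = index[-1].seq
    backup = Backup(len(index), timestamp, parent, changes, current)
    index.append(backup)
    return backup


def restore(index: List[Backup]) -> Dict[str, bytes]:
    """Apply the full backup, then each incremental in timestamp order."""
    ordered = sorted(index, key=lambda b: b.timestamp)
    if not ordered or ordered[0].parent is not None:
        raise ValueError("restore must start from a full backup")
    restored: Dict[str, bytes] = {}
    previous: Optional[Backup] = None
    for backup in ordered:
        if previous is not None:
            if backup.parent != previous.seq:
                raise ValueError(f"backup {backup.seq} depends on a missing backup")
            if backup.timestamp <= previous.timestamp:
                raise ValueError(f"backup {backup.seq} has an out-of-order timestamp")
        for key, blob in backup.changes.items():
            if blob is None:
                restored.pop(key, None)
            else:
                restored[key] = blob
        # Consistency check after merging: state must match what was backed up.
        if {k: digest(v) for k, v in restored.items()} != backup.manifest:
            raise ValueError(f"consistency check failed after backup {backup.seq}")
        previous = backup
    return restored


def demo() -> bool:
    """Round trip over constructed sample data: add, modify and delete a key."""
    store = {"gw-key-1": b"constructed-blob-1", "gw-key-2": b"constructed-blob-2"}
    index: List[Backup] = []
    take_backup(store, index, 100)              # full backup
    store["gw-key-2"] = b"constructed-blob-2b"  # modified
    store["gw-key-3"] = b"constructed-blob-3"   # added
    take_backup(store, index, 200)
    del store["gw-key-1"]                       # deleted
    take_backup(store, index, 300)
    return restore(index) == store


if __name__ == "__main__":
    print("restore matches live store:", demo())
```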
The key signature verification module is used for verifying the signature of the exchanged key and operating according to the instruction issued after signature verification;
In the key signature verification module, the signature verification method is specifically as follows:
after the receiver receives the signed key, it verifies AndOf the numerical range of (1)The numerical range of (2) is withinA kind of electronic deviceThe numerical range of (2) is withinThe first verification is passed, and a first verification parameter is calculated, wherein the calculation method of the first verification parameter specifically comprises the following steps:
, wherein, Represented as a first verification parameter, is provided,Denoted as hashed generator, u denoted as a first validation parameter influencing factor,Expressed as the second largest prime number;
the calculation method of the first verification parameter influence factor specifically comprises the following steps:
Where u is denoted as the verification parameter influencing factor, Denoted as second signature element, h as second largest prime number and mod as modulo operation;
the calculation method of the second verification parameter specifically comprises the following steps:
, wherein, Represented as a second verification parameter, which is a second verification parameter,Denoted as first signature element, u as verification parameter influencing factor, h as second large prime number, mod as modulo operation;
the verification value calculation method specifically comprises the following steps:
wherein Z is represented as a verification value, g is represented as a generator, Denoted as first authentication parameter, y denoted as public key parameter,Denoted as second verification parameter, mod is denoted as modulo operation, f is denoted as first large prime number, and h is denoted as second large prime number;
If the calculated verification value is not equal to the first signature element, signature verification fails, indicating that the key has been attacked and data has leaked, and an early warning is raised.
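The key generation, signing and verification steps described above, as an added Python example that is not code from the patent. The patent's own formulas did not survive on this page, so the example assumes the textbook DSA equations, which match the roles the text gives to f, h, g, x, y, n, u and Z. SHA-256 as the hash, the function names and the demonstration-sized primes (the text selects 2048-bit keys) are also assumptions.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        v = pow(a, d, n)
        if v in (1, n - 1):
            continue
        for _ in range(s - 1):
            v = pow(v, 2, n)
            if v == n - 1:
                break
        else:
            return False
    return True


def make_params():
    """Return (f, h, g): primes with h | f - 1 and a generator of order h."""
    h = 2**127 - 1                    # a known Mersenne prime (demo size only)
    k = 2**129
    while not is_probable_prime(k * h + 1):
        k += 2
    f = k * h + 1
    j = 2
    while pow(j, (f - 1) // h, f) == 1:
        j += 1
    return f, h, pow(j, (f - 1) // h, f)


def hashed(message, h):
    """Hash of the signed data, reduced mod h (assumed: SHA-256)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % h


def keygen(params):
    f, h, g = params
    x = secrets.randbelow(h - 1) + 1  # private key, 0 < x < h
    return x, pow(g, x, f)            # (x, public key parameter y)


def sign(params, x, message):
    f, h, g = params
    while True:
        n = secrets.randbelow(h - 1) + 1      # fresh random integer per signature
        r = pow(g, n, f) % h                  # first signature element
        s = pow(n, -1, h) * (hashed(message, h) + x * r) % h  # second element
        if r and s:
            return r, s


def verify(params, y, message, signature, check_range=True):
    f, h, g = params
    r, s = signature
    # First verification step: both elements must lie strictly between 0 and h.
    if check_range and not (0 < r < h and 0 < s < h):
        return False
    u = pow(s, -1, h)                         # verification parameter factor
    u1 = hashed(message, h) * u % h           # first verification parameter
    u2 = r * u % h                            # second verification parameter
    z = pow(g, u1, f) * pow(y, u2, f) % f % h # verification value Z
    return z == r


def demo():
    params = make_params()
    x, y = keygen(params)
    blob = b"constructed-exported-key-blob"   # constructed sample input
    r, s = sign(params, x, blob)
    h = params[1]
    return {
        "valid": verify(params, y, blob, (r, s)),
        "tampered": verify(params, y, blob + b"!", (r, s)),
        # s + h is congruent to s mod h: only the range check rejects it.
        "s_plus_h": verify(params, y, blob, (r, s + h)),
        "s_plus_h_unchecked": verify(params, y, blob, (r, s + h), check_range=False),
    }


if __name__ == "__main__":
    print(demo())
```

The last two entries show why the range check comes first: with it disabled, a second encoding of the same signature verifies, so the check is what makes the accepted signature value unique.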
Finally, the foregoing description of the preferred embodiment of the invention is provided for the purpose of illustration only, and is not intended to limit the invention to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Claims (2)

1. An efficient key management system for an integrated security gateway system, characterized in that it comprises:

Payload monitoring module: used to monitor and analyze the payload in real time through deep packet inspection, identifying abnormal payloads and potential attacks;

In the payload monitoring module, the network traffic analyzer Wireshark is used to capture and analyze the data packets transmitted through the network interface; a DPI system is then deployed to inspect the content and payload of the data packets;

The payload is calculated as follows: , where  denotes the payload,  denotes the weight coefficient of the historical measurements,  denotes the gateway performance measurement at time t, L denotes the CPU acquisition length, and  denotes the load judgment factor;

The load judgment factor is calculated as follows: , where  denotes the load judgment factor, L denotes the CPU acquisition length,  denotes the load value of the gateway numbered b, and  denotes the number of CPUs of the gateway numbered b;

The weight coefficient of the historical measurements is calculated as follows: , where  denotes the weight coefficient of the historical measurements and L denotes the CPU acquisition length;

The calculated payload is compared with the preset payload threshold. If the calculated payload is greater than the preset payload threshold, a danger instruction is issued, control passes to the key generation module, and the transmitted data is encrypted; if the calculated payload is less than the preset payload threshold, a safe instruction is issued and operation continues;

Key generation module: used to generate a key pair with a high-strength encryption algorithm, select the key length, sign the key pair, and transmit the signed key to the key backup and recovery module;

In the key generation module, the key generation method is specifically as follows:

Parameter determination: the parameters must be determined before key generation. They include the large primes f and h, the generator g, and the key length. The generator g is calculated as follows: , where g denotes the generator, f denotes the first large prime, h denotes the second large prime, mod denotes the modular operation, j denotes any positive integer less than , and e denotes the natural constant;

Private key and public key generation: after the parameters are determined, the private key and public key are generated. An integer x is pseudo-randomly selected as the private key, satisfying 0<x<h. The public key parameter is calculated as follows: , where y denotes the public key parameter, g denotes the generator, x denotes the private key, f denotes the first large prime, and mod denotes the modular operation;

The public key is then represented as , and the private key is x; a key length of 2048 bits is selected;

The key is signed. The signing method is specifically as follows:

A random integer n is selected, and the first signature element is calculated as follows: , where  denotes the first signature element, g denotes the generator, n denotes the integer, e denotes the natural constant, f denotes the first large prime, h denotes the second large prime, and mod denotes the modular operation;

The second signature element is calculated as follows: , where  denotes the second signature element, n denotes the integer, H(v) denotes the generator after hash processing,  denotes the private key,  denotes the first signature element,  denotes the second large prime, and mod denotes the modular operation;

The first signature element and the second signature element together form the signature, which is expressed as ;

Key backup and recovery module: used to regularly perform incremental backups of the keys to a secure offline storage device, provide a key recovery mechanism, and transmit the backed-up keys to the key exchange module;

Key signature verification module: used to verify the signature of the exchanged key and to act on the instruction resulting from signature verification;

In the key signature verification module, the signature verification method is specifically as follows:

After receiving the signed key, the receiver verifies the value ranges of  and . If the value of  lies within  and the value of  lies within , the first verification passes and the first verification parameter is calculated. The first verification parameter is calculated as follows: , where  denotes the first verification parameter, H(v) denotes the generator after hash processing, u denotes the influence factor of the first verification parameter, and  denotes the second large prime;

The second verification parameter is calculated as follows: , where  denotes the second verification parameter,  denotes the first signature element, u denotes the verification parameter influence factor, h denotes the second large prime, and mod denotes the modular operation;

The verification value is calculated as follows: , where Z denotes the verification value, g denotes the generator,  denotes the first verification parameter, y denotes the public key parameter,  denotes the second verification parameter, mod denotes the modular operation, f denotes the first large prime, and h denotes the second large prime;

The calculated verification value is compared with the first signature element. If the two are equal, signature verification succeeds and the key has not been attacked; if they are not equal, signature verification fails, the key has been attacked and data has leaked, and an early warning is raised.

2. The efficient key management system for an integrated security gateway system according to claim 1, characterized in that, in the key backup and recovery module, the key backup method is specifically as follows:

Before any incremental backup, a complete full backup is performed first; the full backup contains all data in the system and provides the baseline for incremental backups. For each incremental backup, the system must detect all changes since the last backup, including added, modified, and deleted data; file timestamps, checksums, and version numbers are used to determine which data has changed;

The detected changed data is backed up and stored on the backup medium; metadata about the changes is recorded so that the changes can be correctly identified and applied during recovery; the backup index is maintained and updated, recording for each backup its timestamp, the data changes, and the backup's dependencies.
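The signing and verification steps of claim 1 have the shape of DSA: a range check on both signature elements, an inverse of the second element, two verification parameters, and a comparison against the first element. The sketch below is an added example, not code from the patent. It assumes the textbook DSA equations (the claim's own formulas are missing from this page) and a range check of 0 < element < h, uses a toy 31-bit h instead of the claimed 2048-bit key length, and the names `F`, `H`, `G`, `digest`, `keygen`, `sign` and `verify` are illustrative.

```python
import hashlib
import secrets

# Assumption: textbook DSA equations stand in for the claim's formulas (absent from the page).
def is_prime(n):
    """Trial division; adequate for the small demo modulus below."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

# Toy parameters constructed for this example: H is the second prime,
# F = k*H + 1 is the first prime, and G has order H modulo F.
H = 2**31 - 1
F = next(k * H + 1 for k in range(2, 10**4, 2) if is_prime(k * H + 1))
G = next(g for g in (pow(j, (F - 1) // H, F) for j in range(2, 100)) if g > 1)

def digest(v: bytes) -> int:
    """H(v): SHA-256 of the signed data, reduced modulo the second prime."""
    return int.from_bytes(hashlib.sha256(v).digest(), "big") % H

def keygen():
    x = secrets.randbelow(H - 1) + 1                 # private key, 0 < x < h
    return x, pow(G, x, F)                           # (x, y = g^x mod f)

def sign(v: bytes, x: int):
    while True:
        n = secrets.randbelow(H - 1) + 1             # fresh secret per signature
        r = pow(G, n, F) % H                         # first signature element
        s = pow(n, -1, H) * (digest(v) + x * r) % H  # second signature element
        if r and s:                                  # retry on a degenerate value
            return r, s

def verify(v: bytes, sig, y: int) -> bool:
    r, s = sig
    # First verification: both elements strictly between 0 and h. Without it,
    # s = 0 has no inverse and r = 0 removes the public key from the check.
    if not (0 < r < H and 0 < s < H):
        return False
    u = pow(s, -1, H)                                # influence factor
    u1 = digest(v) * u % H                           # first verification parameter
    u2 = r * u % H                                   # second verification parameter
    z = pow(G, u1, F) * pow(y, u2, F) % F % H        # verification value Z
    return z == r                                    # compare with first element
```

Reusing or leaking the per-signature integer n across two signatures reveals the private key x, so it must come from a cryptographic random source as above.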
CN202411193958.7A 2024-08-28 2024-08-28 An efficient key management system for integrated security gateway system Active CN118944877B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411193958.7A CN118944877B (en) 2024-08-28 2024-08-28 An efficient key management system for integrated security gateway system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411193958.7A CN118944877B (en) 2024-08-28 2024-08-28 An efficient key management system for integrated security gateway system

Publications (2)

Publication Number Publication Date
CN118944877A CN118944877A (en) 2024-11-12
CN118944877B true CN118944877B (en) 2025-04-22

Family

ID=93362455

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411193958.7A Active CN118944877B (en) 2024-08-28 2024-08-28 An efficient key management system for integrated security gateway system

Country Status (1)

Country Link
CN (1) CN118944877B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113079016A (en) * 2021-03-23 2021-07-06 中国人民解放军国防科技大学 Identity-based authentication method facing space-based network
CN116346352A (en) * 2023-03-09 2023-06-27 武汉大学 An anti-double authentication signature method and system based on SM9

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8788805B2 (en) * 2008-02-29 2014-07-22 Cisco Technology, Inc. Application-level service access to encrypted data streams
EP2975873A1 (en) * 2014-07-17 2016-01-20 Telefonica Digital España, S.L.U. A computer implemented method for classifying mobile applications and computer programs thereof
CN113141375A (en) * 2021-05-08 2021-07-20 国网新疆电力有限公司喀什供电公司 Network security monitoring method and device, storage medium and server
CN116405216A (en) * 2023-03-06 2023-07-07 武汉大学 Anti-double authentication signature method and device based on SM2

Also Published As

Publication number Publication date
CN118944877A (en) 2024-11-12

Similar Documents

Publication Publication Date Title
US10805393B2 (en) System and method for data management structure using auditable delta records in a distributed environment
Trenwith et al. Digital forensic readiness in the cloud
CN104639311B (en) The polymerization and system of electricity consumption privacy and integrity protection in a kind of intelligent grid
Accorsi Safe-keeping digital evidence with secure logging protocols: State of the art and challenges
CN112749232A (en) Production data monitoring method and device, block chain node and storage medium
CN118368080A (en) Enterprise privacy analysis and anomaly detection method, device, equipment and storage medium
Chhabra et al. Distributed network forensics framework: A systematic review
CN111817844B (en) Double-link wireless ad hoc network and security defense method in emergency scene
CN120200830A (en) An industrial Internet encryption method and system based on blockchain evidence storage
CN119363461A (en) Bidirectional trusted identity authentication method and system based on offline files
CN120150949A (en) A lightweight jump-key encryption system based on national secret algorithm
CN120342744A (en) Energy storage terminal remote security upgrade method and system based on end-to-end encryption
CN107919970A (en) A kind of log management realization method and system of safe O&M service cloud platform
CN112564985A (en) Safe operation and maintenance management method based on block chain
CN118944877B (en) An efficient key management system for integrated security gateway system
CN119603047A (en) Industrial firewall isolation method for DCS system
Mendes et al. Validating and securing DLMS/COSEM implementations with the ValiDLMS framework
CN118051934A (en) Data management method and device for transformer substation and electronic equipment
KR20190027207A (en) System and method for verifying integrity of personal information
CN112016131B (en) Distributed cloud evidence obtaining credibility verification system and method thereof
Colelli et al. Blockchain application in simulated environment for Cyber-Physical Systems Security
CN120415925B (en) Data security processing method and system
CN119583227B (en) Shell command encryption remote transmission method and system
CN119676001B (en) Data encryption transmission method and device with early warning mechanism
CN116094842B (en) State recognition system and method of network cipher machine

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant