
HK1259028B - Method and system for distributed cryptographic key - Google Patents


Info

Publication number: HK1259028B
Authority: HK (Hong Kong)
Prior art keywords: key, processing server, data signal, private key, access
Application number: HK19101516.2A
Other languages: Chinese (zh)
Other versions: HK1259028A1 (en
Inventor: S‧C‧戴维斯
Original Assignee: 万事达卡国际股份有限公司
Priority claimed from US15/001,775 (US10103885B2)
Application filed by 万事达卡国际股份有限公司
Publication of HK1259028A1
Publication of HK1259028B


Description

Method and system for distributed cryptographic keys

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to and the benefit of the filing date of U.S. Patent Application No. 15/001,775, filed January 20, 2016, which is incorporated herein by reference in its entirety.

Technical Field

The present disclosure relates to the distribution of multiple cryptographic keys for accessing data, and in particular, to the use of elliptic curve cryptography to securely distribute multiple cryptographic keys that are used to derive a single key for a cryptographic key recipient to access data requiring negotiated data ownership.

Background Art

In a world with billions of computing devices, data is constantly being transmitted. Data can be transferred from one computing device to another, from one device to many others, or from many devices to a single device. In many cases, the security of data transmission can be as important as the location of the data transmission. For example, if data is properly protected so that only intended parties can view it, it can be made publicly available so that the intended parties can reach it more easily. With a high level of security, data is protected from compromise by any entity other than the intended party even when it is publicly accessible. Therefore, ensuring the security of data transmitted over public channels can be extremely important.

However, this can be difficult to achieve when data is intended for a predetermined group of entities. For example, if a party wishes to make publicly available data accessible to a group of four different individuals, the party could encrypt the data and provide each of the four individuals with a key suitable for accessing the data. In this scenario, the compromise of any one of the four keys could compromise the data being transmitted, significantly reducing security. To maintain the highest level of security, it may be in the party's best interest to distribute only a single key for accessing the data. However, the group of four individuals may not be able to identify which individual will receive the single key, or such identification may be time-consuming or inconvenient for the party.

Therefore, there is a need for a technical solution for transmitting data that enables accessibility to multiple entities using a single access key. Furthermore, there is a need for a technical solution in which a transmitting party can provide data to each of multiple entities for negotiation of ownership without the transmitting party's involvement. In such a scenario, data can be securely transmitted with minimal potential for disclosure, and is accessible only to a single entity, which can be selected among the multiple entities without requiring additional involvement from the transmitting party.

Summary of the Invention

This disclosure provides a description of systems and methods for distributing multiple cryptographic keys to be used in accessing data.

A method for distributing multiple cryptographic keys for accessing data includes: receiving, by a receiving device of a processing server, a data signal superimposed with an access key request, wherein the access key request includes at least a number n, greater than 1, of requested keys; generating, by a generation module of the processing server, n key pairs using a key pair generation algorithm, wherein each key pair includes a private key and a public key; deriving, by a derivation module of the processing server, an access private key by applying the private key contained in each of the n key pairs to a key derivation algorithm; generating, by the generation module of the processing server, an access public key corresponding to the derived access private key using the key pair generation algorithm; and electronically sending, by a sending device of the processing server, for each of the n key pairs, a data signal superimposed with the private key contained in that key pair.

A system for distributing multiple cryptographic keys for accessing data includes: a sending device of a processing server; a receiving device of the processing server configured to receive a data signal superimposed with an access key request, wherein the access key request includes at least a number n of requested keys; a generation module of the processing server configured to generate n key pairs using a key pair generation algorithm, wherein each key pair includes a private key and a public key; and a derivation module of the processing server configured to derive an access private key by applying the private key included in each of the n key pairs to a key derivation algorithm. The generation module of the processing server is further configured to generate an access public key corresponding to the derived access private key using the key pair generation algorithm. The sending device of the processing server is configured to electronically send, for each of the n key pairs, a data signal superimposed with the private key included in one of the n key pairs.

BRIEF DESCRIPTION OF THE DRAWINGS

The scope of the present disclosure is best understood by reading the following detailed description of exemplary embodiments in conjunction with the accompanying drawings, which include the following figures:

FIG. 1 is a block diagram illustrating a high-level system architecture for distributing keys to multiple entities to negotiate reward ownership, according to an exemplary embodiment.

FIG. 2 is a block diagram illustrating the processing server of FIG. 1 for distributing cryptographic keys to multiple entities for negotiating reward ownership, according to an exemplary embodiment.

FIG. 3 is a flow chart illustrating the processing server of FIG. 2 generating access keys for protecting data whose ownership is negotiated by multiple entities, according to an exemplary embodiment.

FIG. 4 is a flow chart illustrating a process flow for transmitting access keys using elliptic curve cryptography, according to an exemplary embodiment.

FIG. 5 is a flow chart illustrating an exemplary method for distributing multiple cryptographic keys used to access data, according to an exemplary embodiment.

FIG. 6 is a block diagram illustrating a computer system architecture according to an exemplary embodiment.

Further areas of applicability of the present disclosure will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description of the exemplary embodiments is provided for illustration purposes only and is not intended to limit the scope of the present disclosure.

DETAILED DESCRIPTION

Glossary

Blockchain - A ledger of all transactions that conform to one or more standards or conventions associated with blockchain. One or more computing devices may comprise a blockchain network, which may be configured to process and record transactions as part of blocks in a blockchain. Once a block is completed, it is added to the blockchain, thereby updating the transaction record. In many cases, a blockchain may be a chronological ledger of transactions, or it may be presented in any other order suitable for the blockchain network. In some configurations, a blockchain may be a ledger of monetary transactions, where transactions recorded in the blockchain may include a destination address and a monetary amount, such that the blockchain records how much money is attributed to a particular address. In some such configurations, the blockchain may utilize a blockchain-based digital currency, which may be unique to the respective blockchain. In some cases, additional information, such as a source address and a timestamp, may be captured. In some embodiments, a blockchain may also comprise additional, and in some cases arbitrary, data that is validated and verified by the blockchain network through proof-of-work and/or any other suitable verification technique. In some cases, such data may be included in the blockchain as part of a transaction, for example, in additional data appended to the transaction data. In some cases, the inclusion of such data in the blockchain may constitute a transaction. In such cases, the blockchain may not be directly associated with a specific digital, virtual, fiat, or other type of currency. A blockchain can be private, where only authorized systems or devices can access the blockchain, or public, where the blockchain can be accessed by any device or system. In either case, the ability of a device or system to add transactions to the blockchain may be restricted.

System for cryptographic key distribution via elliptic curve cryptography

FIG. 1 illustrates a system 100 for transmitting cryptographic keys for secure transmission of data using elliptic curve cryptography.

The system 100 may include a processing server 102. The processing server 102, discussed in more detail below, may be configured to generate a plurality of cryptographic keys for distribution using elliptic curve cryptography, which are used in accessibility of data to a plurality of computing devices 104a, 104b, and 104c. This is accomplished in a manner requiring processing on a computer that is specifically programmed to perform the functions disclosed herein, which cannot be performed on a general-purpose computer and cannot be accomplished realistically through mental processes or pencil and paper, and thereby provides a technical solution to negotiate reward ownership in the secure transmission of data. The processing server 102 may receive an access key request that may request a plurality of keys to be distributed to the computing devices 104a, 104b, and 104c for use in accessing data. The access key request may be received from an external device, such as another computing device or system, for example via electronic transmission from such a device or system using a suitable communication network (e.g., a local area network, a wide area network, radio frequency, Bluetooth, near field communication, the Internet, etc.), or may be received via one or more input devices connected to processing server 102 (e.g., accessible by a user of processing server 102). The access key request may specify the number n of computing devices for which access keys are being requested. In the example shown in FIG. 1, the access key request may be for three access keys.

The processing server 102 can then generate the requested number of n key pairs. Each key pair can include a private key and a public key, referred to herein as a "reward" key pair, including a "reward" private key and public key. The processing server 102 can use a suitable key pair generation algorithm in generating the requested number of key pairs. In an exemplary embodiment, the key pair generation algorithm can be an elliptic curve key agreement scheme. In another embodiment, as will be appreciated by those skilled in the art, an elliptic curve Diffie-Hellman (ECDH) key agreement protocol can be used to generate each of the n key pairs. In any case, the key pair generation algorithm can be a key pair generation algorithm suitable for use with a shared secret, which is discussed in more detail below.

Once n reward key pairs have been generated, the processing server 102 can derive the access private key by applying the reward private key from each of the n reward key pairs to a key derivation algorithm. In some embodiments, the key derivation algorithm can include the use of an XOR logical operation. In an exemplary embodiment, the key derivation algorithm can be such that a change in the ordering or sequencing of the reward private keys when deriving the access private key still results in the same access private key. In such an embodiment, any entity in possession of each reward private key and knowing the key derivation algorithm used can reproduce the access private key regardless of the ordering or sequencing of the reward private keys.

Processing server 102 may also be configured to generate an access public key corresponding to the derived access private key. The access public key may be generated using a key pair generation algorithm, which may be the same key pair generation algorithm used to generate the reward key pairs. For example, in an exemplary embodiment, processing server 102 may use the ECDH key agreement protocol to generate the access public key as part of a key pair with the derived access private key.

The processing server 102 can use the derived access private key to restrict access to data. Any suitable method for restricting access to data using a private key can be used. For example, in one example, the data can be encrypted using the access private key and a suitable encryption algorithm. In another example, the data to which access is restricted can be an amount of blockchain currency available via the blockchain network 106. In such an example, the access public key can be used to generate a destination address for the amount of blockchain currency, where the access private key is used to sign the destination address and provide access to the blockchain currency associated therewith. Using key pairs to transmit and access blockchain currency via the blockchain network 106 will be apparent to those skilled in the relevant art.

Once processing server 102 has restricted access to the desired data using the access private key, processing server 102 can electronically send a reward private key to each computing device 104a, 104b, and 104c, such that each computing device receives a different reward private key. For example, in the example shown in FIG. 1, processing server 102 can generate reward private keys Ka, Kb, and Kc, which can be electronically sent to computing devices 104a, 104b, and 104c, respectively. In some embodiments, the reward private key can be superimposed on a data signal electronically sent to the respective computing devices 104a, 104b, and 104c using the Internet or another suitable communication network.

In an exemplary embodiment, the reward private key may be encrypted using a shared secret prior to transmission. In such an embodiment, processing server 102 and each computing device 104a, 104b, and 104c may generate a key pair for transmission, encryption, and decryption of the reward private key using the shared secret. Processing server 102 and computing devices 104a, 104b, and 104c may each generate a key pair using the same key pair generation algorithm, which may be the ECDH key agreement protocol or another algorithm suitable for use with the shared secret. Using the key pair generation algorithm, processing server 102 may generate a key pair, referred to herein as a "transport" key pair, comprising a "transport" private key and public key. Each computing device 104a, 104b, and 104c may use the key pair generation algorithm to generate a key pair, referred to herein as a "device" key pair, comprising a "device" private key and public key. Each computing device 104a, 104b, and 104c may electronically send its associated device public key to processing server 102 using a suitable communication method. The processing server 102 may also electronically transmit the transport public key to each of the computing devices 104a, 104b, and 104c. In some cases, the transport public key may be sent along with the encrypted reward private key (e.g., in the same or an accompanying transmission).

After processing server 102 has received the device public keys from computing devices 104a, 104b, and 104c, processing server 102 may generate a shared secret. The shared secret may be generated using the transport private key and the device public key in combination with the key pair generation algorithm used in generating the respective keys. The shared secret may be a secret that is equivalent whether it is generated using the private key of a first key pair and the public key of a second key pair, or using the public key of the first key pair and the private key of the second key pair. For example, in the illustrated example, processing server 102 may use the transport private key generated by processing server 102 and the device public key received from processing server 102 to generate a shared secret for transmitting the reward private key Ka to computing device 104a. Computing device 104a may use the transport public key received from processing server 102 and the device private key generated by computing device 104a to generate an equivalent shared secret.

Once processing server 102 has generated a shared secret associated with a computing device 104a, 104b, and 104c (e.g., using the device public key of that particular computing device), processing server 102 may use the associated shared secret to encrypt the reward private key being transmitted to that computing device 104a, 104b, and 104c. Any suitable encryption algorithm may be used, such as the AES256 encryption algorithm. The encrypted reward private key may then be electronically transmitted to the associated computing devices 104a, 104b, and 104c using any suitable communication method. In some cases, processing server 102 may include the transport public key in the electronic communication used to transmit the encrypted reward private key.

Each computing device 104a, 104b, and 104c can generate a shared secret for decrypting the received encrypted reward private key. The shared secret can be generated using the transport public key electronically sent by processing server 102 and the computing device's generated device private key. The shared secret can be generated using the key pair generation algorithm used by computing devices 104a, 104b, and 104c and processing server 102 to generate the corresponding key pairs. Computing devices 104a, 104b, and 104c can use the shared secret to decrypt the reward private key using the appropriate encryption algorithm used by processing server 102. For example, computing devices 104a, 104b, and 104c can use the AES256 algorithm to decrypt the reward private key using the shared secret.
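The derivation and key-agreement steps described above, as an added example that is not part of the patent text: reward private keys are XOR-folded into an access private key, the access public key is computed from it, and both ends of an ECDH exchange reach the same shared key. The curve (secp256k1), the SHA-256 step that turns the shared x-coordinate into a 32-byte key, and all function names are assumptions; the arithmetic is not constant-time and the AES256 encryption step itself is not shown.

```python
import hashlib
import secrets
from functools import reduce

# Assumption: secp256k1 (y^2 = x^3 + 7 over F_P); the page names no curve.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True if pt is a finite point that satisfies the curve equation."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0


def point_add(a, b):
    """Affine point addition; None represents the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # a + (-a)
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord slope
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def new_keypair():
    """Random private scalar in [1, N-1] and its public point."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def derive_access_private(reward_privs):
    """XOR-fold the reward private keys. XOR is commutative and associative,
    so any ordering of the same keys gives the same access private key."""
    if len(reward_privs) < 2:
        raise ValueError("need at least two reward private keys")
    k = reduce(lambda a, b: a ^ b, reward_privs)
    # Edge case: XOR of valid scalars can be 0 (e.g. duplicate keys) or >= N.
    if not 1 <= k < N:
        raise ValueError("XOR result is not a valid private scalar")
    return k


def issue_reward_keys(n):
    """Server side: n reward key pairs plus the access key pair derived from
    them. Regenerates the whole set in the rare case the XOR is unusable."""
    while True:
        pairs = [new_keypair() for _ in range(n)]
        try:
            access_priv = derive_access_private([d for d, _ in pairs])
        except ValueError:
            continue
        return pairs, access_priv, scalar_mult(access_priv, G)


def shared_key(own_priv, peer_pub):
    """ECDH: own private key times the peer's public point, hashed to 32 bytes.
    The peer's point is validated first so an off-curve value is rejected."""
    if not on_curve(peer_pub):
        raise ValueError("peer public key is not on the curve")
    x, _ = scalar_mult(own_priv, peer_pub)
    return hashlib.sha256(x.to_bytes(32, "big")).digest()


if __name__ == "__main__":
    pairs, access_priv, access_pub = issue_reward_keys(3)     # Ka, Kb, Kc
    shuffled = [pairs[2][0], pairs[0][0], pairs[1][0]]
    print("order-independent:", derive_access_private(shuffled) == access_priv)
    t_priv, t_pub = new_keypair()                              # transport pair
    d_priv, d_pub = new_keypair()                              # device pair
    print("ECDH agrees:", shared_key(t_priv, d_pub) == shared_key(d_priv, t_pub))
```

Any holder of all n reward private keys recomputes the access private key with `derive_access_private`; a holder of fewer gets a value that differs from it by the XOR of the missing keys.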

Once each computing device 104a, 104b, and 104c has received and decrypted (if applicable) its corresponding reward private key, computing devices 104a, 104b, and 104c can negotiate possession of each reward private key. In some cases, users associated with computing devices 104a, 104b, or 104c can negotiate possession of the reward private keys without using computing devices 104a, 104b, and 104c. For example, in the example shown, the three users of computing devices 104a, 104b, and 104c can negotiate offline to agree that the user of computing device 104a will collect each reward private key. In this case, computing devices 104b and 104c can electronically send their reward private keys to computing device 104a using a suitable communication method.

In some embodiments, the reward private key can be transmitted between computing devices 104a, 104b, and 104c using a shared secret. In such an embodiment, computing devices 104a, 104b, and 104c can exchange their associated device public keys to generate a shared secret for encrypting the reward private key for transmission. For example, computing device 104b can use the device private key generated by computing device 104b and the device public key generated by computing device 104a to generate a shared secret for encrypting the reward private key Kb, and then encrypt the reward private key Kb using the shared secret. Computing device 104b can then electronically send the encrypted reward private key Kb to computing device 104a using a suitable communication method. Computing device 104a can then use the device private key generated by computing device 104a and the device public key generated by computing device 104b to generate the shared secret and decrypt the reward private key Kb. Computing devices 104a and 104c can then repeat the process for computing device 104a to receive and decrypt the reward private key Kc.

Once the computing device 104a, 104b, or 104c possesses each reward private key, the computing device 104a, 104b, or 104c can derive the access private key using the key derivation algorithm used by the processing server 102 in its derivation. The computing device 104a, 104b, or 104c can use the access private key to access the data being transferred. For example, if the data is a blockchain currency associated with the blockchain network 106, the computing device 104a, 104b, or 104c can use the access private key as a signature to access the blockchain currency transferred to the destination address generated using the access public key.

The methods and systems discussed herein can enable the transmission of data that can be accessed using a single private key that must be derived via multiple keys distributed to multiple entities. By using keys distributed to multiple entities, data can remain secure until negotiated by the multiple entities without requiring the participation of the transmitting party. Additionally, because the access key is derived using the keys distributed to each entity, the data can have a significantly higher level of security than using a single key, which can provide greater protection for the data, particularly in situations where the data is publicly available but inaccessible, such as in blockchain network 106. The use of elliptic curve cryptography can provide even greater protection, as even the reward private keys can have an enhanced level of protection in their transmission. Thus, the methods and systems discussed herein can provide improved protection in both the transmission of data and the transmission of keys used to access the transmitted data.

The use of the methods and systems discussed herein may also be beneficial in the storage of cryptographic keys used to access secure data. For example, an entity may store data securely and use the methods discussed herein to generate a single private key to encrypt the data, wherein the reward private keys used to derive the single private key are distributed to multiple different computing systems, and the single private key is discarded. In this case, if the cryptographic key repository for one of the computing systems is compromised, the data may still be secure because the entity gaining access to the reward private key will not be able to derive the single private key used to encrypt the data. The compromised private key can be provided to other computing systems, from which the single private key can be derived, and the process repeated to generate a new set of reward private keys. In this case, the data can remain secure at any time if any of the cryptographic key repositories are compromised. Thus, the methods discussed herein may be beneficial in providing secure distributed cryptographic key storage.

Processing Server

FIG. 2 illustrates an embodiment of a processing server 102 of system 100. As will be apparent to those skilled in the relevant art, the embodiment of processing server 102 illustrated in FIG. 2 is provided for illustration only and may not be exhaustive of all possible configurations of processing server 102 suitable for performing the functions discussed herein. For example, the computer system illustrated in FIG. 6 and discussed in greater detail below may be a suitable configuration for processing server 102.

Processing server 102 may include a receiving device 202. Receiving device 202 may be configured to receive data over one or more networks via one or more network protocols. In some cases, receiving device 202 may also be configured to receive data from computing devices 104a, 104b, and 104c, blockchain network 106, and other entities via a suitable communication network (such as a local area network, a wide area network, a radio frequency network, the Internet). In some embodiments, receiving device 202 may be comprised of multiple devices, such as different receiving devices for receiving data over different networks, for example a first receiving device for receiving data via near-field communication and a second receiving device for receiving data over the Internet. Receiving device 202 may receive an electronically transmitted data signal, wherein data may be superimposed on the data signal and decoded, parsed, read, or otherwise obtained via receipt of the data signal by receiving device 202. In some cases, receiving device 202 may include a parsing module for parsing the received data signal to obtain the data superimposed thereon. For example, receiving device 202 may include a parser program configured to receive and transform received data signals into usable input for the functions performed by the processing device to carry out the methods and systems described herein.

The receiving device 202 may be configured to receive data signals electronically transmitted by the computing devices 104a, 104b, and 104c for use in performing the functions discussed herein. The data signals electronically transmitted by the computing devices 104a, 104b, or 104c may be superimposed with a device public key, for example for use in generating a shared secret. The receiving device 202 may also receive data signals from additional devices and systems, such as from the blockchain network 106 and/or nodes associated therewith, for use in transferring data (e.g., blockchain currency) via the blockchain network 106, and from external computing devices that submit access key requests. In some cases, the receiving device 202 may receive a data signal superimposed with an access key request for n reward private keys for accessing data from the computing devices 104a, 104b, and 104c to receive one of the reward private keys.

The processing server 102 may also include a communication module 204. The communication module 204 may be configured to transfer data between modules, engines, databases, memories, and other components of the processing server 102 for use in performing the functions discussed herein. The communication module 204 may be comprised of one or more communication types and utilize various communication methods for communication within a computing device. For example, the communication module 204 may include a bus, contact pin connectors, wires, etc. In some embodiments, the communication module 204 may also be configured to communicate between internal components of the processing server 102 and external components of the processing server 102, such as externally connected databases, display devices, input devices, etc. The processing server 102 may also include a processing device. The processing device may be configured to perform the functions of the processing server 102 discussed herein, as will be apparent to those skilled in the relevant art. In some embodiments, the processing device may include and/or be comprised of multiple engines and/or modules specifically configured to perform one or more functions of the processing device, such as a query module 218, a generation module 206, a derivation module 208, an encryption module 210, a decryption module 212, etc.
As used herein, the term "module" can be software or hardware that is specifically programmed to receive input, perform one or more processes using the input, and provide output. Based on this disclosure, the inputs, outputs, and processes performed by the various modules will be apparent to those skilled in the art.

The processing server 102 may include a query module 218. The query module 218 may be configured to execute queries on databases to identify information. The query module 218 may receive one or more data values or query strings, and may execute a query on an indicated database (e.g., the memory 216) based on the one or more data values or query strings to identify information stored therein. The query module 218 may then output the identified information to an appropriate engine or module of the processing server 102 as needed. The query module 218 may, for example, execute a query on the memory 216 to identify one or more keys received from the computing devices 104a, 104b, and 104c or generated by the processing server 102 for use in the methods discussed herein.

The processing server 102 may include a generation module 206. The generation module 206 may be configured to generate key pairs and shared secrets. The generation module 206 may receive a request as input, which may request the generation of a key pair or a shared secret and may include information for use in connection therewith. The generation module 206 may perform the requested function and may output the requested data for use by another module or engine of the processing server 102. For example, the generation module 206 may be configured to generate a key pair, such as a reward key pair, using a key pair generation algorithm included in the request or otherwise indicated (e.g., and identified in the memory 216 via the query module 218). The generation module 206 may also be configured to generate a shared secret using a public key and a private key from two different key pairs, which may utilize the same key pair generation algorithm. In some cases, the generation module 206 may also be configured to generate a public key corresponding to a private key using the key pair generation algorithm. In an exemplary embodiment, the generation module 206 may use the ECDH key agreement protocol.

The processing server 102 may also include a derivation module 208. The derivation module 208 may be configured to derive public and/or private keys. The derivation module 208 may receive one or more keys and a key derivation algorithm or an indication thereof as input, may derive the requested one or more keys, and may output the requested one or more keys for use by another module or engine of the processing server 102. For example, the derivation module 208 may receive multiple reward private keys generated by the generation module 206 and may derive a corresponding access private key based on the multiple reward private keys using a suitable key derivation algorithm. In some embodiments, the derivation module 208 may use an algorithm such that the ordering or sequencing of the reward private keys is immaterial, in that variations in the order in which the reward private keys are used in the derivation result in the same access private key. In such embodiments, the key derivation algorithm may include use of an XOR logical operation.

The processing server 102 may also include an encryption module 210. The encryption module 210 may be configured to encrypt data using a suitable encryption algorithm, such as the AES256 algorithm. The encryption module 210 may receive as input the data to be encrypted and the key to be used, may encrypt the data using a suitable algorithm, and may output the encrypted data to another module or engine of the processing server 102 for use thereby. In some cases, the encryption module 210 may receive the encryption algorithm or an indication thereof as input. In other cases, the encryption module 210 may identify the encryption algorithm to be used. For example, the encryption module 210 may encrypt a reward private key using a shared secret generated in association therewith.

The processing server 102 may also include a decryption module 212. The decryption module 212 may be configured to decrypt data using a suitable encryption algorithm, such as the AES256 algorithm. The decryption module 212 may receive as input the data to be decrypted and the key to be used, may decrypt the data using a suitable algorithm, and may output the decrypted data to another module or engine of the processing server 102 for use thereby. The input provided to the decryption module 212 may include the encryption algorithm to be used, or may include an indication thereof, such as an indication for use in identifying an encryption algorithm stored in the memory 216 via the query module 218. The decryption module 212 may, for example, decrypt keys provided by the computing devices 104a, 104b, and 104c using an associated shared secret.

In some embodiments, the processing server 102 may include additional modules or engines for use in performing the functions discussed herein. For example, the processing server 102 may include additional modules for use in conjunction with the blockchain network 106, such as for initiating and submitting blockchain transactions and for signing addresses and transaction requests for transferring blockchain currency using the blockchain network 106. In some cases, the modules of the processing server 102 shown in FIG. 2 and discussed herein may be configured to perform additional functions in association therewith. For example, the generation module 206 may be configured to generate a blockchain destination address using the access public key.

The processing server 102 may also include a transmitting device 214. The transmitting device 214 may be configured to transmit data over one or more networks via one or more network protocols. In some cases, the transmitting device 214 may be configured to transmit data to the computing devices 104a, 104b, and 104c, the blockchain network 106, and other entities via a suitable communication network (such as a local area network, a wide area network, a radio frequency network, or the Internet). In some embodiments, the transmitting device 214 may include multiple devices, such as different transmitting devices for transmitting data over different networks, for example a first transmitting device for transmitting data via near-field communication and a second transmitting device for transmitting data over the Internet. The transmitting device 214 may electronically transmit data signals having data superimposed thereon that can be parsed by a receiving computing device. In some cases, the transmitting device 214 may include one or more modules for superimposing, encoding, or otherwise formatting data into data signals suitable for transmission.

The transmitting device 214 may be configured to electronically transmit data signals superimposed with public and/or private keys to the computing devices 104a, 104b, and 104c, which keys may in some cases be encrypted using a shared secret. For example, the transmitting device 214 may be configured to transmit a data signal superimposed with an encrypted reward private key to the computing devices 104a, 104b, and 104c, which may also be superimposed with a transfer public key for use by the computing devices 104a, 104b, and 104c in generating the shared secret. The transmitting device 214 may also be configured to transmit data signals to the blockchain network 106 for use in transferring blockchain currency.

The processing server 102 may also include a memory 216. The memory 216 may be configured to store data for use by the processing server 102 in performing the functions discussed herein. The memory 216 may be configured to store data using suitable data formatting methods and schemas and may be any suitable type of memory, such as read-only memory, random access memory, etc. The memory 216 may include, for example, encryption keys and algorithms, communication protocols and standards, data formatting standards and protocols, program code for modules and applications of the processing device, and other data that may be suitable for use by the processing server 102 in performing the functions disclosed herein, as will be apparent to those skilled in the relevant art. The memory 216 may be configured to store the key pair generation algorithms, key derivation algorithms, and encryption algorithms used in performing the functions of the processing server 102 discussed herein.

Derivation of the Access Private Key

FIG. 3 illustrates a process 300 for deriving an access private key for use in accessing data via the generation of multiple cryptographic keys for distribution to the multiple computing devices 104a, 104b, and 104c.

In step 302, the generation module 206 of the processing server 102 may generate a plurality of reward key pairs 304a, 304b, and 304c using a suitable key pair generation algorithm, which may be an elliptic curve key agreement scheme, such as the ECDH key agreement protocol. The number of reward key pairs generated by the generation module 206 may be based on an access key request received by the receiving device 202 of the processing server 102 or by one or more input devices interfaced with the processing server 102.

In the example shown in FIG. 3, the generation module 206 may generate three reward key pairs 304a, 304b, and 304c, shown in FIG. 3 as key pair 1 304a, key pair 2 304b, and key pair 3 304c. Each reward key pair 304a, 304b, and 304c may include a reward private key and a corresponding reward public key. In step 306, the derivation module 208 of the processing server 102 may derive an access private key 308 using an XOR logical operation on the reward private key from each of the reward key pairs 304a, 304b, and 304c. Because an XOR logical operation is used, the order of the operations used to derive the access private key 308 may be immaterial to the derived access private key. For example, in the process 300 shown in FIG. 3, the key pairs 304a, 304b, and 304c may include three reward private keys R1, R2, and R3. The access private key 308 derived using the XOR logical operation on all three keys via XOR(R1, XOR(R2, R3)) may be equivalent to the access private key 308 derived via the operations XOR(R2, XOR(R1, R3)) and XOR(R3, XOR(R1, R2)).

The processing server 102 may then use the resulting access private key 308 to restrict access to data. For example, the access private key 308 may be used to encrypt data, or may be used to sign a destination address for receiving blockchain currency associated with the blockchain network 106. The reward private key included in each reward key pair 304a, 304b, and 304c may be distributed among the computing devices 104a, 104b, and 104c as a means of providing access to the restricted data. For distributed cryptographic key storage, an entity may use the access private key 308 to encrypt or otherwise restrict access to data, may discard the access private key 308, and may then distribute the reward private key in each reward key pair 304a, 304b, and 304c to the computing devices 104a, 104b, and 104c, which may be part of the entity (e.g., affiliated or controlled computing systems) or may be associated trusted entities. In this case, if the key storage of any of the computing devices 104a, 104b, and 104c is compromised, the data may remain secure.

Process for Transmitting Keys for Data Access via Elliptic Curve Cryptography

FIG. 4 illustrates a process for distributing private keys via elliptic curve cryptography, such as for the distribution of the reward private keys generated using the process 300 shown in FIG. 3 and used to derive the access private key for accessing data.

In step 402, the processing server 102 may generate a plurality of reward key pairs and derive an access private key therefrom, such as by using the process 300 shown in FIG. 3 and discussed above. In step 404, the processing server 102 and the computing devices 104a, 104b, and 104c may exchange public keys for use in generating a shared secret. The computing devices 104a, 104b, and 104c may use a key pair generation algorithm, such as the ECDH key agreement protocol, to generate a device key pair, which may include a device private key and a device public key. The generation module 206 of the processing server 102 may use the same key pair generation algorithm to generate a transfer key pair, yielding a transfer private key and a transfer public key. The exchange of public keys may include electronic communication of the device public key from the computing devices 104a, 104b, and 104c to the processing server 102 and electronic communication of the transfer public key from the processing server 102 (e.g., via the transmitting device 214) to the computing devices 104a, 104b, and 104c.

In step 406, the generation module 206 of the processing server 102 may generate a shared secret. The shared secret may be generated using the same key pair generation algorithm (such as the ECDH key agreement protocol), using the transfer private key generated by the generation module 206 and the device public key received from the computing devices 104a, 104b, and 104c. In step 406, the computing devices 104a, 104b, and 104c may generate an equivalent shared secret using the same key pair generation algorithm, using the device private key previously generated by the computing device 104a, 104b, or 104c and the transfer public key received from the processing server 102.

In step 410, the encryption module 210 of the processing server may use the shared secret with a suitable encryption algorithm to encrypt the reward private key that was generated in step 402 and used to derive the access private key. The encryption algorithm may be, for example, the AES256 algorithm. In step 412, the transmitting device 214 of the processing server 102 may electronically transmit a data signal superimposed with the encrypted reward private key to the computing devices 104a, 104b, and 104c using a suitable communication network and protocol.

In step 414, the computing devices 104a, 104b, and 104c may receive the data signal and may parse the encrypted reward private key therefrom. In step 416, the computing device 104a, 104b, or 104c may decrypt the reward private key. The reward private key may be decrypted with the shared secret, using the same encryption algorithm used by the processing server 102. The decrypted reward private key may be used to derive the access private key when combined with the other reward private keys (e.g., received from the other computing devices 104a, 104b, or 104c) using an appropriate key derivation algorithm.

Exemplary Method of Distributing Multiple Cryptographic Keys for Accessing Data

FIG. 5 illustrates a method 500 for distributing a plurality of cryptographic keys to a plurality of computing devices, the plurality of cryptographic keys being usable to derive an access key for accessing data.

In step 502, a data signal superimposed with an access key request may be received by a receiving device (e.g., the receiving device 202) of a processing server (e.g., the processing server 102), wherein the access key request includes at least a number, n, greater than 1, of requested keys. In step 504, n key pairs may be generated by a generation module (e.g., the generation module 206) of the processing server using a key pair generation algorithm, wherein each key pair includes a private key and a public key.

In step 506, an access private key may be derived by a derivation module (e.g., the derivation module 208) of the processing server by applying the private key included in each of the n key pairs to a key derivation algorithm. In step 508, an access public key corresponding to the derived access private key may be generated by the generation module of the processing server using the key pair generation algorithm. In step 510, a data signal superimposed with the private key included in one of the n key pairs may be electronically transmitted by a transmitting device (e.g., the transmitting device 214) of the processing server for each of the n key pairs.

In one embodiment, the method 500 may further include: storing, in a memory (e.g., the memory 216) of the processing server, a transfer key pair including a transfer public key and a transfer private key; receiving, by the receiving device of the processing server, a data signal superimposed with a shared public key from each of n computing devices (e.g., the computing devices 104a, 104b, or 104c); generating, by the generation module of the processing server, n shared secrets, wherein each shared secret is generated using a shared public key of the n shared public keys, the transfer private key, and the key pair generation algorithm; and encrypting, by an encryption module (e.g., the encryption module 210) of the processing server, the private key included in each of the n key pairs with one of the n shared secrets using an encryption algorithm, wherein the private key superimposed on the electronically transmitted data signal is the corresponding encrypted private key. In a further embodiment, the method 500 may further include electronically transmitting, by the transmitting device of the processing server, a data signal superimposed with the transfer public key to the n computing devices.

In yet another embodiment, the data signal superimposed with the transfer public key may be electronically transmitted to the n computing devices prior to receiving the data signals superimposed with the shared public keys. In another further embodiment, each data signal superimposed with the transfer public key may be the same data signal as each data signal superimposed with an encrypted private key. In yet another embodiment, the transmitted data signal may be electronically transmitted to a node in a blockchain network (e.g., the blockchain network 106), wherein the encrypted private key is included in a transaction request that also includes a destination address corresponding to the respective shared public key.

In some embodiments, the key pair generation algorithm may be an elliptic curve key agreement scheme. In a further embodiment, the elliptic curve key agreement scheme may be the elliptic curve Diffie-Hellman key agreement protocol. In one embodiment, the key derivation algorithm may include use of an XOR logical operation. In some embodiments, the method 500 may further include electronically transmitting, by the transmitting device of the processing server, a data signal superimposed with a transaction request to a node in a blockchain network, wherein the transaction request includes at least a destination address signed using the derived access private key.

Computer System Architecture

FIG. 6 illustrates a computer system 600 in which embodiments of the present disclosure, or portions thereof, may be implemented as computer-readable code. For example, the processing server 102 of FIG. 1 may be implemented in the computer system 600 using hardware, software, firmware, a non-transitory computer-readable medium having instructions stored thereon, or a combination thereof, and may be implemented in one or more computer systems or other processing systems. Hardware, software, or any combination thereof may embody the modules and components used to implement the methods of FIGS. 3-5.

If programmable logic is used, such logic may execute on a commercially available processing platform or a dedicated device. Those of ordinary skill in the art will appreciate that embodiments of the disclosed subject matter can be practiced with various computer system configurations, including multi-core multiprocessor systems, minicomputers, mainframe computers, computers linked or clustered with distributed functions, and ordinary or miniature computers that may be embedded into virtually any device. For example, at least one processor device and a memory may be used to implement the embodiments described above.

A processor unit or device as discussed herein may be a single processor, a plurality of processors, or a combination thereof. A processor device may have one or more processor "cores." The terms "computer program medium," "non-transitory computer-readable medium," and "computer-usable medium" as discussed herein are generally used to refer to tangible media, such as a removable storage unit 618, a removable storage unit 622, and a hard disk installed in a hard disk drive 612.

Various embodiments of the present disclosure are described in terms of this exemplary computer system 600. After reading this description, it will become apparent to those skilled in the relevant art how to implement the present disclosure using other computer systems and/or computer architectures. Although operations may be described as a sequential process, some of the operations may in fact be performed in parallel, concurrently, and/or in a distributed environment, and with program code stored locally or remotely for access by single-processor or multi-processor machines. In addition, in some embodiments the order of operations may be rearranged without departing from the spirit of the disclosed subject matter.

The processor device 604 may be a special purpose or general purpose processor device specifically configured to perform the functions discussed herein. The processor device 604 may be connected to a communication infrastructure 606, such as a bus, message queue, network, multi-core message-passing scheme, etc. The network may be any network suitable for performing the functions disclosed herein and may include a local area network (LAN), a wide area network (WAN), a wireless network (e.g., WiFi), a mobile communication network, a satellite network, the Internet, fiber optic, coaxial cable, infrared, radio frequency (RF), or any combination thereof. Other suitable network types and configurations will be apparent to those skilled in the relevant art. The computer system 600 may also include a main memory 608 (e.g., random access memory, read-only memory, etc.), and may also include a secondary memory 610. The secondary memory 610 may include the hard disk drive 612 and a removable storage drive 614, such as a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash memory, etc.

The removable storage drive 614 may read from and/or write to the removable storage unit 618 in a well-known manner. The removable storage unit 618 may include a removable storage medium that may be read by and written to by the removable storage drive 614. For example, if the removable storage drive 614 is a floppy disk drive or a universal serial bus port, the removable storage unit 618 may be a floppy disk or a portable flash drive, respectively. In one embodiment, the removable storage unit 618 may be a non-transitory computer-readable recording medium.

In some embodiments, the secondary memory 610 may include alternative means for allowing computer programs or other instructions to be loaded into the computer system 600, for example, the removable storage unit 622 and an interface 620. Examples of such means may include a program cartridge and cartridge interface (e.g., as found in video game systems), a removable memory chip (e.g., EEPROM, PROM, etc.) and associated socket, and other removable storage units 622 and interfaces 620, as will be apparent to those skilled in the relevant art.

Data stored in the computer system 600 (e.g., in the main memory 608 and/or the secondary memory 610) may be stored on any type of suitable computer-readable medium, such as optical storage (e.g., a compact disc, digital versatile disc, Blu-ray disc, etc.) or magnetic tape storage (e.g., a hard disk drive). The data may be configured in any type of suitable database configuration, such as a relational database, a structured query language (SQL) database, a distributed database, an object database, etc. Suitable configurations and storage types will be apparent to those skilled in the relevant art.

The computer system 600 may also include a communication interface 624. The communication interface 624 may be configured to allow software and data to be transferred between the computer system 600 and external devices. Exemplary communication interfaces 624 may include a modem, a network interface (e.g., an Ethernet card), a communication port, a PCMCIA slot and card, etc. Software and data transferred via the communication interface 624 may be in the form of signals, which may be electronic, electromagnetic, optical, or other signals, as will be apparent to those skilled in the relevant art. The signals may travel via a communication path 626, which may be configured to carry the signals and may be implemented using wire, cable, optical fiber, a telephone line, a cellular phone link, a radio frequency link, etc.

The computer system 600 may also include a display interface 602. The display interface 602 may be configured to allow data to be transferred between the computer system 600 and an external display 630. Exemplary display interfaces 602 may include a high-definition multimedia interface (HDMI), a digital visual interface (DVI), a video graphics array (VGA), etc. The display 630 may be any suitable type of display for displaying data transmitted via the display interface 602 of the computer system 600, including a cathode ray tube (CRT) display, a liquid crystal display (LCD), a light-emitting diode (LED) display, a capacitive touch display, a thin-film transistor (TFT) display, etc.

Computer program medium and computer usable medium may refer to memories, such as the main memory 608 and the secondary memory 610, which may be memory semiconductors (e.g., DRAM, etc.). These computer program products may be means for providing software to the computer system 600. Computer programs (e.g., computer control logic) may be stored in the main memory 608 and/or the secondary memory 610. Computer programs may also be received via the communication interface 624. Such computer programs, when executed, may enable the computer system 600 to implement the present methods as discussed herein. In particular, the computer programs, when executed, may enable the processor device 604 to implement the methods illustrated by Figures 3-5, as discussed herein. Accordingly, such computer programs may represent controllers of the computer system 600. Where the present disclosure is implemented using software, the software may be stored in a computer program product and loaded into the computer system 600 using the removable storage drive 614, the interface 620, and the hard disk drive 612, or the communication interface 624.

The processor device 604 may include one or more modules or engines configured to perform the functions of the computer system 600. Each of the modules or engines may be implemented using hardware and, in some instances, may also use software, such as software corresponding to program code and/or programs stored in the main memory 608 or the secondary memory 610. In such instances, the program code may be compiled by the processor device 604 (e.g., by a compiling module or engine) prior to execution by the hardware of the computer system 600. For example, the program code may be source code written in a programming language that is translated into a lower-level language, such as assembly language or machine code, for execution by the processor device 604 and/or any additional hardware components of the computer system 600. The process of compiling may include the use of lexical analysis, preprocessing, parsing, semantic analysis, syntax-directed translation, code generation, code optimization, and any other techniques that may be suitable for translating program code into a lower-level language suitable for controlling the computer system 600 to perform the functions disclosed herein. It will be apparent to those skilled in the relevant art that such processes result in the computer system 600 being a specially configured computer system 600 uniquely programmed to perform the functions discussed above.

Techniques consistent with the present disclosure provide, among other features, systems and methods for distributing multiple cryptographic keys used to access data. While various exemplary embodiments of the disclosed systems and methods have been described above, it should be understood that they have been presented for purposes of example only, not limitation. The description is not exhaustive and does not limit the disclosure to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the disclosure, without departing from its breadth or scope.

Claims (18)

1. A method for distributing multiple cryptographic keys used to access data, comprising:
receiving, by a receiving device of a processing server, a data signal superimposed with an access key request, wherein the access key request includes at least a number, n, greater than 1, of requested keys;
generating, by a generation module of the processing server, n key pairs using a key pair generation algorithm, wherein each key pair includes a private key and a public key;
deriving, by a derivation module of the processing server, an access private key by applying the private key included in each of the n key pairs to a key derivation algorithm;
generating, by the generation module of the processing server, an access public key corresponding to the derived access private key using the key pair generation algorithm;
electronically transmitting, by a transmitting device of the processing server, a data signal for each of the n key pairs, the data signal being superimposed with the private key included in one of the n key pairs; and
storing, in a memory of the processing server, a transmission key pair including a transmission public key and a transmission private key;
receiving, by the receiving device of the processing server, a data signal superimposed with a shared public key from each of n computing devices;
generating, by the generation module of the processing server, n shared secrets, wherein each shared secret is generated using a shared public key of the n shared public keys, the transmission private key, and the key pair generation algorithm; and
encrypting, by an encryption module of the processing server, the private key included in each of the n key pairs with one of the n shared secrets using an encryption algorithm, wherein
the private key superimposed in the electronically transmitted data signal is the respective encrypted private key.

2. The method of claim 1, further comprising:
electronically transmitting, by the transmitting device of the processing server, a data signal superimposed with the transmission public key to the n computing devices.

3. The method of claim 2, wherein the data signal superimposed with the transmission public key is electronically transmitted to the n computing devices prior to receiving the data signal superimposed with the shared public key.

4. The method of claim 2, wherein each data signal superimposed with the transmission public key is the same data signal as each data signal superimposed with an encrypted private key.

5. The method of claim 1, wherein the transmitted data signal is electronically transmitted to a node in a blockchain network, and wherein the encrypted private key is included in a transaction request that further includes a destination address corresponding to the respective shared public key.

6. The method of claim 1, wherein the key pair generation algorithm is an elliptic curve key agreement scheme.

7. The method of claim 6, wherein the elliptic curve key agreement scheme is the elliptic curve Diffie-Hellman key agreement protocol.

8. The method of claim 1, wherein the key derivation algorithm includes use of an XOR logical operation.

9. The method of claim 1, further comprising:
electronically transmitting, by the transmitting device of the processing server, a data signal superimposed with a transaction request to a node in a blockchain network, wherein the transaction request includes at least a destination address signed using the derived access private key.

10. A system for distributing multiple cryptographic keys used to access data, comprising:
a transmitting device of a processing server;
a receiving device of the processing server configured to receive a data signal superimposed with an access key request, wherein the access key request includes at least a number, n, of requested keys;
a generation module of the processing server configured to generate n key pairs using a key pair generation algorithm, wherein each key pair includes a private key and a public key; and
a derivation module of the processing server configured to derive an access private key by applying the private key included in each of the n key pairs to a key derivation algorithm, wherein
the generation module of the processing server is further configured to generate an access public key corresponding to the derived access private key using the key pair generation algorithm,
the transmitting device of the processing server is configured to electronically transmit, for each of the n key pairs, a data signal superimposed with the private key included in one of the n key pairs; and
the system further comprises:
an encryption module of the processing server; and
a memory of the processing server configured to store a transmission key pair including a transmission public key and a transmission private key, wherein
the receiving device of the processing server is further configured to receive a data signal superimposed with a shared public key from each of n computing devices,
the generation module of the processing server is further configured to generate n shared secrets, wherein each shared secret is generated using a shared public key of the n shared public keys, the transmission private key, and the key pair generation algorithm,
the encryption module of the processing server is configured to encrypt the private key included in each of the n key pairs with one of the n shared secrets using an encryption algorithm, and
the private key superimposed in the electronically transmitted data signal is the respective encrypted private key.

11. The system of claim 10, wherein the transmitting device of the processing server is further configured to electronically transmit a data signal superimposed with the transmission public key to the n computing devices.

12. The system of claim 11, wherein the data signal superimposed with the transmission public key is electronically transmitted to the n computing devices prior to receiving the data signal superimposed with the shared public key.

13. The system of claim 11, wherein each data signal superimposed with the transmission public key is the same data signal as each data signal superimposed with an encrypted private key.

14. The system of claim 10, wherein the transmitted data signal is electronically transmitted to a node in a blockchain network, and wherein the encrypted private key is included in a transaction request that further includes a destination address corresponding to the respective shared public key.

15. The system of claim 10, wherein the key pair generation algorithm is an elliptic curve key agreement scheme.

16. The system of claim 15, wherein the elliptic curve key agreement scheme is the elliptic curve Diffie-Hellman key agreement protocol.

17. The system of claim 10, wherein the key derivation algorithm includes use of an XOR logical operation.

18. The system of claim 10, wherein the transmitting device of the processing server is further configured to electronically transmit a data signal superimposed with a transaction request to a node in a blockchain network, wherein the transaction request includes at least a destination address signed using the derived access private key.

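
The server-side flow of claims 1 and 6 to 8, with the matching device-side recovery, as an added example that is not code from the patent. It assumes secp256k1 as the curve, retries when the XOR of the n private keys falls outside [1, N-1], and uses a hash-derived pad with an HMAC tag as a stand-in for the unspecified encryption algorithm; all function names are hypothetical.

```python
import hashlib, hmac, secrets
from functools import reduce

# secp256k1 parameters; the curve choice is an assumption of this example.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        m = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def keypair():
    d = secrets.randbelow(N - 1) + 1  # private scalar in [1, N-1]
    return d, mul(d, G)

def ecdh(priv, peer_pub):  # shared secret = x-coordinate of priv * peer_pub
    x, y = peer_pub
    if (y * y - x * x * x - 7) % P:
        raise ValueError("peer public key is not on the curve")
    return mul(priv, peer_pub)[0].to_bytes(32, "big")

def wrap(secret, priv):  # stand-in cipher: hash-derived pad + HMAC tag, not an AEAD
    enc, mac = (hashlib.sha256(t + secret).digest() for t in (b"enc", b"mac"))
    ct = bytes(a ^ b for a, b in zip(priv.to_bytes(32, "big"), enc))
    return ct, hmac.new(mac, ct, "sha256").digest()

def unwrap(secret, ct, tag):
    enc, mac = (hashlib.sha256(t + secret).digest() for t in (b"enc", b"mac"))
    if not hmac.compare_digest(hmac.new(mac, ct, "sha256").digest(), tag):
        raise ValueError("authentication tag mismatch")
    return int.from_bytes(bytes(a ^ b for a, b in zip(ct, enc)), "big")

def provision(shared_pubs):  # server side: n shares, XOR-derived access key
    t_priv, t_pub = keypair()  # transmission key pair
    while True:  # the XOR of n scalars can fall outside [1, N-1]; retry if so
        shares = [keypair()[0] for _ in shared_pubs]
        access_priv = reduce(lambda a, b: a ^ b, shares)
        if 0 < access_priv < N:
            break
    wrapped = [wrap(ecdh(t_priv, pub), d) for pub, d in zip(shared_pubs, shares)]
    return t_pub, mul(access_priv, G), wrapped

def recover(shared_privs, t_pub, wrapped):  # devices pool their unwrapped shares
    parts = [unwrap(ecdh(d, t_pub), ct, tag) for d, (ct, tag) in zip(shared_privs, wrapped)]
    return reduce(lambda a, b: a ^ b, parts)
```

Because the derivation is a plain XOR, all n shares are needed to rebuild the access private key; each wrapped share can only be opened by the device holding the matching shared private key.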
HK19101516.2A 2016-01-20 2017-01-06 Method and system for distributed cryptographic key HK1259028B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US15/001,775 US10103885B2 (en) 2016-01-20 2016-01-20 Method and system for distributed cryptographic key provisioning and storage via elliptic curve cryptography
US15/001,775 2016-01-20
PCT/US2017/012437 WO2017127238A1 (en) 2016-01-20 2017-01-06 Method and system for distributed cryptographic key provisioning and storage via elliptic curve cryptography

Publications (2)

Publication Number Publication Date
HK1259028A1 (en) 2019-11-22
HK1259028B (en) 2021-05-21
