[go: up one dir, main page]

TWI707246B - Key management system based on distributed multi-layered recursive and method thereof - Google Patents

Key management system based on distributed multi-layered recursive and method thereof Download PDF

Info

Publication number
TWI707246B
TWI707246B TW107139085A TW107139085A TWI707246B TW I707246 B TWI707246 B TW I707246B TW 107139085 A TW107139085 A TW 107139085A TW 107139085 A TW107139085 A TW 107139085A TW I707246 B TWI707246 B TW I707246B
Authority
TW
Taiwan
Prior art keywords
key
encryption
address
processing module
shared
Prior art date
Application number
TW107139085A
Other languages
Chinese (zh)
Other versions
TW202018568A (en
Inventor
林香伶
鍾辰
林子圻
陳昶吾
林祐德
陳岱鈴
謝宏濤
Original Assignee
開曼群島商現代財富控股有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 開曼群島商現代財富控股有限公司 filed Critical 開曼群島商現代財富控股有限公司
Priority to TW107139085A priority Critical patent/TWI707246B/en
Publication of TW202018568A publication Critical patent/TW202018568A/en
Application granted granted Critical
Publication of TWI707246B publication Critical patent/TWI707246B/en

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

A key management system based on distributed multi-layered recursive and method thereof is disclosed. By recursively executing a secret sharing algorithm, encrypting according to a selected encryption key, calculating an index key according to a selected address and combining the selected address, so as to decompose the key, the selected encryption key and each address combination into a plurality of parts, wherein each different parts of the key, encryption key, and address combination in different databases. The mechanism is help to improve the security of the key.

Description

分散式多層遞迴的密鑰保管系統及其方法Distributed multi-layer recursive key storage system and method

本發明涉及一種密鑰保管系統及其方法,特別是分散式多層遞迴的密鑰保管系統及其方法。 The invention relates to a key custody system and method, in particular to a decentralized multi-layer recursive key custody system and method.

近年來,隨著政府、組織及民眾等對資訊安全的重視,各種基於密鑰(Key)的應用便如雨後春筍般出現。因此,如何安全地保管密鑰便成為各家廠商亟欲解決的問題之一。 In recent years, as governments, organizations, and people attach importance to information security, various key-based applications have sprung up. Therefore, how to safely keep the keys has become one of the problems that manufacturers urgently want to solve.

一般而言,常見的密鑰保管方式是以特定設備單獨存放,如:將密鑰單獨存放於隨身碟,或者是將密鑰進行加密並設置密碼等等。然而,當隨身碟遺失或密碼外洩、被破解時,都會造成非授權者獲得密鑰導致整個信任鏈被摧毀的情況,故上述保管方式皆具有密鑰安全性不佳的問題。 Generally speaking, the common key storage method is to store the key separately in a specific device, such as storing the key separately on a flash drive, or encrypting the key and setting a password, and so on. However, when the USB flash drive is lost or the password is leaked or cracked, it will cause the unauthorized person to obtain the key and the entire chain of trust will be destroyed. Therefore, the above storage methods all have the problem of poor key security.

有鑑於此,便有廠商提出金鑰管理系統(Key Management System,KMS)的技術,用於統一生成、分發和管理裝置和應用程式的密鑰(或稱金鑰),並且以一個主要密鑰來管理眾多已生成的其它密鑰。然而,由於所述主要密鑰會完整地儲存在設備上,所以安全性仍然不足,當主要密鑰外洩時,同樣會導 致其管理的其它密鑰一併受到影響,故以此方式仍然無法有效解決密鑰安全性不佳的問題。 In view of this, some manufacturers have proposed the key management system (Key Management System, KMS) technology, which is used to uniformly generate, distribute and manage the keys (or key) of devices and applications, and use a master key To manage many other keys that have been generated. However, since the main key will be completely stored on the device, the security is still insufficient. When the main key is leaked, it will also lead As a result, other keys managed by it are also affected, so this method still cannot effectively solve the problem of poor key security.

綜上所述,可知先前技術中長期以來一直存在密鑰安全性不佳之問題,因此實有必要提出改進的技術手段,來解決此一問題。 In summary, it can be seen that the prior art has always had the problem of poor key security for a long time. Therefore, it is necessary to propose improved technical means to solve this problem.

本發明揭露一種分散式多層遞迴的密鑰保管系統及其方法。 The invention discloses a decentralized multi-layer recursive key storage system and method.

首先,本發明揭露一種分散式多層遞迴的密鑰保管系統,此系統包含:建立模組、加密處理模組、金鑰處理模組、結合模組、驅動模組及儲存模組。其中,建立模組用以建立密鑰、N個加密金鑰、2N個位址及M個資料庫,並且將此密鑰作為待分解資料,其中,N及M為正整數;加密處理模組連接建立模組,用以執行秘密共享演算法將待分解資料分解為對應的M個共享單元,並且在未曾選擇的加密金鑰中任選其一,用以分別對每一共享單元進行加密以生成M個共享加密單元,以及在未曾選擇的位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的索引鍵值,並且根據每一資料庫的索引鍵值,將共享加密單元分別儲存在不同的資料庫;金鑰處理模組連接建立模組及加密處理模組,用以執行秘密共享演算法將加密處理模組選擇的加密金鑰分解為M個加密金鑰共享單元,並且在未曾選擇的位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的加密金鑰索引鍵值,以及根據每一資料庫的加密金鑰索引鍵值,將加密金鑰共享單元分別儲存在不同的資料庫;結合模組連接加密處理模組及金鑰處理模組,用以當存在尚未被選擇的位址時,以字串結合的方式結合在加密處理模組及金鑰處理模組中選擇的位址以作為待分解資料,使待分解 資料成為包含二個所述位址的位址組合並傳送至加密處理模組;驅動模組連接加密處理模組、金鑰處理模組及結合模組,用以當存在尚未被選擇的加密金鑰及位址時,驅動加密處理模組、金鑰處理模組及結合模組依序重複執行;儲存模組連接加密處理模組及金鑰處理模組,用以分別儲存加密處理模組及金鑰處理模組最後選擇的位址以提供還原密鑰時讀取。 First of all, the present invention discloses a distributed multi-layer recursive key storage system. The system includes: an establishment module, an encryption processing module, a key processing module, a combination module, a drive module, and a storage module. Among them, the establishment module is used to establish keys, N encryption keys, 2N addresses, and M databases, and use this key as the data to be decomposed, where N and M are positive integers; encryption processing module The connection establishment module is used to execute a secret sharing algorithm to decompose the data to be decomposed into corresponding M shared units, and choose one of the unselected encryption keys to encrypt each shared unit separately. Generate M shared encryption units and choose one of the unselected addresses to provide each database for hash calculation to generate the corresponding index key value, and according to the index key value of each database, the The shared encryption units are stored in different databases; the key processing module connects the establishment module and the encryption processing module to execute the secret sharing algorithm to decompose the encryption key selected by the encryption processing module into M encryption keys Shared unit, and choose one of the unselected addresses to provide each database to perform hash calculation to generate the corresponding encryption key index key value, and according to the encryption key index key value of each database , To store the encryption key sharing unit in different databases; the combination module connects the encryption processing module and the key processing module, so that when there is an address that has not been selected, it is combined in a string combination The address selected in the encryption processing module and the key processing module is used as the data to be decomposed, so that the The data becomes an address combination containing two of the addresses and is sent to the encryption processing module; the drive module is connected to the encryption processing module, the key processing module, and the combination module to be used when there is an unselected encryption fund Key and address, drive the encryption processing module, the key processing module and the combination module to execute repeatedly in sequence; the storage module is connected to the encryption processing module and the key processing module to store the encryption processing module and The address selected last by the key processing module is read when the key is restored.

另外,本發明揭露一種分散式多層遞迴的密鑰保管方法,其步驟包括:(A)建立密鑰、N個加密金鑰、2N個位址及M個資料庫,其中,N及M為正整數;(B)將密鑰作為待分解資料;(C)執行秘密共享演算法將待分解資料分解為對應的M個共享單元,並且在未曾選擇的加密金鑰中任選其一,用以分別對每一共享單元進行加密以生成M個共享加密單元,以及在未曾選擇的位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的索引鍵值,並且根據每一資料庫的索引鍵值,將共享加密單元分別儲存在不同的資料庫;(D)執行秘密共享演算法將選擇的加密金鑰分解為M個加密金鑰共享單元,並且在未曾選擇的位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的加密金鑰索引鍵值,以及根據每一資料庫的加密金鑰索引鍵值,將加密金鑰共享單元分別儲存在不同的資料庫;(E)當存在尚未被選擇的所述位址時,以字串結合的方式結合步驟(C)及(D)中選擇的位址以作為待分解資料,使待分解資料成為包含二個所述位址的位址組合;(F)當存在尚未被選擇的加密金鑰及位址時,重複執行步驟(C)至(E);以及(G)儲存步驟(C)及(D)中最後選擇的位址,用以提供還原密鑰時讀取。 In addition, the present invention discloses a decentralized multi-layer recursive key storage method, the steps of which include: (A) establishing a key, N encryption keys, 2N addresses and M databases, where N and M are Positive integer; (B) use the key as the data to be decomposed; (C) execute the secret sharing algorithm to decompose the data to be decomposed into the corresponding M shared units, and choose one of the unselected encryption keys, use Encrypt each shared unit separately to generate M shared encryption units, and choose one of the unselected addresses to provide each database for hash calculation to generate the corresponding index key value, and according to For the index key value of each database, the shared encryption unit is stored in a different database; (D) The secret sharing algorithm is executed to decompose the selected encryption key into M encryption key sharing units, and in the unselected Choose one of the addresses to provide each database to perform hash calculation to generate the corresponding encryption key index key value, and divide the encryption key sharing unit according to the encryption key index key value of each database Stored in a different database; (E) When there is the address that has not been selected, the address selected in steps (C) and (D) is combined in a string combination as the data to be decomposed, so that the Decompose the data into an address combination containing two of the addresses; (F) when there is an encryption key and address that have not been selected, repeat steps (C) to (E); and (G) save step ( The last address selected in C) and (D) is used to read when providing the recovery key.

本發明所揭露之系統與方法如上,與先前技術的差異在於本發明是透過遞迴執行秘密共享演算法、根據選擇的加密金鑰進行加密、根據選擇的 位址計算索引鍵值及組合選擇的位址,用以將密鑰、加密金鑰及位址組合皆分解為多個部分,使不同的資料庫中,分別儲存密鑰、加密金鑰及位址組合的不同部分。 The system and method disclosed in the present invention are as above. The difference from the prior art is that the present invention executes the secret sharing algorithm recursively, encrypts according to the selected encryption key, and selects The address calculation index key value and the address selected by the combination are used to decompose the key, encryption key, and address combination into multiple parts, so that different databases can store the key, encryption key, and location separately Different parts of the address combination.

透過上述的技術手段,本發明可以達成提高密鑰的安全性之技術功效。 Through the above technical means, the present invention can achieve the technical effect of improving the security of the key.

110:建立模組 110: Create a module

111:資料庫 111: database

120:加密處理模組 120: Encryption processing module

130:金鑰處理模組 130: Key Processing Module

140:結合模組 140: Combined module

150:驅動模組 150: drive module

160:儲存模組 160: storage module

301:第一個資料庫 301: The first database

310:第M個資料庫 310: The Mth database

400:資料表 400: data sheet

步驟A:建立一密鑰、N個加密金鑰、2N個位址及M個資料庫,其中,N及M為正整數 Step A: Create a key, N encryption keys, 2N addresses, and M databases, where N and M are positive integers

步驟B:將該密鑰作為一待分解資料 Step B: Use the key as a data to be decomposed

步驟C:執行一秘密共享演算法將該待分解資料分解為對應的M個共享單元,並且在未曾選擇的所述加密金鑰中任選其一,用以分別對每一共享單元進行加密以生成M個共享加密單元,以及在未曾選擇的所述位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的一索引鍵值,並且根據每一資料庫的該索引鍵值,將所述共享加密單元分別儲存在不同的所述資料庫 Step C: Execute a secret sharing algorithm to decompose the data to be decomposed into corresponding M shared units, and choose one of the encryption keys that have not been selected to encrypt each shared unit separately Generate M shared encryption units, and choose one of the addresses that have not been selected to provide each database for hash calculation to generate a corresponding index key value, and according to the index of each database Key value, storing the shared encryption units in different databases

步驟D:執行該秘密共享演算法將選擇的所述加密金鑰分解為M個加密金鑰共享單元,並且在未曾選擇的所述位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的一加密金鑰索引鍵值,以及根據每一資料庫的該加密金鑰索引鍵值,將所述加密金鑰共享單元分別儲存在不同的所述資料庫 Step D: Execute the secret sharing algorithm to decompose the selected encryption key into M encryption key sharing units, and choose one of the unselected addresses to provide each database for processing Hash calculation to generate a corresponding encryption key index key value, and according to the encryption key index key value of each database, the encryption key sharing unit is respectively stored in different said database

步驟E:當存在尚未被選擇的所述位址時,結合步驟(C)及(D)中選擇的所述位址以作為該待分解資料 Step E: When there is the address that has not been selected, combine the address selected in steps (C) and (D) as the data to be decomposed

步驟F:當存在尚未被選擇的所述加密金鑰及所述位址時,重複執行步驟(C)至(E) Step F: When there is the encryption key and the address that have not been selected, repeat steps (C) to (E)

步驟G:儲存步驟(C)及(D)中最後選擇的所述位址,用以提供還原該密鑰時讀取 Step G: Store the address selected last in steps (C) and (D) for reading when restoring the key

第1圖為本發明分散式多層遞迴的密鑰保管系統之系統方塊圖。 Figure 1 is a system block diagram of the decentralized multi-layer recursive key storage system of the present invention.

第2圖為本發明分散式多層遞迴的密鑰保管方法之方法流程圖。 Figure 2 is a method flow chart of the decentralized multi-layer recursive key storage method of the present invention.

第3圖為應用本發明基於密鑰產生共享加密單元並儲存至資料庫之示意圖。 Figure 3 is a schematic diagram of applying the present invention to generate a shared encryption unit based on a key and store it in a database.

第4圖為應用本發明基於加密金鑰產生加密金鑰共享單元,並儲存至資料庫之示意圖。 Figure 4 is a schematic diagram of the application of the present invention to generate an encryption key sharing unit based on the encryption key and store it in the database.

第5圖為應用本發明結合選擇的位址產生共享加密單元,並儲存至資料庫之示意圖。 Figure 5 is a schematic diagram of the application of the present invention in combination with the selected address to generate a shared encryption unit and store it in the database.

第6圖為應用本發明的資料庫儲存內容之示意圖。 Figure 6 is a schematic diagram of the storage content of the database using the present invention.

以下將配合圖式及實施例來詳細說明本發明之實施方式,藉此對本發明如何應用技術手段來解決技術問題並達成技術功效的實現過程能充分理解並據以實施。 Hereinafter, the implementation of the present invention will be described in detail with the drawings and embodiments, so as to fully understand and implement the implementation process of how the present invention uses technical means to solve technical problems and achieve technical effects.

在說明本發明所揭露之分散式多層遞迴的密鑰保管系統及其方法之前,先對本發明所自行定義的名詞作說明,本發明所述的「共享單元(Share)」是指經過執行秘密共享演算法計算後所分解出的各部分;所述「共享加密單元」是指經過加密金鑰加密的「共享單元」;所述「加密金鑰共享單元」是指加密金鑰經過執行秘密共享演算法計算後所分解出的各部分,實際上,其與前述的共享單元的差別僅在於加密金鑰共享單元是基於加密金鑰所產生;所述「索引鍵值」及「加密金鑰索引鍵值」皆是資料庫將選擇的位址經過雜湊計算後所得到的值,差別在於前者是與「共享單元」相對應,後者是與「加密金鑰共享單元」相對應。特別要說明的是,由於每個資料庫所使用的雜湊函式(Hash function)都有不同的鹽(Salt)(亦即在雜湊前將位址的任意固定位置插入特定的字串),所以計算出來的值不會相同,換句話說,假設有五個共享加密單元,被分別儲存在五個不同的資料庫中,其對應的索引鍵值也不會相同,可以確保索引鍵值具有唯一性。 Before describing the decentralized multi-layer recursive key custody system and method disclosed in the present invention, the self-defined terminology of the present invention will be explained. The "Share" in the present invention refers to the secret after execution. The parts decomposed after the calculation of the shared algorithm; the "shared encryption unit" refers to the "shared unit" encrypted by the encryption key; the "encryption key sharing unit" refers to the encryption key after performing secret sharing The parts decomposed by the algorithm calculation, in fact, are different from the aforementioned shared unit only in that the encryption key shared unit is generated based on the encryption key; the "index key" and "encryption key index" The key value is the value obtained by hashing the selected address in the database. The difference is that the former corresponds to the "shared unit" and the latter corresponds to the "encrypted key shared unit". In particular, because the hash function used by each database has a different salt (that is, insert a specific string at any fixed position of the address before hashing), so The calculated value will not be the same. In other words, assuming that there are five shared encryption units, which are stored in five different databases, their corresponding index key values will not be the same, which can ensure that the index key values are unique Sex.

以下配合圖式對本發明分散式多層遞迴的密鑰保管系統及其方法做進一步說明,請先參閱「第1圖」,「第1圖」為本發明分散式多層遞迴的密鑰保管系統的系統方塊圖,此系統包含:建立模組110、加密處理模組120、金鑰處理模組130、結合模組140、驅動模組150及儲存模組160。其中,建立模組110用以建立密鑰、N個加密金鑰、2N個位址及M個資料庫111,並且將此密鑰作為待分解資料,其中,N及M為正整數。舉例來說,假設N為數值3、M為數值5,代表建立三個加密金鑰、六個位址及五個資料庫111。在實際實施上,所述密鑰可以是主要密鑰(Master Key),也就是用以管理其他私鑰(Private key)的密鑰。另外,所述位址在建立時,可執行編碼函式,使位址與區塊鏈位址的 格式相同,以便藉由相同的格式使資料庫111中出現許多類似的資料,進而達到混淆的功效,讓駭客不易分辨每筆資料的作用。至於所述加密金鑰的產生則可根據密鑰及其管理的私鑰所分別對應的公鑰,並且將每一私鑰作為待分解資料,用以執行秘密共享演算法將私鑰分解為共享單元、加密為共享加密單元、以及計算出對應的索引鍵值,再分別將不同的共享加密單元及其對應的索引鍵值儲存在不同的資料庫111。 The following is a further description of the distributed multi-layer recursive key custody system and method of the present invention in conjunction with the diagrams. Please refer to "Figure 1" first. "Figure 1" shows the distributed multi-layer recursive key custody system of the present invention. The system block diagram of the system includes: a creation module 110, an encryption processing module 120, a key processing module 130, a combining module 140, a driving module 150, and a storage module 160. Wherein, the creation module 110 is used to create a key, N encryption keys, 2N addresses, and M database 111, and use this key as the data to be decomposed, where N and M are positive integers. For example, assuming that N is a value of 3 and M is a value of 5, it means that three encryption keys, six addresses, and five databases 111 are created. In actual implementation, the key may be a master key (Master Key), that is, a key used to manage other private keys (Private keys). In addition, when the address is created, an encoding function can be executed to make the address and the blockchain address The format is the same, so that many similar data can appear in the database 111 through the same format, thereby achieving the effect of confusion and making it difficult for hackers to distinguish the role of each data. As for the generation of the encryption key, the public key corresponding to the key and the private key managed by it can be used, and each private key can be used as the data to be decomposed to execute the secret sharing algorithm to decompose the private key into shared Unit, encrypt as a shared encryption unit, and calculate the corresponding index key value, and then store different shared encryption units and their corresponding index key values in different database 111 respectively.

加密處理模組120連接建立模組110,用以執行秘密共享演算法將待分解資料分解為對應的M個共享單元,並且在未曾選擇的加密金鑰中任選其一,用以分別對每一共享單元進行加密以生成M個共享加密單元,以及在未曾選擇的位址中任選其一,用以提供每一資料庫111進行雜湊計算以生成對應的索引鍵值,並且根據每一資料庫111的索引鍵值,將共享加密單元分別儲存在不同的資料庫111。換句話說,每一個被選擇的加密金鑰在對各共享單元進行加密後,便不允許再次被選擇。在實際實施上,為了提高計算效率,加密金鑰可以是對稱式金鑰。另外,所述秘密共享演算法可包含沙米爾的秘密共享(Shamir’s Secret Sharing,SSS)、布萊克利的秘密共享(Blakley’s Secret Sharing,BSS)或其相似的演算法。 The encryption processing module 120 is connected to the establishment module 110 to execute a secret sharing algorithm to decompose the data to be decomposed into corresponding M shared units, and choose one of the encryption keys that have not been selected for each A shared unit encrypts to generate M shared encryption units, and selects one of the unselected addresses to provide each database 111 for hash calculation to generate the corresponding index key value, and according to each data The index key value of the library 111 stores the shared encryption unit in different database 111 respectively. In other words, each selected encryption key cannot be selected again after encrypting each shared unit. In actual implementation, in order to improve calculation efficiency, the encryption key can be a symmetric key. In addition, the secret sharing algorithm may include Shamir's Secret Sharing (SSS), Blakley's Secret Sharing (BSS) or similar algorithms.

金鑰處理模組130連接建立模組110及加密處理模組120,用以執行秘密共享演算法將加密處理模組選擇的加密金鑰分解為M個加密金鑰共享單元,並且在未曾選擇的位址中任選其一,用以提供每一資料庫111進行雜湊計算以生成對應的加密金鑰索引鍵值,以及根據每一資料庫111的加密金鑰索引鍵值,將加密金鑰共享單元分別儲存在不同的資料庫111。所述金鑰處理模組130與加密處理模組120的差異在於前者並未對秘密共享演算法的結果進行加密,而 後者則使用加密金鑰對結果進行加密,以及前者是針對密鑰或結合的位址執行秘密共享演算法,而後者則是針對選擇的加密金鑰。 The key processing module 130 is connected to the establishment module 110 and the encryption processing module 120, and is used to execute a secret sharing algorithm to decompose the encryption key selected by the encryption processing module into M encryption key sharing units, and the unselected Choose one of the addresses to provide each database 111 for hash calculation to generate the corresponding encryption key index key value, and share the encryption key according to the encryption key index key value of each database 111 The units are stored in different databases 111 respectively. The difference between the key processing module 130 and the encryption processing module 120 is that the former does not encrypt the result of the secret sharing algorithm, and The latter uses an encryption key to encrypt the result, the former performs a secret sharing algorithm for the key or combined address, and the latter is for the selected encryption key.

結合模組140連接加密處理模組120及金鑰處理模組130,用以當存在尚未被選擇的位址時,結合在加密處理模組120及金鑰處理模組130中選擇的位址以作為待分解資料並傳送至加密處理模組120執行秘密共享演算法。在實際實施上,結合選擇的位址可以是字串的結合,例如:在加密處理模組120中選擇的位址為「0xabc......」、在金鑰處理模組130中選擇的位址為「0xdef......」,當經過結合模組140結合後,會生成包含二個位址的位址組合「0xabc......0xdef......」作為待分解資料,並且將其傳送至加密處理模組120執行秘密共享演算法。 The combining module 140 is connected to the encryption processing module 120 and the key processing module 130, and is used to combine the addresses selected in the encryption processing module 120 and the key processing module 130 when there are addresses that have not yet been selected As the data to be decomposed, it is sent to the encryption processing module 120 to execute the secret sharing algorithm. In actual implementation, the address selected in combination may be a combination of strings. For example, the address selected in the encryption processing module 120 is "0xabc...", and the address selected in the key processing module 130 is selected The address of is "0xdef...", when combined by the combination module 140, an address combination containing two addresses "0xabc......0xdef......" will be generated As the data to be decomposed, it is sent to the encryption processing module 120 to execute the secret sharing algorithm.

驅動模組150連接加密處理模組120、金鑰處理模組130及結合模組140,用以當存在尚未被選擇的加密金鑰及位址時,驅動加密處理模組120、金鑰處理模組130及結合模組140依序重複執行。由於每依序執行一次會使用一個加密金鑰及二個位址。因此,在N為數值3的例子中,加密處理模組120、金鑰處理模組130及結合模組140總共將依序執行三次才不存在未被選擇的加密金鑰及位址,每執行一次可視為一層處理。 The drive module 150 is connected to the encryption processing module 120, the key processing module 130, and the combining module 140, and is used to drive the encryption processing module 120, the key processing module when there is an encryption key and address that have not been selected yet. The group 130 and the combining module 140 are repeatedly executed in sequence. Because each execution in sequence will use one encryption key and two addresses. Therefore, in the example where N is the value 3, the encryption processing module 120, the key processing module 130, and the combining module 140 will be executed three times in sequence before there is no unselected encryption key and address. It can be treated as one layer at a time.

儲存模組160連接加密處理模組120及金鑰處理模組130,用以分別儲存加密處理模組120及金鑰處理模組130最後選擇的位址以提供還原密鑰時讀取。在實際實施上,可以透過金鑰管理配置檔案儲存這二個位址(即:加密處理模組120最後選擇的位址與金鑰處理模組130最後選擇的位址),以便在還原密鑰時,藉由讀取這二個位址得知相應的部分加密金鑰及經過此加密金鑰所加密的部分結合位址(此處所述的部分結合位址是指先經過結合模組140結合的 位址作為待分解資料,再經過加密處理模組120對此待分解資料執行秘密共享演算法所分解的共享單元),接著根據部分加密金鑰還原出完整的加密金鑰後,解密以此加密金鑰加密過的部分結合位址,以便還原出未加密的部分結合位址後,再還原為完整的結合位址以獲得其包含的二個位址,並以相同方式持續處理直到獲得部分密鑰後,還原出完整的密鑰為止。特別要說明的是,由於使用秘密共享演算法,所以在還原過程中,無須得到全部的部分加密金鑰即可還原出完整的加密金鑰,同樣地,無須得到全部的部分結合位址即可還原出完整的結合位址,以及無須得到全部的部分密鑰即可還原出完整的密鑰。一般而言,在M為5的情況下,只要擁有其中三個部分即可還原出完整的密鑰,不需要擁有全部的部分。 The storage module 160 is connected to the encryption processing module 120 and the key processing module 130, and is used to store the last selected addresses of the encryption processing module 120 and the key processing module 130 respectively for reading when the key is restored. In actual implementation, these two addresses (that is, the last selected address of the encryption processing module 120 and the last selected address of the key processing module 130) can be stored through the key management configuration file, so as to restore the key At the time, by reading these two addresses, the corresponding partial encryption key and the partial binding address encrypted by this encryption key are known (the partial binding address mentioned here refers to the combination of the combination module 140). of The address is used as the data to be decomposed, and the encryption processing module 120 executes the shared unit decomposed by the secret sharing algorithm on the data to be decomposed), and then restores the complete encryption key based on the partial encryption key, and then decrypts it to encrypt The key-encrypted part of the combined address in order to restore the unencrypted part of the combined address, and then restore it to the complete combined address to obtain the two addresses it contains, and continue processing in the same way until the partial encrypted address is obtained. After the key, the complete key is restored. In particular, due to the use of the secret sharing algorithm, in the restoration process, the complete encryption key can be restored without obtaining all the partial encryption keys. Similarly, it is not necessary to obtain all the partial binding addresses. The complete binding address is restored, and the complete key can be restored without obtaining all partial keys. Generally speaking, when M is 5, as long as you have three of the parts, you can restore the complete key, and you don't need to have all the parts.

特別要說明的是,在實際實施上,本發明所述的各模組皆可利用各種方式來實現,包含軟體、硬體或其任意組合,例如,在某些實施方式中,各模組可利用軟體及硬體或其中之一來實現,除此之外,本發明亦可部分地或完全地基於硬體來實現,例如,系統中的一個或多個模組可以透過積體電路晶片、系統單晶片(System on Chip,SoC)、複雜可程式邏輯裝置(Complex Programmable Logic Device,CPLD)、現場可程式邏輯閘陣列(Field Programmable Gate Array,FPGA)等來實現。本發明可以是系統、方法及/或電腦程式。電腦程式可以包括電腦可讀儲存媒體,其上載有用於使處理器實現本發明的各個方面的電腦可讀程式指令,電腦可讀儲存媒體可以是可以保持和儲存由指令執行設備使用的指令的有形設備。電腦可讀儲存媒體可以是但不限於電儲存設備、磁儲存設備、光儲存設備、電磁儲存設備、半導體儲存設備或上述的任意合適的組合。電腦可讀儲存媒體的更具體的例子(非窮舉的列表)包括:硬碟、隨 機存取記憶體、唯讀記憶體、快閃記憶體、光碟、軟碟以及上述的任意合適的組合。此處所使用的電腦可讀儲存媒體不被解釋為瞬時信號本身,諸如無線電波或者其它自由傳播的電磁波、通過波導或其它傳輸媒介傳播的電磁波(例如,通過光纖電纜的光信號)、或者通過電線傳輸的電信號。另外,此處所描述的電腦可讀程式指令可以從電腦可讀儲存媒體下載到各個計算/處理設備,或者通過網路,例如:網際網路、區域網路、廣域網路及/或無線網路下載到外部電腦設備或外部儲存設備。網路可以包括銅傳輸電纜、光纖傳輸、無線傳輸、路由器、防火牆、交換器、集線器及/或閘道器。每一個計算/處理設備中的網路卡或者網路介面從網路接收電腦可讀程式指令,並轉發此電腦可讀程式指令,以供儲存在各個計算/處理設備中的電腦可讀儲存媒體中。執行本發明操作的電腦程式指令可以是組合語言指令、指令集架構指令、機器指令、機器相關指令、微指令、韌體指令、或者以一種或多種程式語言的任意組合編寫的原始碼或目的碼(Object Code),所述程式語言包括物件導向的程式語言,如:Common Lisp、Python、C++、Objective-C、Smalltalk、Delphi、Java、Swift、C#、Perl、Ruby與PHP等,以及常規的程序式(Procedural)程式語言,如:C語言或類似的程式語言。計算機可讀程式指令可以完全地在電腦上執行、部分地在電腦上執行、作為一個獨立的軟體執行、部分在客戶端電腦上部分在遠端電腦上執行、或者完全在遠端電腦或伺服器上執行。 In particular, it should be noted that in actual implementation, each module described in the present invention can be implemented in various ways, including software, hardware, or any combination thereof. For example, in some embodiments, each module can be It can be implemented by software and hardware or one of them. In addition, the present invention can also be implemented partially or completely based on hardware. For example, one or more modules in the system can be implemented through integrated circuit chips, System on Chip (SoC), Complex Programmable Logic Device (CPLD), Field Programmable Gate Array (FPGA), etc. are implemented. The present invention can be a system, method and/or computer program. The computer program may include a computer-readable storage medium loaded with computer-readable program instructions for enabling the processor to implement various aspects of the present invention. The computer-readable storage medium may be a tangible storage medium that can hold and store instructions used by an instruction execution device. equipment. The computer-readable storage medium can be, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (non-exhaustive list) of computer-readable storage media include: hard drives, Machine access memory, read-only memory, flash memory, CD-ROM, floppy disk, and any suitable combination of the above. The computer-readable storage medium used herein is not interpreted as a transient signal itself, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (for example, optical signals through fiber optic cables), or through wires Transmission of electrical signals. In addition, the computer-readable program instructions described herein can be downloaded from a computer-readable storage medium to various computing/processing devices, or downloaded via a network, such as the Internet, local area network, wide area network, and/or wireless network To an external computer device or external storage device. The network may include copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, hubs and/or gateways. The network card or network interface in each computing/processing device receives computer-readable program instructions from the network, and forwards the computer-readable program instructions for storage in the computer-readable storage medium in each computing/processing device in. The computer program instructions that perform the operations of the present invention may be combined language instructions, instruction set architecture instructions, machine instructions, machine-related instructions, micro instructions, firmware instructions, or source code or object code written in any combination of one or more programming languages (Object Code), the programming language includes object-oriented programming languages, such as: Common Lisp, Python, C++, Objective-C, Smalltalk, Delphi, Java, Swift, C#, Perl, Ruby, PHP, etc., as well as conventional programs Procedural programming language, such as C language or similar programming language. Computer readable program instructions can be executed entirely on the computer, partly on the computer, executed as a stand-alone software, partly on the client computer and partly on the remote computer, or entirely on the remote computer or server Executed on.

請參閱「第2圖,「第2圖」為本發明分散式多層遞迴的密鑰保管方法的方法流程圖,其步驟包括:建立密鑰、N個加密金鑰、2N個位址及M個資料庫111,其中,N及M為正整數(步驟A);將密鑰作為待分解資料(步驟B);執行秘密共享演算法將此待分解資料分解為對應的M個共享單元,並且在未曾選 擇的加密金鑰中任選其一,用以分別對每一共享單元進行加密以生成M個共享加密單元,以及在未曾選擇的位址中任選其一,用以提供每一資料庫111進行雜湊計算以生成對應的索引鍵值,並且根據每一資料庫111的索引鍵值,將共享加密單元分別儲存在不同的資料庫111(步驟C);執行秘密共享演算法將選擇的加密金鑰分解為M個加密金鑰共享單元,並且在未曾選擇的位址中任選其一,用以提供每一資料庫111進行雜湊計算以生成對應的加密金鑰索引鍵值,以及根據每一資料庫111的加密金鑰索引鍵值,將加密金鑰共享單元分別儲存在不同的資料庫111(步驟D);當存在尚未被選擇的位址時,結合步驟(C)及(D)中選擇的位址以作為待分解資料(步驟E);當存在尚未被選擇的加密金鑰及位址時,重複執行步驟(C)至(E)(步驟F);以及儲存步驟(C)及(D)中最後選擇的位址,用以提供還原密鑰時讀取(步驟G)。透過上述步驟,即可透過遞迴執行秘密共享演算法、根據選擇的加密金鑰進行加密、根據選擇的位址計算索引鍵值及組合選擇的位址,用以將密鑰、加密金鑰及位址組合皆分解為多個部分,使不同的資料庫111中,分別儲存有密鑰、加密金鑰及位址組合的不同部分,而非在單一資料庫中儲存完整的密鑰、加密金鑰及位址組合。 Please refer to "Figure 2. "Figure 2" is a flow chart of the method for decentralized multi-layer recursive key storage of the present invention. The steps include: establishing a key, N encryption keys, 2N addresses, and M A database 111, where N and M are positive integers (step A); use the key as the data to be decomposed (step B); execute a secret sharing algorithm to decompose the data to be decomposed into corresponding M shared units, and Unselected Choose one of the selected encryption keys to separately encrypt each shared unit to generate M shared encryption units, and choose one of the unselected addresses to provide each database 111 Perform hash calculation to generate the corresponding index key value, and according to the index key value of each database 111, store the shared encryption units in different database 111 (step C); execute the secret sharing algorithm to select the encryption gold The key is decomposed into M encryption key sharing units, and one of the unselected addresses is selected to provide each database 111 for hash calculation to generate the corresponding encryption key index key value, and according to each The encryption key index key value of the database 111, and the encryption key sharing units are respectively stored in different databases 111 (step D); when there is an address that has not yet been selected, combine steps (C) and (D) The selected address is used as the data to be decomposed (step E); when there is an encryption key and address that have not been selected, repeat steps (C) to (E) (step F); and save steps (C) and The last selected address in (D) is used for reading when providing the recovery key (step G). Through the above steps, you can execute the secret sharing algorithm recursively, encrypt according to the selected encryption key, calculate the index key value according to the selected address, and combine the selected address to combine the key, encryption key and The address combination is decomposed into multiple parts, so that different databases 111 store the key, encryption key, and different parts of the address combination, instead of storing the complete key and encryption in a single database. Key and address combination.

以下配合「第3圖」至「第6圖」以實施例的方式進行如下說明,請先參閱「第3圖」,「第3圖」為應用本發明基於密鑰產生共享加密單元並儲存至資料庫之示意圖。假設已建立密鑰、N個加密金鑰、2N個位址及M個資料庫111,為了有效保護此密鑰,避免被非授權者取得,於是先執行秘密共享演算法將此密鑰分解成多個部分,即:共享單元1至共享單元M。接著,從N個加密金鑰中任選其一,以便對各個共享單元進行加密成為共享加密單元1至共享加密單元M,並且將這些共享加密單元分別儲存至不同的資料庫111,舉例來說,將共 享加密單元1儲存至第一個資料庫301、將共享加密單元2儲存至第二個資料庫,並且以此類推,將共享加密單元M儲存至第M個資料庫310。特別要說明的是,在儲存至資料庫之前,需要先從2N個位址中任選其一(例如:假設N為數值3,便是從六個位址中任選其一),提供給各資料庫進行雜湊計算以生成相應的索引鍵值,此索引鍵值具有唯一性。此時,即可將索引鍵值填入索引鍵(Key)的欄位,以及將共享加密單元填入值(Value)的欄位,稍後將配合圖式進一步說明資料庫的詳細儲存內容。至此,已將密鑰分解為M個部分,並且將每一部分加密後,連同相應的索引鍵值儲存至資料庫。 The following description will be given in the form of an embodiment in conjunction with "Figure 3" to "Figure 6". Please refer to "Figure 3". "Figure 3" is the application of the present invention to generate a shared encryption unit based on a key and store it in Schematic diagram of the database. Assuming that a key, N encryption keys, 2N addresses, and M databases 111 have been established, in order to effectively protect this key and prevent unauthorized persons from obtaining it, first execute a secret sharing algorithm to decompose this key into Multiple parts, namely: shared unit 1 to shared unit M. Then, choose one of the N encryption keys to encrypt each shared unit into shared encryption unit 1 to shared encryption unit M, and store these shared encryption units in different database 111, for example , Will total The shared encryption unit 1 is stored in the first database 301, the shared encryption unit 2 is stored in the second database, and so on, the shared encryption unit M is stored in the M-th database 310. In particular, before saving to the database, you need to choose one of the 2N addresses (for example, if N is the value 3, then choose one of the six addresses), and provide it to Each database performs a hash calculation to generate a corresponding index key value, which is unique. At this point, the index key value can be filled in the key field, and the shared encryption unit can be filled in the value field. The detailed storage content of the database will be further explained later in conjunction with the diagram. So far, the key has been decomposed into M parts, and each part is encrypted and stored in the database together with the corresponding index key value.

如「第4圖」所示意,「第4圖」為應用本發明基於加密金鑰產生加密金鑰共享單元,並儲存至資料庫之示意圖。前面提到,從N個加密金鑰中任選其一,以便對各個共享單元進行加密成為共享加密單元1至共享加密單元M。為了保護加密金鑰,同樣執行秘密共享演算法將其分解為M個部分,即:加密金鑰共享單元1至加密金鑰共享單元M。接著,在未曾選擇過的位址中任選其一,提供給各資料庫進行雜湊計算以生成相應的加密金鑰索引鍵值,也就是說,在「第3圖」的流程中所選擇的位址將被排除在外,因為已經被選擇過了。當,加密金鑰共享單元及加密金鑰索引鍵值皆生成後,便可以將各加密金鑰共享單元分別儲存至不同的資料庫中。至此,已將選擇的加密金鑰分解成M個部分,並且連同相應的索引鍵值儲存至資料庫,例如:第一個資料庫根據選擇的位址進行雜湊運算所產生的加密金鑰索引鍵值與儲存在第一個資料庫的加密金鑰共享單元(例如:加密金鑰共享單元1)相對應;第二個資料庫根據選擇的位址進行雜湊運算所產生的加密金鑰索引鍵值與儲存在第二個資料庫的加密金鑰共享單元(例如:加密金鑰共享單元2)相對應,並且以此類推,第M個資料庫根據選擇 的位址進行雜湊運算所產生的加密金鑰索引鍵值與儲存在第M個資料庫的加密金鑰共享單元(例如:加密金鑰共享單元M)相對應。 As shown in "Figure 4", "Figure 4" is a schematic diagram of applying the present invention to generate an encryption key sharing unit based on an encryption key and store it in a database. As mentioned earlier, any one of the N encryption keys can be selected to encrypt each shared unit into shared encryption unit 1 to shared encryption unit M. In order to protect the encryption key, the secret sharing algorithm is also executed to decompose it into M parts, namely: encryption key sharing unit 1 to encryption key sharing unit M. Then, choose one of the addresses that have not been selected before, and provide each database for hash calculation to generate the corresponding encryption key index key value, that is, the selected address in the process of "Figure 3" The address will be excluded because it has already been selected. After the encryption key sharing unit and the encryption key index key value are generated, each encryption key sharing unit can be stored in different databases. At this point, the selected encryption key has been decomposed into M parts, and stored in the database together with the corresponding index key value, for example: the encryption key index key generated by the hash operation of the first database according to the selected address The value corresponds to the encryption key sharing unit stored in the first database (for example: encryption key sharing unit 1); the second database performs a hash operation based on the selected address to generate the encryption key index key value Correspond to the encryption key sharing unit stored in the second database (for example: encryption key sharing unit 2), and so on, the Mth database is selected according to the selection The encryption key index key value generated by the hash operation at the address corresponds to the encryption key sharing unit (for example, the encryption key sharing unit M) stored in the M-th database.

如「第5圖」所示意,「第5圖」為應用本發明結合選擇的位址產生共享加密單元,並儲存至資料庫之示意圖。從上述說明可清楚得知,密鑰及選擇過的加密金鑰均已經過秘密共享演算法處理,而為了提升混淆性及安全性,故針對選擇的位址也進行相似的處理。首先,將「第3圖」及「第4圖」的流程中所選擇的位址進行結合,舉例來說,假設「第3圖」中所選擇的位址為「1234」、「第4圖」中所選擇的位址為「5678」,那麼可將字串結合為「12345678」。接著,將結合後的位址作為待分解資料,提供給秘密共享演算法進行計算以生成M個部分(即:共享單元1至共享單元M)。接下來,選擇未曾選擇過的一個加密金鑰,並且以這個加密金鑰分別對共享單元1至共享單元M進行加密成為共享加密單元1至共享加密單元M,以及選擇未曾選擇過的位址提供給各資料庫進行雜湊計算以生成相應的索引鍵值,再將這些加密共享單元(即:共享加密單元1至共享加密單元M)分別儲存至不同的資料庫中,舉例來說,第一個資料庫301根據選擇的位址進行雜湊運算所產生的索引鍵值與儲存在第一個資料庫301的共享加密單元(例如:共享加密單元1)相對應;第二個資料庫根據選擇的位址進行雜湊運算所產生的索引鍵值與儲存在第二個資料庫的共享加密單元(例如:共享加密單元2)相對應,並且以此類推,第M個資料庫310根據選擇的位址進行雜湊運算所產生的索引鍵值與儲存在第M個資料庫310的共享加密單元(例如:共享加密單元M)相對應。至此,已將結合的位址分解成M個部分,並且分別進行加密後,連同相應的索引鍵值儲存至不同的資料庫。 As shown in "Figure 5", "Figure 5" is a schematic diagram of applying the present invention in combination with the selected address to generate a shared encryption unit and store it in the database. From the above description, it is clear that the key and the selected encryption key have been processed by the secret sharing algorithm. In order to improve the confusion and security, similar processing is also performed on the selected address. First, combine the addresses selected in the processes of "Figure 3" and "Figure 4". For example, suppose the addresses selected in "Figure 3" are "1234" and "Figure 4" The selected address in "is "5678", then the string can be combined into "12345678". Then, the combined address is used as the data to be decomposed and provided to the secret sharing algorithm for calculation to generate M parts (ie, sharing unit 1 to sharing unit M). Next, select an encryption key that has not been selected, and use this encryption key to encrypt shared unit 1 to shared unit M to become shared encryption unit 1 to shared encryption unit M, and select an address that has not been selected before. Perform hash calculation for each database to generate the corresponding index key value, and then store these encrypted shared units (ie: shared encryption unit 1 to shared encryption unit M) in different databases, for example, the first The index key value generated by the database 301 performing the hash operation according to the selected address corresponds to the shared encryption unit (for example: shared encryption unit 1) stored in the first database 301; the second database is based on the selected bit The index key value generated by the hash operation of the address corresponds to the shared encryption unit (for example: shared encryption unit 2) stored in the second database, and so on, the M-th database 310 performs processing according to the selected address The index key value generated by the hash operation corresponds to the shared encryption unit (for example, the shared encryption unit M) stored in the M-th database 310. So far, the combined address has been decomposed into M parts, and after being encrypted separately, they are stored in different databases together with the corresponding index keys.

如「第6圖」所示意,「第6圖」為應用本發明的資料庫儲存內容之示意圖。在實際實施上,所述資料庫111可為「Key-Value資料庫」或其相似物,其中,經資料庫進行雜湊計算所產生的「索引鍵值」和「加密金鑰索引鍵值」,儲存在索引鍵(Key)的欄位;經執行秘密共享演算法所分解的M個部分(包含加密過的「共享加密單元」和未加密過的「加密金鑰共享單元」)則儲存在值(Value)的欄位。假設N為數值3、M為數值5,代表建立三個加密金鑰、六個位址(2*3=6)、五個資料庫,在經過本發明的分散式多層遞迴的密鑰保管方法處理後,以第三個資料庫所儲存的內容為例,可清楚看到資料表400中存在六筆紀錄,其中,「Hash(address1)」代表將第一個位址進行雜湊計算;「Hash(address2)」代表將第二個位址進行雜湊計算,並以此類推,「Hash(address6)」代表將第六個位址進行雜湊計算;「Encrypted(masterKey_share3,key1)」代表使用第一個加密金鑰對密鑰的第三部分進行加密後的值;「key1_share3」代表第一個加密金鑰經過執行秘密共享演算法後所分解出的第三部分;「key2_share3」代表第二個加密金鑰經過執行秘密共享演算法後所分解出的第三部分;「key3_share3」代表第三個加密金鑰經過執行秘密共享演算法後所分解出的第三部分;「Encrypted([address1+address2]_share3,key2)」代表第一次選擇的位址及第二次選擇的位址的結合,經過執行秘密共享演算法後所分解出的第三部分,以第二個加密金鑰進行加密;「Encrypted([address3+address4]_share3,key3)」代表第三次選擇的位址及第四次選擇的位址的結合,經過執行秘密共享演算法後所分解出的第三部分,以第三個加密金鑰進行加密。在此例中,會將第五個選擇的位址及第六個選擇的位址儲存在金鑰管理配置檔案,以提供還原密鑰時使用。在還原密鑰時,只要將金鑰管理配置檔案中所紀錄的位址作為進入點,並且進行反向 處理即可獲得密鑰。特別要說明的是,經過還原的密鑰僅存在於金鑰管理系統的記憶體中,不會以完整的形式存在於任何非揮發性的儲存裝置,故能夠大幅提高密鑰的安全性。 As shown in "Figure 6", "Figure 6" is a schematic diagram of the stored content of the database using the present invention. In actual implementation, the database 111 can be a "Key-Value database" or its analogues, where the "index key value" and "encryption key index key value" generated by the hash calculation of the database, Stored in the field of the index key (Key); the M parts (including the encrypted "shared encryption unit" and the unencrypted "encrypted key sharing unit") decomposed by executing the secret sharing algorithm are stored in the value (Value) field. Assuming that N is a value of 3 and M is a value of 5, it represents the creation of three encryption keys, six addresses (2*3=6), and five databases, which are stored in the distributed multi-layer recursive key storage of the present invention After the method is processed, taking the content stored in the third database as an example, it can be clearly seen that there are six records in the table 400, among which "Hash(address 1 )" represents the hash calculation of the first address; "Hash(address 2 )" represents the hash calculation of the second address, and so on, "Hash(address 6 )" represents the hash calculation of the sixth address; "Encrypted(masterKey_share 3 ,key 1 ) "Represents the value obtained by using the first encryption key to encrypt the third part of the key; "key 1 _share 3 " represents the third part decomposed by the first encryption key after executing the secret sharing algorithm; "Key 2 _share 3 " represents the third part of the second encryption key that is decomposed after executing the secret sharing algorithm; "key 3 _share 3 " represents the third encryption key that is decomposed after executing the secret sharing algorithm The third part of the output; "Encrypted([address 1 +address 2 ]_share 3 ,key 2 )" represents the combination of the address selected for the first time and the address selected for the second time. After executing the secret sharing algorithm The third part is decomposed and encrypted with the second encryption key; "Encrypted([address 3 +address 4 ]_share 3 ,key 3 )" represents the address selected for the third time and the address selected for the fourth time The third part decomposed after executing the secret sharing algorithm is encrypted with the third encryption key. In this example, the fifth selected address and the sixth selected address will be stored in the key management configuration file to provide the key to restore. When restoring the key, you only need to use the address recorded in the key management configuration file as the entry point and perform reverse processing to obtain the key. In particular, the restored key only exists in the memory of the key management system, and will not exist in a complete form in any non-volatile storage device, so the security of the key can be greatly improved.

綜上所述,可知本發明與先前技術之間的差異在於透過遞迴執行秘密共享演算法、根據選擇的加密金鑰進行加密、根據選擇的位址計算索引鍵值及組合選擇的位址,用以將密鑰、加密金鑰及位址組合皆分解為多個部分,使不同的資料庫中,分別儲存密鑰、加密金鑰及位址組合的不同部分,藉由此一技術手段可以解決先前技術所存在的問題,進而達成提高密鑰的安全性之技術功效。 In summary, it can be seen that the difference between the present invention and the prior art is that it executes the secret sharing algorithm recursively, encrypts according to the selected encryption key, calculates the index key value according to the selected address, and combines the selected address. Used to decompose the key, encryption key, and address combination into multiple parts, so that different parts of the key, encryption key, and address combination are stored in different databases. This technical method can Solve the problems existing in the prior art, and achieve the technical effect of improving the security of the key.

雖然本發明以前述之實施例揭露如上,然其並非用以限定本發明,任何熟習相像技藝者,在不脫離本發明之精神和範圍內,當可作些許之更動與潤飾,因此本發明之專利保護範圍須視本說明書所附之申請專利範圍所界定者為準。 Although the present invention is disclosed in the foregoing embodiments as above, it is not intended to limit the present invention. Anyone familiar with similar art can make some changes and modifications without departing from the spirit and scope of the present invention. Therefore, the present invention The scope of patent protection shall be determined by the scope of the patent application attached to this specification.

110:建立模組 110: Create a module

111:資料庫 111: database

120:加密處理模組 120: Encryption processing module

130:金鑰處理模組 130: Key Processing Module

140:結合模組 140: Combined module

150:驅動模組 150: drive module

160:儲存模組 160: storage module

Claims (8)

一種分散式多層遞迴的密鑰保管系統,該系統包含:一建立模組,用以建立一密鑰、N個加密金鑰、2N個位址及M個資料庫,並且將該密鑰作為一待分解資料,其中,N及M為正整數;一加密處理模組,連接該建立模組,用以執行一秘密共享演算法將該待分解資料分解為對應的M個共享單元,並且在未曾選擇的所述加密金鑰中任選其一,用以分別對每一共享單元進行加密以生成M個共享加密單元,以及在未曾選擇的所述位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的一索引鍵值,並且根據每一資料庫的該索引鍵值,將所述共享加密單元分別儲存在不同的所述資料庫;一金鑰處理模組,連接該建立模組及該加密處理模組,用以執行該秘密共享演算法將該加密處理模組選擇的所述加密金鑰分解為M個加密金鑰共享單元,並且在未曾選擇的所述位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的一加密金鑰索引鍵值,以及根據每一資料庫的該加密金鑰索引鍵值,將所述加密金鑰共享單元分別儲存在不同的所述資料庫;一結合模組,連接該加密處理模組及該金鑰處理模組,用以當存在尚未被選擇的所述位址時,以字串結合的方式結合在該加密處理模組及該金鑰處理模組中選擇的所述位址以作為該待分解 資料,使該待分解資料成為包含二個所述位址的一位址組合並傳送至該加密處理模組;一驅動模組,連接該加密處理模組、該金鑰處理模組及該結合模組,用以當存在尚未被選擇的所述加密金鑰及所述位址時,驅動該加密處理模組、該金鑰處理模組及該結合模組依序重複執行;以及一儲存模組,連接該加密處理模組及該金鑰處理模組,用以分別儲存該加密處理模組及該金鑰處理模組最後選擇的所述位址以提供還原該密鑰時讀取。 A decentralized multi-layer recursive key custody system. The system includes: an establishment module to establish a key, N encryption keys, 2N addresses, and M databases, and use the key as A data to be decomposed, where N and M are positive integers; an encryption processing module, connected to the establishment module, to execute a secret sharing algorithm to decompose the data to be decomposed into corresponding M shared units, and Choose one of the unselected encryption keys to encrypt each shared unit to generate M shared encryption units, and choose one of the unselected addresses to provide Each database performs hash calculation to generate a corresponding index key value, and according to the index key value of each database, the shared encryption unit is stored in a different database; a key processing module , Connect the establishment module and the encryption processing module to execute the secret sharing algorithm to decompose the encryption key selected by the encryption processing module into M encryption key sharing units, and perform the secret sharing algorithm Choose one of the addresses to provide each database to perform hash calculation to generate a corresponding encryption key index key value, and to encrypt the encryption key according to the encryption key index key value of each database The key sharing units are respectively stored in different said databases; a combination module, which connects the encryption processing module and the key processing module, is used when the address that has not yet been selected exists, with a string The method of combining combines the address selected in the encryption processing module and the key processing module as the to-be-decomposed Data, making the data to be decomposed into a one-address combination containing two of the addresses and sent to the encryption processing module; a drive module connected to the encryption processing module, the key processing module and the combination A module for driving the encryption processing module, the key processing module, and the combination module to execute repeatedly when the encryption key and the address that have not been selected exist; and a storage module The group is connected to the encryption processing module and the key processing module, and is used to store the last selected address of the encryption processing module and the key processing module respectively for reading when the key is restored. 根據申請專利範圍第1項之分散式多層遞迴的密鑰保管系統,其中所述位址在建立時,執行一編碼函式,使所述位址與區塊鏈位址的格式相同。 According to the distributed multi-layer recursive key storage system according to the first item of the scope of patent application, when the address is established, an encoding function is executed to make the address and the blockchain address have the same format. 根據申請專利範圍第1項之分散式多層遞迴的密鑰保管系統,其中該建立模組用以在該密鑰管理至少一私鑰時,根據該密鑰及每一私鑰所對應的一公鑰產生所述加密金鑰,並且將每一私鑰作為該待分解資料,由該加密處理模組執行該秘密共享演算法將所述私鑰分解為所述共享單元、加密為所述共享加密單元、以及計算出對應的該索引鍵值,再分別將不同的所述共享加密單元及其對應的該索引鍵值儲存在不同的所述資料庫。 The distributed multi-layer recursive key custody system according to item 1 of the scope of patent application, wherein the establishment module is used to manage at least one private key according to the key and a corresponding one of each private key The public key generates the encryption key, and each private key is used as the data to be decomposed. The encryption processing module executes the secret sharing algorithm to decompose the private key into the shared unit and encrypts the shared The encryption unit and the corresponding index key value are calculated, and then the different shared encryption units and the corresponding index key values are respectively stored in different databases. 根據申請專利範圍第1項之分散式多層遞迴的密鑰保管系統,其中所述秘密共享演算法包含沙米爾的秘密共享(Shamir’s Secret Sharing,SSS)及布萊克利的秘密共享(Blakley’s Secret Sharing,BSS)。 According to the decentralized multi-layer recursive key custody system according to the first item of the patent application, the secret sharing algorithm includes Shamir’s Secret Sharing (Shamir’s Secret Sharing). Sharing, SSS) and Blakley’s Secret Sharing (BSS). 一種分散式多層遞迴的密鑰保管方法,其步驟包括:(A)建立一密鑰、N個加密金鑰、2N個位址及M個資料庫,其中,N及M為正整數;(B)將該密鑰作為一待分解資料;(C)執行一秘密共享演算法將該待分解資料分解為對應的M個共享單元,並且在未曾選擇的所述加密金鑰中任選其一,用以分別對每一共享單元進行加密以生成M個共享加密單元,以及在未曾選擇的所述位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的一索引鍵值,並且根據每一資料庫的該索引鍵值,將所述共享加密單元分別儲存在不同的所述資料庫;(D)執行該秘密共享演算法將選擇的所述加密金鑰分解為M個加密金鑰共享單元,並且在未曾選擇的所述位址中任選其一,用以提供每一資料庫進行雜湊計算以生成對應的一加密金鑰索引鍵值,以及根據每一資料庫的該加密金鑰索引鍵值,將所述加密金鑰共享單元分別儲存在不同的所述資料庫;(E)當存在尚未被選擇的所述位址時,以字串結合的方式結合步驟(C)及(D)中選擇的所述位址以作為該待分解資料,使該待分解資料成為包含二個所述位址的一位址組合;(F)當存在尚未被選擇的所述加密金鑰及所述位址時,重複執行步驟(C)至(E);以及 (G)儲存步驟(C)及(D)中最後選擇的所述位址,用以提供還原該密鑰時讀取。 A decentralized multi-layer recursive key storage method, the steps include: (A) establishing a key, N encryption keys, 2N addresses, and M databases, where N and M are positive integers; B) Use the key as a data to be decomposed; (C) Execute a secret sharing algorithm to decompose the data to be decomposed into corresponding M shared units, and choose one of the encryption keys that have not been selected , To separately encrypt each shared unit to generate M shared encryption units, and to choose one of the addresses that have not been selected, to provide each database for hash calculation to generate a corresponding index Key value, and according to the index key value of each database, the shared encryption unit is stored in a different database; (D) execute the secret sharing algorithm to decompose the selected encryption key into M encryption key sharing units, and choose one of the addresses that have not been selected, to provide each database for hash calculation to generate a corresponding encryption key index key value, and according to each data The encryption key index key value of the library, the encryption key sharing unit is respectively stored in the different said database; (E) when there is the address that has not been selected, it is combined by string combination The address selected in steps (C) and (D) is used as the data to be decomposed, so that the data to be decomposed becomes a combination of two addresses; (F) when there is an unselected one For the encryption key and the address, repeat steps (C) to (E); and (G) Store the address selected last in steps (C) and (D) for reading when the key is restored. 根據申請專利範圍第6項之分散式多層遞迴的密鑰保管方法,其中所述位址在建立時,執行一編碼函式,使所述位址與區塊鏈位址的格式相同。 According to the distributed multi-layer recursive key storage method according to item 6 of the scope of patent application, when the address is created, an encoding function is executed to make the address and the blockchain address have the same format. 根據申請專利範圍第6項之分散式多層遞迴的密鑰保管方法,其中所述加密金鑰的產生係根據該密鑰及該密鑰管理的至少一私鑰所分別對應的一公鑰,並且將每一私鑰作為該待分解資料,用以執行該秘密共享演算法將所述私鑰分解為所述共享單元、加密為所述共享加密單元、以及計算出對應的該索引鍵值,再分別將不同的所述共享加密單元及其對應的該索引鍵值儲存在不同的所述資料庫。 The distributed multi-layer recursive key storage method according to item 6 of the scope of patent application, wherein the encryption key is generated according to a public key corresponding to the key and at least one private key managed by the key, And each private key is used as the data to be decomposed to execute the secret sharing algorithm to decompose the private key into the shared unit, encrypt it into the shared encryption unit, and calculate the corresponding index key value, Then, the different shared encryption units and their corresponding index key values are stored in different databases. 根據申請專利範圍第6項之分散式多層遞迴的密鑰保管方法,其中所述秘密共享演算法包含沙米爾的秘密共享(Shamir’s Secret Sharing,SSS)及布萊克利的秘密共享(Blakley’s Secret Sharing,BSS)。 According to the distributed multi-layer recursive key custody method of item 6 of the scope of patent application, the secret sharing algorithm includes Shamir's Secret Sharing (SSS) and Blakley's Secret Sharing (Blakley's Secret Sharing, BSS).
TW107139085A 2018-11-05 2018-11-05 Key management system based on distributed multi-layered recursive and method thereof TWI707246B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW107139085A TWI707246B (en) 2018-11-05 2018-11-05 Key management system based on distributed multi-layered recursive and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW107139085A TWI707246B (en) 2018-11-05 2018-11-05 Key management system based on distributed multi-layered recursive and method thereof

Publications (2)

Publication Number Publication Date
TW202018568A TW202018568A (en) 2020-05-16
TWI707246B true TWI707246B (en) 2020-10-11

Family

ID=71895774

Family Applications (1)

Application Number Title Priority Date Filing Date
TW107139085A TWI707246B (en) 2018-11-05 2018-11-05 Key management system based on distributed multi-layered recursive and method thereof

Country Status (1)

Country Link
TW (1) TWI707246B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1373877A (en) * 1999-07-30 2002-10-09 电脑联合想象公司 Method and system for displaying plurality of discrete files in compouns file
CN101569132A (en) * 2006-11-07 2009-10-28 安全第一公司 System and method for distributing data and securing data
CN1846396B (en) * 2003-07-11 2011-09-28 佳能株式会社 Key information processing method, device thereof
CN106844411A (en) * 2016-10-19 2017-06-13 中科聚信信息技术(北京)有限公司 A kind of big data random access system and method based on reducing subspaces

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1373877A (en) * 1999-07-30 2002-10-09 电脑联合想象公司 Method and system for displaying plurality of discrete files in compouns file
CN1846396B (en) * 2003-07-11 2011-09-28 佳能株式会社 Key information processing method, device thereof
CN101569132A (en) * 2006-11-07 2009-10-28 安全第一公司 System and method for distributing data and securing data
CN101569132B (en) 2006-11-07 2013-04-17 安全第一公司 Systems and methods for distributing and securing data
CN106844411A (en) * 2016-10-19 2017-06-13 中科聚信信息技术(北京)有限公司 A kind of big data random access system and method based on reducing subspaces

Also Published As

Publication number Publication date
TW202018568A (en) 2020-05-16

Similar Documents

Publication Publication Date Title
US10069625B2 (en) System and method for automatic key generation for self-encrypting drives
EP3066610B1 (en) Data protection in a storage system using external secrets
JP6732141B2 (en) Conversion key generation device, ciphertext conversion device, secret information processing system, conversion key generation method, conversion key generation program, ciphertext conversion method, and ciphertext conversion program
US11522671B2 (en) Homomorphic inference device, homomorphic inference method, computer readable medium, and privacy-preserving information processing system
US9122888B2 (en) System and method to create resilient site master-key for automated access
JP3871996B2 (en) Data division management method and program
WO2018205731A1 (en) Method and device for protecting block chain data and computer readable storage medium
TW202009776A (en) Multi-party safe calculation method and device, electronic equipment
US20170163413A1 (en) System and Method for Content Encryption in a Key/Value Store
CN111062045B (en) Information encryption and decryption method and device, electronic equipment and storage medium
US11075753B2 (en) System and method for cryptographic key fragments management
CN116011041B (en) Key management method, data protection method, system, chip and computer equipment
TWI597960B (en) Key splitting
US11599681B2 (en) Bit decomposition secure computation apparatus, bit combining secure computation apparatus, method and program
JP2023510311A (en) memory-based encryption
JP2022547942A (en) Cryptographic erase with internal and/or external actions
CN116361849A (en) Backup data encryption and decryption method and device for encrypted database
US10642786B2 (en) Security via data concealment using integrated circuits
CN111813544A (en) Processing method and device of computing task, scheduling and management system and medium
JP7248120B2 (en) CRYPTOGRAPHIC SYSTEM, KEY GENERATOR, ENCRYPTER, DECODER, AND PROGRAM
CN110086607B (en) Method, apparatus, computer device and storage medium for rapidly switching deployment keys
CN105404470B (en) Date storage method and safety device, data-storage system
EP4305799B1 (en) Encryption key management
TWI707246B (en) Key management system based on distributed multi-layered recursive and method thereof
CN112182636A (en) Method, device, equipment and medium for realizing joint modeling training