
WO2021164167A1 - Key access method, apparatus, system and device, and storage medium - Google Patents


Info

Publication number
WO2021164167A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
key data
data
target
format conversion
Application number
PCT/CN2020/098033
Other languages
French (fr)
Chinese (zh)
Inventor
邢希双
Original Assignee
苏州浪潮智能科技有限公司
Application filed by 苏州浪潮智能科技有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Definitions

  • the present invention relates to the technical field of data security, in particular to a key access method, device, system, equipment and computer-readable storage medium.
  • the application programs on the cloud host and the server are the bearers that provide services to the outside world, which provide users with the required services by processing a variety of business data.
  • Business data contains a lot of sensitive information.
  • Hackers can easily obtain benefits after obtaining this sensitive information. Therefore, business data has attracted the attention of external hackers, and preventing the leakage of sensitive information in business data has become a top priority.
  • the most commonly used means to protect sensitive information in business data is encryption, including encrypted storage and encrypted transmission.
  • the most important aspect of encryption is key management.
  • Key management is so important that it determines that the key management system must be sufficiently secure and robust. Key management methods are usually designed as independent hardware, such as hardware security modules (HSM), hardware devices with USB interfaces (USB Key); independent systems, such as key management systems (Key Management Service, KMS), Key Management Center (KMC); or an independent chip, such as a security chip (Trusted Platform Module, TPM), to achieve sufficient security independent of the operating system where the application program is located.
  • HSM hardware security modules
  • USB Key USB interfaces
  • KMS Key Management Service
  • KMC Key Management Center
  • TPM Trusted Platform Module
  • the purpose of the embodiments of the present invention is to provide a key access method, device, system, equipment and storage medium, which can reduce the cost of security protection of key data.
  • an embodiment of the present invention provides a key access method, including:
  • the corresponding target key data is acquired from the kernel memory.
  • the storing the application identifier and the key data after the format conversion in a set physical hard disk includes:
  • the method further includes:
  • each data packet is copied from the physical hard disk, and the spliced data packets are stored in the kernel memory.
  • acquiring the corresponding target key data from the kernel memory includes:
  • the method further includes:
  • the user state memory is released.
  • the method further includes:
  • the step of obtaining the corresponding target key data from the kernel memory is executed.
  • the format conversion of the key data according to a set algorithm includes:
  • the key data is XORed with the preset parameters, and the processing result is used as the key data after the format conversion.
  • the key generation rule is stored in a code obfuscation manner.
  • the embodiment of the present invention also provides a key access device, which includes a generation unit, a conversion unit, a preservation unit, and an acquisition unit;
  • the generating unit is configured to generate application identification and key data corresponding to the service data according to a preset key generation rule when the service data is received;
  • the conversion unit is configured to perform format conversion on the key data according to a set algorithm
  • the saving unit is configured to save the application identifier and the key data after format conversion to the kernel memory and the set physical hard disk;
  • the acquiring unit is configured to acquire the corresponding target key data from the kernel memory when the key acquisition request carrying the target application identifier sent by the business application program is acquired.
  • the storage unit includes a segmentation subunit and a storage subunit
  • the segmentation subunit is used to perform segmentation processing on the key data after the format conversion to obtain at least one data packet;
  • the storage subunit is used to store each of the data packets in a corresponding file; wherein, all files are set on the physical hard disk, and the file attributes of all files are set to hidden.
  • it also includes a copy unit
  • the copy unit is used for copying each data packet from the physical hard disk when the operating system restarts, and storing each spliced data packet in the kernel memory.
  • the acquiring unit includes a judging subunit and a copying subunit;
  • the judging subunit is used for judging whether there is target key data matching the target application identifier in the kernel memory when the key acquisition request carrying the target application identifier sent by the business application program is acquired; if so, trigger the copy subunit;
  • the copy subunit is used to copy the target key data to the user state memory provided by the business application program.
  • it further includes a release unit
  • the conversion unit is further configured to perform format conversion on the target key data according to the set algorithm
  • the releasing unit is configured to release the user state memory after the encryption and decryption operation of the target service data is completed by using the target key data after the format conversion.
  • it also includes a verification unit
  • the verification unit is configured to verify the validity of the key acquisition request according to the set verification rules; when the verification is passed, trigger the acquisition unit to execute the step of acquiring the corresponding target key data from the kernel memory.
  • the conversion unit is specifically configured to perform XOR processing on the key data and preset parameters, and use the processing result as the key data after format conversion.
  • the key generation rule is stored in a code obfuscation manner.
  • the embodiment of the present invention also provides a key access system, including a business application module and a filter driver module;
  • the business application module is configured to generate the application identifier and key data corresponding to the service data according to a preset key generation rule when the service data is received; perform format conversion on the key data according to a set algorithm; use a preset secure communication verification mechanism to establish a communication connection with the filter driver module, and transmit the application identifier and the format-converted key data to the filter driver module; and, when a key acquisition instruction is obtained, send a key acquisition request carrying the target application identifier to the filter driver module;
  • the filter driver module is used to save the application identifier and the format-converted key data to the kernel memory and the set physical hard disk; when a key acquisition request carrying the target application identifier sent by the business application is obtained, obtain the corresponding target key data from the kernel memory.
  • the embodiment of the present invention also provides a key access device, including:
  • a memory used to store a computer program
  • the processor is configured to execute the computer program to implement the steps of the key access method described in any one of the above.
  • the embodiment of the present invention also provides a computer-readable storage medium; the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the steps of the key access method described in any one of the above are implemented.
  • the application identifier and key data corresponding to the service data are generated according to the preset key generation rules; format conversion is performed on the key data according to the set algorithm, which changes the presentation of the key data and thereby enhances its security. The application identifier and the format-converted key data are saved to the kernel memory and the set physical hard disk; when a key acquisition request carrying the target application identifier sent by the business application is obtained, the corresponding target key data is obtained from the kernel memory.
  • the kernel space is started before all application programs are started. By saving the key data to the kernel memory, the key data can be well protected from being damaged.
  • the key data can be stored in the physical hard disk at the same time, realizing the persistent preservation of the key data.
  • the storage of the key data in this technical solution relies only on the kernel memory and physical hard disk inside the operating system, and no additional hardware equipment is needed. While ensuring the confidentiality and availability of the key data, the cost of security protection of the key data is reduced.
  • Figure 1 is a flowchart of a key access method provided by an embodiment of the present invention
  • FIG. 2 is a flowchart of a method for storing key data according to an embodiment of the present invention
  • FIG. 3 is a schematic structural diagram of a key access device provided by an embodiment of the present invention.
  • FIG. 4 is a schematic structural diagram of a key access system provided by an embodiment of the present invention.
  • Fig. 5 is a schematic structural diagram of a key access device provided by an embodiment of the present invention.
  • Fig. 1 is a flowchart of a key access method provided by an embodiment of the present invention, and the method includes:
  • the key data refers to the key information on which the business data is encrypted and decrypted.
  • the key generation rule is used to indicate the specific way of generating the key.
  • the key data can be generated by transforming and combining the MAC address of the hardware network card, the ID of the hardware CPU, the current system time, and the currently generated random number.
  • the operating system relies on preset key generation rules to generate key data.
  • the key generation rules can be saved in a code obfuscation manner.
  • the key data used in the encryption processing of different business data is different.
  • corresponding application identifiers can be set for different business data.
  • the application identifier and the key data have a corresponding relationship.
  • S102 Perform format conversion on the key data according to the set algorithm.
  • the presentation format of the key data can be converted to convert the key data into a data format that cannot be used directly.
  • the key data cannot be directly used to decrypt the business data.
  • bit operations can be performed on the key data.
  • the key data can be XORed with the preset parameters, and the processing result can be used as the key data after the format conversion.
  • the operating system strictly distinguishes the memory used by the kernel mode and the user mode, and the application program cannot see and use the kernel memory. Therefore, in the embodiment of the present invention, in order to ensure the security of the key data, the key data is stored in the kernel memory.
  • the operating system can save the key data to the preset physical hard disk while saving the key data to the kernel memory.
  • The physical hard disk does not lose its data after a power failure, so it can ensure the persistent storage of key data.
  • the required key data can be obtained from the kernel memory.
  • When saving the key data, it is saved according to the correspondence between the application identifier and the key data.
  • the application identifier corresponding to the business data is fixed. Therefore, when the key data needs to be obtained, a key acquisition request carrying the target application identifier can be sent to the operating system.
  • When the operating system receives the key acquisition request, it can query whether there is an application identifier that is the same as the target application identifier in the kernel memory.
  • the key data corresponding to the application identifier that is the same as the target application identifier is the target key data the user needs.
  • the key data can be split into multiple data segments that are stored separately.
  • Fig. 2 is a flowchart of a method for storing key data according to an embodiment of the present invention, and the method includes:
  • S202 Perform format conversion on the key data according to the set algorithm.
  • S203 Perform segmentation processing on the key data after the format conversion to obtain at least one data packet.
  • multiple files can be set on the physical hard disk, and when the operating system obtains the format-converted key data, the format-converted key data can be segmented to obtain at least one data packet.
  • the number of files can be preset, and in which file each data packet is specifically stored can also be preset.
  • the first data packet can be stored in the first file, the second data packet in the last file, the third data packet in the second file, the fourth data packet in the penultimate file, and so on, to complete the storage of each data packet.
  • polling can be performed again in the above manner, or all remaining data packets can be stored in the last remaining file.
  • the file attributes of all files can be set to hidden, and the operating system can block all non-business applications from accessing these hidden files.
  • the key data after the format conversion is stored in segments, which effectively improves the security of the key data.
  • Even if a certain piece of key data is maliciously obtained by an illegal user, the key data obtained by the illegal user is not complete, so the illegal user cannot directly use it to perform data decryption operations.
  • Because the kernel memory loses its data when the system is powered off, after the application identifier and the format-converted key data have been saved to the kernel memory and the set physical hard disk, whenever the operating system restarts, each data packet can be automatically copied from the physical hard disk and the spliced data packets stored in the kernel memory, so as to ensure that the operating system can obtain the key data from the kernel memory.
  • a user-mode memory can be allocated to store the key data by calling a function.
  • if target key data that matches the target application identifier exists in the kernel memory, the target key data is copied to the user-mode memory provided by the business application.
  • the target key data is the data after format conversion
  • the key data completes the encryption and decryption operations on the target business data.
  • the user mode memory can be released.
  • the storage time of the target key data in the user state memory can be reduced, thereby improving the security of the target key data.
  • the corresponding target is obtained from the kernel memory.
  • the legality of the key acquisition request can be verified according to the set verification rules; after the verification is passed, the step of obtaining the corresponding target key data from the kernel memory is executed.
  • FIG. 3 is a schematic structural diagram of a key access device provided by an embodiment of the present invention, which includes a generation unit 31, a conversion unit 32, a storage unit 33, and an acquisition unit 34;
  • the generating unit 31 is configured to generate application identification and key data corresponding to the service data according to the preset key generation rule when the service data is received;
  • the conversion unit 32 is used for format conversion of the key data according to the set algorithm
  • the saving unit 33 is used to save the key data after the application identification and format conversion to the kernel memory and the set physical hard disk;
  • the obtaining unit 34 is configured to obtain the corresponding target key data from the kernel memory when the key obtaining request carrying the target application identifier sent by the business application is obtained.
  • the storage unit includes a segmentation subunit and a storage subunit
  • the segmentation subunit is used to perform segmentation processing on the key data after the format conversion to obtain at least one data packet;
  • the storage sub-unit is used to store each data packet in a corresponding file; among them, all the files are set on the physical hard disk, and the file attributes of all the files are set to hidden.
  • it also includes a copy unit
  • the copy unit is used to copy data packets from the physical hard disk when the operating system restarts, and store the spliced data packets in the kernel memory.
  • the acquiring unit includes a judging subunit and a copying subunit;
  • the judging subunit is used for judging whether there is target key data matching the target application identifier in the kernel memory when the key acquisition request carrying the target application identifier sent by the business application program is obtained; if so, trigger the copy subunit;
  • the copy subunit is used to copy the target key data to the user state memory provided by the business application.
  • it further includes a release unit
  • the conversion unit is also used for format conversion of the target key data according to the set algorithm
  • the releasing unit is used to release the user state memory after the encryption and decryption operation of the target service data is completed by using the target key data after the format conversion.
  • it also includes a verification unit
  • the verification unit is used to verify the validity of the key acquisition request according to the set verification rules; when the verification is passed, the acquisition unit is triggered to execute the step of acquiring the corresponding target key data from the kernel memory.
  • the conversion unit is specifically configured to perform XOR processing on the key data and preset parameters, and use the processing result as the key data after format conversion.
  • the key generation rule is stored in a code obfuscation manner.
  • FIG. 4 is a schematic structural diagram of a key access system 40 provided by an embodiment of the present invention, which includes a service application module 41 and a filter driver module 42;
  • the business application module 41 is used to generate the application identifier and key data corresponding to the business data according to the preset key generation rules when the business data is received; to perform format conversion on the key data according to the set algorithm; to use the preset secure communication verification mechanism to establish a communication connection with the filter driver module, and transmit the application identifier and the format-converted key data to the filter driver module; and, when a key acquisition instruction is obtained, to send a key acquisition request carrying the target application identifier to the filter driver module;
  • the filter driver module 42 is used to save the application identifier and the format-converted key data to the kernel memory and the set physical hard disk; when a key acquisition request carrying the target application identifier sent by the business application is obtained, obtain the corresponding target key data from the kernel memory.
  • When the business application module 41 is started, it generates key data according to the key generation rules, and connects to the filter driver module 42 through a preset secure communication verification mechanism.
  • the business application module 41 delivers its own application identification and key data to the filter driver module 42.
  • the business application module 41 does not store the key data itself, and applies to the filter driver module 42 to obtain the key data when the key is needed.
  • the filter driver module 42 is integrated in the operating system kernel and runs together with the operating system, which is not perceivable by upper-layer applications, thereby effectively ensuring the security of the key data.
  • After the filter driver module 42 is started, it removes itself from the kernel module linked list, and any other application program except the business application module 41 cannot find the filter driver module 42 and cannot communicate with it.
  • the application identifier and key data are stored in the kernel memory of the filter driver module 42, and the key data is stored in blocks in designated hidden files on the physical hard disk.
  • the filter driver module 42 can intercept all access to the files storing the key data, to improve the security of key data storage.
  • anti-debugging technology can be adopted to prevent illegal users from obtaining the key data dynamically allocated to the user-mode memory before use through the debugging method.
  • FIG. 5 is a schematic structural diagram of a key access device 50 provided by an embodiment of the present invention, including:
  • the memory 51 is used to store computer programs
  • the processor 52 is configured to execute a computer program to implement the steps of the key access method described in any one of the above embodiments.
  • the embodiment of the present invention also provides a computer-readable storage medium, and a computer program is stored on the computer-readable storage medium. step.
  • the steps of the method or algorithm described in the embodiments disclosed in this document can be directly implemented by hardware, a software module executed by a processor, or a combination of the two.
  • the software module can be placed in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disks, removable disks, CD-ROMs, or any other form of storage medium known in the technical field.
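
The segmented storage and restart path described above (XOR format conversion, packets placed in the first, last, second, penultimate file and so on, then spliced back into kernel memory), as an added example that is not code from the patent. The hidden files are simulated as in-memory buffers; the file count, packet size, preset parameter and sample key are constructed assumptions, and the loader is assumed to know the total key length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_FILES   4   /* assumed number of preset hidden files */
#define PACKET_SIZE 4   /* assumed packet size in bytes */
#define MAX_BYTES   64  /* capacity of each simulated file */

/* In-memory stand-in for one hidden file on the physical hard disk. */
struct sim_file { uint8_t data[MAX_BYTES]; size_t len; };

/* Format conversion: XOR with the preset parameter. Applying it twice
 * restores the input, so the same routine converts and recovers. */
static void format_convert(uint8_t *buf, size_t len,
                           const uint8_t *param, size_t plen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= param[i % plen];
}

/* Placement order from the description: first file, last file, second
 * file, penultimate file, ...; polling restarts once every file is used. */
static size_t file_index_for_packet(size_t pkt, size_t nfiles)
{
    size_t slot = pkt % nfiles;
    return (slot % 2 == 0) ? slot / 2 : nfiles - 1 - slot / 2;
}

/* Segment the converted key and append each packet to its file.
 * Returns 0 on success, -1 if a simulated file would overflow. */
static int store_packets(struct sim_file *files, const uint8_t *conv, size_t len)
{
    size_t pkt = 0;
    for (size_t off = 0; off < len; off += PACKET_SIZE, pkt++) {
        size_t n = (len - off < PACKET_SIZE) ? len - off : PACKET_SIZE;
        struct sim_file *f = &files[file_index_for_packet(pkt, NUM_FILES)];
        if (f->len + n > MAX_BYTES)
            return -1;
        memcpy(f->data + f->len, conv + off, n);
        f->len += n;
    }
    return 0;
}

/* Restart path: read the packets back in packet order and splice them.
 * Returns 0 on success, -1 if a file holds fewer bytes than expected. */
static int splice_packets(const struct sim_file *files, uint8_t *out, size_t len)
{
    size_t cursor[NUM_FILES] = {0};
    size_t pkt = 0;
    for (size_t off = 0; off < len; off += PACKET_SIZE, pkt++) {
        size_t n = (len - off < PACKET_SIZE) ? len - off : PACKET_SIZE;
        size_t idx = file_index_for_packet(pkt, NUM_FILES);
        if (cursor[idx] + n > files[idx].len)
            return -1;
        memcpy(out + off, files[idx].data + cursor[idx], n);
        cursor[idx] += n;
    }
    return 0;
}

/* Full cycle on a constructed 22-byte key: convert, store, splice,
 * recover. Returns 1 when the recovered key matches the original. */
static int roundtrip_ok(void)
{
    static const uint8_t param[] = {0x5A, 0xC3, 0x17};  /* constructed */
    uint8_t key[22], conv[22], kernel_copy[22];
    struct sim_file files[NUM_FILES];

    memset(files, 0, sizeof files);
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (uint8_t)(i * 7 + 1);                   /* constructed */

    memcpy(conv, key, sizeof key);
    format_convert(conv, sizeof conv, param, sizeof param);
    if (store_packets(files, conv, sizeof conv) != 0)
        return 0;
    if (splice_packets(files, kernel_copy, sizeof kernel_copy) != 0)
        return 0;
    /* Kernel memory holds the converted form, never the raw key. */
    if (memcmp(kernel_copy, conv, sizeof conv) != 0)
        return 0;
    /* The application converts again after copying to user-mode memory. */
    format_convert(kernel_copy, sizeof kernel_copy, param, sizeof param);
    return memcmp(kernel_copy, key, sizeof key) == 0;
}

int main(void)
{
    printf("round trip %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Because XOR with a fixed parameter is undone by applying it again, the stored form is only as well protected as the preset parameter and the access control on the files.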

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A key access method, apparatus, system and device, and a storage medium. The method comprises: when service data is received, generating an application identifier and key data corresponding to the service data according to a preset key generation rule; performing format conversion on the key data according to a set algorithm; storing the application identifier and the key data subjected to format conversion into a kernel memory and a set physical hard disk, so as to realize persistent storage of the key data; and when a key obtaining request carrying a target application identifier and sent by a service application is obtained, obtaining corresponding target key data from the kernel memory. When an operating system is started, a kernel space is started before all the applications are started, and key data can be well protected from being damaged by storing the key data into a kernel memory. Additional hardware devices are not needed, so that the confidentiality and availability of the key data are ensured, and the costs of carrying out security protection on the key data are reduced.

Description

一种密钥存取方法、装置、系统、设备和存储介质Key access method, device, system, equipment and storage medium
本申请要求于2020年02月21日提交中国专利局、申请号为202010108469.2、发明名称为“一种密钥存取方法、装置、系统、设备和存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims the priority of a Chinese patent application filed with the Chinese Patent Office on February 21, 2020, the application number is 202010108469.2, and the invention title is "a key access method, device, system, equipment, and storage medium". The entire content is incorporated into this application by reference.
技术领域Technical field
本发明涉及数据安全技术领域,特别是涉及一种密钥存取方法、装置、系统、设备和计算机可读存储介质。The present invention relates to the technical field of data security, in particular to a key access method, device, system, equipment and computer-readable storage medium.
背景技术Background technique
随着云计算、大数据等新型技术的发展,对云主机和服务器的安全性要求越来越高。云主机和服务器上的应用程序是对外提供服务的承载者,其通过处理各种各样的业务数据来为用户提供所需的服务。With the development of new technologies such as cloud computing and big data, the security requirements for cloud hosts and servers are getting higher and higher. The application programs on the cloud host and the server are the bearers that provide services to the outside world, which provide users with the required services by processing a variety of business data.
Business data contains a great deal of sensitive information, and hackers who obtain it can easily profit from it. Business data is therefore a prime target for external hackers, and preventing leakage of the sensitive information it contains is a top priority. The most common means of protecting sensitive information in business data is encryption, covering both encrypted storage and encrypted transmission. The most important aspect of encryption is key management.
Consider a hacker faced with encrypted business data: it is like facing a locked door, and no valuable information can be obtained. If the hacker obtains the key, it is like holding the key to that locked door, which can then be opened easily to take whatever information is wanted. Because key management is this important, a key management system must be sufficiently secure and robust. Key management is usually implemented as independent hardware, such as a hardware security module (HSM) or a hardware device with a USB interface (USB Key); as an independent system, such as a Key Management Service (KMS) or a Key Management Center (KMC); or as an independent chip, such as a security chip (Trusted Platform Module, TPM), so that it is independent of the operating system on which the application runs and achieves sufficient security.
In real production environments, however, some small systems have a very low budget to begin with, and system vendors will not accept the introduction of independent hardware, systems or chips. In addition, when some existing business systems undergo a security upgrade, the operator or customer does not allow further hardware, systems or chips to be added.
How to reduce the cost of protecting key data is therefore a problem that those skilled in the art need to solve.
Summary of the invention
The purpose of the embodiments of the present invention is to provide a key access method, apparatus, system, device and storage medium that can reduce the cost of protecting key data.
To solve the above technical problem, an embodiment of the present invention provides a key access method, including:
when business data is received, generating an application identifier and key data corresponding to the business data according to a preset key generation rule;
performing format conversion on the key data according to a set algorithm;
saving the application identifier and the format-converted key data to kernel memory and to a set physical hard disk;
when a key acquisition request carrying a target application identifier is received from a business application, obtaining the corresponding target key data from the kernel memory.
Optionally, storing the application identifier and the format-converted key data on the set physical hard disk includes:
segmenting the format-converted key data to obtain at least one data packet;
storing each data packet in a corresponding file, wherein all the files are located on the physical hard disk and the file attribute of every file is set to hidden.
Optionally, after the application identifier and the format-converted key data are saved to the kernel memory and the set physical hard disk, the method further includes:
when the operating system restarts, copying the data packets from the physical hard disk, and storing the spliced data packets in the kernel memory.
Optionally, obtaining the corresponding target key data from the kernel memory when a key acquisition request carrying a target application identifier is received from a business application includes:
when the key acquisition request carrying the target application identifier is received from the business application, determining whether target key data matching the target application identifier exists in the kernel memory;
if so, copying the target key data to the user-mode memory provided by the business application.
Optionally, after the target key data is copied to the user-mode memory provided by the business application, the method further includes:
performing format conversion on the target key data according to the set algorithm;
after the encryption or decryption of the target business data has been completed using the format-converted target key data, releasing the user-mode memory.
Optionally, after the key acquisition request carrying the target application identifier is received from the business application and before the corresponding target key data is obtained from the kernel memory, the method further includes:
verifying the legitimacy of the key acquisition request according to a set verification rule;
once verification has passed, executing the step of obtaining the corresponding target key data from the kernel memory.
Optionally, performing format conversion on the key data according to the set algorithm includes:
XORing the key data with a preset parameter, and using the result as the format-converted key data.
Optionally, the key generation rule is stored in code-obfuscated form.
An embodiment of the present invention also provides a key access apparatus, including a generation unit, a conversion unit, a saving unit and an acquisition unit;
the generation unit is configured to generate, when business data is received, an application identifier and key data corresponding to the business data according to a preset key generation rule;
the conversion unit is configured to perform format conversion on the key data according to a set algorithm;
the saving unit is configured to save the application identifier and the format-converted key data to kernel memory and to a set physical hard disk;
the acquisition unit is configured to obtain the corresponding target key data from the kernel memory when a key acquisition request carrying a target application identifier is received from a business application.
Optionally, the storage unit includes a segmentation subunit and a storage subunit;
the segmentation subunit is configured to segment the format-converted key data to obtain at least one data packet;
the storage subunit is configured to store each data packet in a corresponding file, wherein all the files are located on the physical hard disk and the file attribute of every file is set to hidden.
Optionally, the apparatus further includes a copy unit;
the copy unit is configured to copy the data packets from the physical hard disk when the operating system restarts, and to store the spliced data packets in the kernel memory.
Optionally, the acquisition unit includes a judging subunit and a copying subunit;
the judging subunit is configured to determine, when a key acquisition request carrying a target application identifier is received from a business application, whether target key data matching the target application identifier exists in the kernel memory, and if so, to trigger the copying subunit;
the copying subunit is configured to copy the target key data to the user-mode memory provided by the business application.
Optionally, the apparatus further includes a release unit;
the conversion unit is further configured to perform format conversion on the target key data according to the set algorithm;
the release unit is configured to release the user-mode memory after the encryption or decryption of the target business data has been completed using the format-converted target key data.
Optionally, the apparatus further includes a verification unit;
the verification unit is configured to verify the legitimacy of the key acquisition request according to a set verification rule and, once verification has passed, to trigger the acquisition unit to execute the step of obtaining the corresponding target key data from the kernel memory.
Optionally, the conversion unit is specifically configured to XOR the key data with a preset parameter and to use the result as the format-converted key data.
Optionally, the key generation rule is stored in code-obfuscated form.
An embodiment of the present invention also provides a key access system, including a business application module and a filter driver module;
the business application module is configured to: when business data is received, generate an application identifier and key data corresponding to the business data according to a preset key generation rule; perform format conversion on the key data according to a set algorithm; establish a communication connection with the filter driver module using a preset secure communication verification mechanism, and transmit the application identifier and the format-converted key data to the filter driver module; and, when a key acquisition instruction is obtained, send a key acquisition request carrying a target application identifier to the filter driver module;
the filter driver module is configured to: save the application identifier and the format-converted key data to kernel memory and to a set physical hard disk; and, when a key acquisition request carrying a target application identifier is received from a business application, obtain the corresponding target key data from the kernel memory.
An embodiment of the present invention also provides a key access device, including:
a memory, configured to store a computer program;
a processor, configured to execute the computer program to implement the steps of the key access method described in any one of the above.
An embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the key access method described in any one of the above are implemented.
As can be seen from the above technical solution, when business data is received, an application identifier and key data corresponding to the business data are generated according to a preset key generation rule; the key data is format-converted according to a set algorithm; the format conversion changes how the key data is presented, which improves the security of the key data. The application identifier and the format-converted key data are saved to kernel memory and to a set physical hard disk; when a key acquisition request carrying a target application identifier is received from a business application, the corresponding target key data is obtained from the kernel memory. When the operating system boots, kernel space starts before any application, so saving the key data in kernel memory protects it well from being damaged. And because data in kernel memory is lost when the system loses power, the key data can also be stored on the physical hard disk, which makes it persistent. In this technical solution, storing key data relies only on the kernel memory and physical hard disk inside the operating system and needs no additional hardware, so it reduces the cost of protecting key data while ensuring the confidentiality and availability of the key data.
Description of the drawings
To explain the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative work.
Fig. 1 is a flowchart of a key access method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a key data storage method provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a key access apparatus provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a key access system provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a key access device provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative work fall within the protection scope of the present invention.
To help those skilled in the art better understand the solution of the present invention, the invention is described in further detail below with reference to the drawings and specific embodiments.
Next, a key access method provided by an embodiment of the present invention is described in detail. Fig. 1 is a flowchart of a key access method provided by an embodiment of the present invention; the method includes:
S101: When business data is received, generate an application identifier and key data corresponding to the business data according to a preset key generation rule.
Key data is the key information on which encryption and decryption of the business data depend.
The key generation rule specifies how the key is generated. In practice, key data can be generated by transforming and combining the MAC address of the hardware network card, the ID of the hardware CPU, the current system time, and a freshly generated random number.
In this embodiment, the operating system relies on the preset key generation rule to generate key data. To improve the security of the key generation rule, the rule can be stored in code-obfuscated form.
Different business data is encrypted with different key data. To make it easy to tell different business data apart, in this embodiment a corresponding application identifier can be set for each kind of business data. The application identifier and the key data correspond to each other.
S102: Perform format conversion on the key data according to a set algorithm.
To keep the key data secure, once it has been generated its presentation format can be converted, turning the key data into a form that cannot be used directly. With the format converted, even if the key data is obtained illegally, it cannot be used directly to decrypt the business data.
The key data can be format-converted in many ways; for example, bitwise operations can be applied to it. Taking XOR as an example, the key data can be XORed with a preset parameter, and the result used as the format-converted key data.
S103: Save the application identifier and the format-converted key data to kernel memory and to a set physical hard disk.
The operating system strictly separates the memory used in kernel mode from that used in user mode, and applications can neither see nor use kernel memory. In this embodiment, therefore, the key data is saved in kernel memory to keep it secure.
Because data in kernel memory is lost when the system loses power and restarts, the operating system can, to make the key data persistent, save it to a preset physical hard disk at the same time as it saves it to kernel memory. A physical hard disk retains its contents without power, so the key data is stored persistently.
S104: When a key acquisition request carrying a target application identifier is received from a business application, obtain the corresponding target key data from the kernel memory.
When encrypted business data needs to be decrypted, the required key data can be obtained from kernel memory.
Key data is saved according to the correspondence between application identifier and key data, and the application identifier corresponding to given business data is fixed. Therefore, when key data is needed, a key acquisition request carrying the target application identifier can be sent to the operating system.
When the operating system receives the key acquisition request, it can check whether kernel memory holds an application identifier identical to the target application identifier; the key data corresponding to that application identifier is the target key data the user needs.
As can be seen from the above technical solution, when business data is received, an application identifier and key data corresponding to the business data are generated according to a preset key generation rule; the key data is format-converted according to a set algorithm; the format conversion changes how the key data is presented, which improves the security of the key data. The application identifier and the format-converted key data are saved to kernel memory and to a set physical hard disk; when a key acquisition request carrying a target application identifier is received from a business application, the corresponding target key data is obtained from the kernel memory. When the operating system boots, kernel space starts before any application, so saving the key data in kernel memory protects it well from being damaged. And because data in kernel memory is lost when the system loses power, the key data can also be stored on the physical hard disk, which makes it persistent. In this technical solution, storing key data relies only on the kernel memory and physical hard disk inside the operating system and needs no additional hardware, so it reduces the cost of protecting key data while ensuring the confidentiality and availability of the key data.
In this embodiment, key data stays on the physical hard disk for a long time, and the longer it is stored the higher the security risk. To further improve the security of key data storage, the key data can be split into multiple data segments that are stored separately.
Fig. 2 is a flowchart of a key data storage method provided by an embodiment of the present invention; the method includes:
S201: When business data is received, generate an application identifier and key data corresponding to the business data according to a preset key generation rule.
For the specific implementation of S201, see the description of S101; it is not repeated here.
S202: Perform format conversion on the key data according to a set algorithm.
For the specific implementation of S202, see the description of S102; it is not repeated here.
S203: Segment the format-converted key data to obtain at least one data packet.
In a specific implementation, multiple files can be set up on the physical hard disk. When the operating system obtains the format-converted key data, it can segment that data to obtain at least one data packet.
S204: Store each data packet in a corresponding file.
All the files are located on the physical hard disk.
In this embodiment, the number of files can be preset, and so can the file in which each data packet is stored. For example, following the order in which the data packets are combined, the first data packet can be stored in the first file, the second data packet in the last file, the third data packet in the second file, the fourth data packet in the second-to-last file, and so on, until every data packet has been stored. When there are more data packets than files, the files can be cycled through again in the same way, or all remaining data packets can be stored in the last remaining file. Scrambling the storage order of the data packets further improves the security of key data storage.
To improve the security of the files, the file attribute of every file can be set to hidden, and the operating system can intercept all access to these hidden files by non-business applications.
S205: When a key acquisition request carrying a target application identifier is received from a business application, obtain the corresponding target key data from the kernel memory.
For the specific implementation of S205, see the description of S104; it is not repeated here.
In this embodiment, storing the format-converted key data in segments effectively improves the security of the key data. If one segment of key data is maliciously obtained by an illegal user, the key data that user holds is incomplete, so the user cannot use it directly to decrypt data. Even if the illegal user obtains all the data packets corresponding to the key data, the user does not know the order in which the data packets are combined and therefore still cannot use the obtained data packets directly to decrypt data.
Because kernel memory loses its data when the system loses power, after the application identifier and the format-converted key data have been saved to kernel memory and the set physical hard disk, each time the operating system restarts the data packets can be copied automatically from the physical hard disk and the spliced data packets stored in kernel memory, so that the operating system can obtain the key data from kernel memory.
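The storage path of S202 to S204 and the reassembly on restart can be traced end to end in a user-space C simulation. This is an added example, not code from the patent; the file count, segment length, XOR parameter, in-memory "files" and the assumption that the total key length is kept as metadata are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFILES   4    /* number of hidden files (constructed value) */
#define SEG_LEN  4    /* bytes per data packet (constructed value) */
#define FILE_CAP 64   /* capacity of each simulated file */

/* Simulated hidden file on the physical disk; holds whole packets. */
struct sim_file { uint8_t data[FILE_CAP]; size_t len; };

/* S102/S202: XOR format conversion. XOR is its own inverse, so the same
 * call restores the key; anyone holding the parameter can do the same. */
void xor_convert(uint8_t *buf, size_t len, const uint8_t *param, size_t plen)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= param[i % plen];
}

/* S204 placement order: packet 0 -> first file, 1 -> last, 2 -> second,
 * 3 -> second-to-last, ...; cycles again when packets outnumber files. */
size_t file_for_packet(size_t pkt, size_t nfiles)
{
    size_t r = pkt % nfiles;
    return (r % 2 == 0) ? r / 2 : nfiles - 1 - r / 2;
}

/* S203 + S204: split the converted key into packets and append each one
 * to its file. Returns the packet count, or -1 if a file would overflow. */
int store_segments(const uint8_t *key, size_t len, struct sim_file files[NFILES])
{
    size_t npkts = (len + SEG_LEN - 1) / SEG_LEN;
    for (size_t p = 0; p < npkts; p++) {
        size_t off = p * SEG_LEN;
        size_t n = (len - off < SEG_LEN) ? len - off : SEG_LEN;
        struct sim_file *f = &files[file_for_packet(p, NFILES)];
        if (f->len + n > FILE_CAP)
            return -1;
        memcpy(f->data + f->len, key + off, n);
        f->len += n;
    }
    return (int)npkts;
}

/* Restart path: read packets back in logical order and splice them.
 * total_len is assumed to be stored as metadata with the application ID. */
int load_segments(const struct sim_file files[NFILES], size_t total_len, uint8_t *out)
{
    size_t cursor[NFILES] = {0};
    size_t npkts = (total_len + SEG_LEN - 1) / SEG_LEN;
    for (size_t p = 0; p < npkts; p++) {
        size_t off = p * SEG_LEN;
        size_t n = (total_len - off < SEG_LEN) ? total_len - off : SEG_LEN;
        size_t fi = file_for_packet(p, NFILES);
        if (cursor[fi] + n > files[fi].len)
            return -1;                       /* truncated or missing packet */
        memcpy(out + off, files[fi].data + cursor[fi], n);
        cursor[fi] += n;
    }
    return 0;
}

/* Round trip on a constructed 18-byte key; returns 1 on success. */
int demo_roundtrip(void)
{
    static const uint8_t param[] = { 0x5A, 0xC3, 0x19 };   /* constructed */
    uint8_t key[18], work[18], back[18];
    struct sim_file files[NFILES];

    memset(files, 0, sizeof files);
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (uint8_t)(i * 7 + 1);                     /* constructed key */

    memcpy(work, key, sizeof key);
    xor_convert(work, sizeof work, param, sizeof param);   /* S202 */
    if (store_segments(work, sizeof work, files) != 5)     /* S203/S204 */
        return 0;
    if (load_segments(files, sizeof work, back) != 0)      /* restart */
        return 0;
    xor_convert(back, sizeof back, param, sizeof param);   /* undo S202 */
    return memcmp(back, key, sizeof key) == 0;
}

int main(void)
{
    printf("round trip %s\n", demo_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The load routine fails closed when any file is shorter than the placement rule expects, which is the condition to check for on restart before the spliced key is placed in kernel memory.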
In practice, when the operating system needs to obtain key data, it can call a function to allocate user-mode memory for storing the key data; when target key data matching the target application identifier exists in kernel memory, the target key data is copied to the user-mode memory provided by the business application.
Because the target key data has been format-converted, encrypting or decrypting the target business data requires first performing format conversion on the target key data according to the set algorithm, and then using the format-converted target key data to complete the encryption or decryption of the target business data.
Once the encryption or decryption of the target business data is complete, the user-mode memory can be released.
Releasing the user-mode memory shortens the time the target key data stays in user-mode memory, which improves the security of the target key data.
In this embodiment, to prevent other, non-business applications from accessing kernel memory, after a key acquisition request carrying the target application identifier has been received from a business application and before the corresponding target key data is obtained from kernel memory, the legitimacy of the key acquisition request can be verified according to a set verification rule; once verification has passed, the step of obtaining the corresponding target key data from kernel memory is executed.
Verification can be done in many ways. For example, a specific character string that a business application must carry when it accesses the operating system to obtain key data can be preset; when the key acquisition request sent by the business application carries that specific character string, the key acquisition request is legitimate.
Verifying the legitimacy of key acquisition requests effectively reduces the cases in which a non-business application that has illegally obtained a business application's application identifier impersonates that business application to obtain key data illegally.
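The retrieval path described above (verify the request, look up the application identifier, copy to a user-mode buffer, convert back, use, release) is sketched below as a user-space C simulation. This is an added example, not the patent's code; the table layout, status codes, request string, XOR parameter and sample key are constructed, and the constant-time comparison and the zeroing of the buffer before it is freed are assumptions that go beyond what the text specifies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY 32

enum { KEY_OK = 0, KEY_DENIED = -1, KEY_NOT_FOUND = -2,
       KEY_BUF_SMALL = -3, KEY_NO_MEM = -4 };

/* Simulated kernel-memory record: application ID -> format-converted key. */
struct key_entry { const char *app_id; uint8_t conv_key[MAX_KEY]; size_t len; };

/* Constructed stand-ins for the preset string, XOR parameter and key. */
static const char    REQ_TOKEN[]  = "constructed-request-token";
static const uint8_t XOR_PARAM[]  = { 0x5A, 0xC3, 0x19 };
static const uint8_t PLAIN_KEY[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

static void xor_convert(uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= XOR_PARAM[i % sizeof XOR_PARAM];
}

/* Legitimacy check: compare the carried string without an early exit, so
 * timing does not reveal how many leading characters matched (assumption). */
static int token_ok(const char *token)
{
    size_t n = sizeof REQ_TOKEN - 1;
    unsigned char diff = 0;
    if (token == NULL || strlen(token) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(token[i] ^ REQ_TOKEN[i]);
    return diff == 0;
}

/* "Kernel" side: verify first, then match the ID and copy the converted key
 * into the caller's buffer, never writing past the capacity it declared. */
int kernel_get_key(const struct key_entry *table, size_t n, const char *app_id,
                   const char *token, uint8_t *user_buf, size_t user_cap,
                   size_t *out_len)
{
    if (!token_ok(token))
        return KEY_DENIED;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(table[i].app_id, app_id) != 0)
            continue;
        if (user_cap < table[i].len)
            return KEY_BUF_SMALL;
        memcpy(user_buf, table[i].conv_key, table[i].len);
        *out_len = table[i].len;
        return KEY_OK;
    }
    return KEY_NOT_FOUND;
}

/* Overwrite through a volatile pointer so the store is not optimized away. */
static void wipe(void *p, size_t len)
{
    volatile uint8_t *v = p;
    while (len--)
        *v++ = 0;
}

typedef int (*key_user_fn)(const uint8_t *key, size_t len, void *ctx);

/* Application side: allocate, fetch, convert back, use, wipe, release.
 * The callback returns KEY_OK when the cryptographic operation succeeded. */
int with_key(const struct key_entry *table, size_t n, const char *app_id,
             const char *token, key_user_fn use, void *ctx)
{
    size_t len = 0;
    uint8_t *buf = malloc(MAX_KEY);
    if (buf == NULL)
        return KEY_NO_MEM;
    int rc = kernel_get_key(table, n, app_id, token, buf, MAX_KEY, &len);
    if (rc == KEY_OK) {
        xor_convert(buf, len);     /* key is usable only from here ... */
        rc = use(buf, len, ctx);
    }
    wipe(buf, MAX_KEY);            /* ... to here */
    free(buf);
    return rc;
}

/* Stand-in for the encrypt/decrypt step: checks the recovered key bytes. */
static int check_key(const uint8_t *key, size_t len, void *ctx)
{
    (void)ctx;
    return (len == sizeof PLAIN_KEY && memcmp(key, PLAIN_KEY, len) == 0)
               ? KEY_OK : 1;
}

/* Build a one-entry table for the constructed ID "billing-app" and request. */
int demo_request(const char *app_id, const char *token)
{
    struct key_entry table[1] = { { "billing-app", {0}, sizeof PLAIN_KEY } };
    memcpy(table[0].conv_key, PLAIN_KEY, sizeof PLAIN_KEY);
    xor_convert(table[0].conv_key, sizeof PLAIN_KEY);   /* as saved by S103 */
    return with_key(table, 1, app_id, token, check_key, NULL);
}

int main(void)
{
    return demo_request("billing-app", REQ_TOKEN) == KEY_OK ? 0 : 1;
}
```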
图3为本发明实施例提供的一种密钥存取装置的结构示意图,包括生成单元31、转换单元32、保存单元33和获取单元34;FIG. 3 is a schematic structural diagram of a key access device provided by an embodiment of the present invention, which includes a generation unit 31, a conversion unit 32, a storage unit 33, and an acquisition unit 34;
生成单元31,用于当接收到业务数据时,按照预先设定的密钥生成规则,生成与业务数据相对应的应用标识和密钥数据;The generating unit 31 is configured to generate application identification and key data corresponding to the service data according to the preset key generation rule when the service data is received;
The conversion unit 32 is configured to perform format conversion on the key data according to a set algorithm;
The saving unit 33 is configured to save the application identifier and the format-converted key data to kernel memory and to a set physical hard disk;
The acquiring unit 34 is configured to obtain the corresponding target key data from the kernel memory when a key acquisition request carrying a target application identifier, sent by a business application, is received.
Optionally, the storage unit includes a segmentation subunit and a storage subunit;
The segmentation subunit is configured to segment the format-converted key data to obtain at least one data packet;
The storage subunit is configured to store each data packet in a corresponding file, where all of the files reside on the physical hard disk and the file attribute of every file is set to hidden.
Optionally, a copy unit is also included;
The copy unit is configured to copy the data packets from the physical hard disk when the operating system restarts, and to store the spliced data packets in the kernel memory.
Optionally, the acquiring unit includes a judging subunit and a copy subunit;
The judging subunit is configured to determine, when a key acquisition request carrying a target application identifier sent by a business application is received, whether target key data matching the target application identifier exists in the kernel memory; if so, it triggers the copy subunit;
The copy subunit is configured to copy the target key data to the user-mode memory provided by the business application.
Optionally, a release unit is also included;
The conversion unit is further configured to perform format conversion on the target key data according to the set algorithm;
The release unit is configured to release the user-mode memory after the format-converted target key data has been used to complete the encryption or decryption of the target service data.
Optionally, a verification unit is also included;
The verification unit is configured to verify the legitimacy of the key acquisition request according to a set verification rule; once verification passes, it triggers the acquiring unit to perform the step of obtaining the corresponding target key data from the kernel memory.
Optionally, the conversion unit is specifically configured to XOR the key data with a preset parameter and to use the result as the format-converted key data.
Optionally, the key generation rule is stored in code-obfuscated form.
For a description of the features in the embodiment corresponding to FIG. 3, refer to the related description of the embodiments corresponding to FIG. 1 and FIG. 2; they are not repeated here.
As can be seen from the above technical solution, when service data is received, an application identifier and key data corresponding to the service data are generated according to a preset key generation rule, and the key data undergoes format conversion according to a set algorithm. The format conversion changes how the key data is presented, which improves the security of the key data. The application identifier and the format-converted key data are saved to kernel memory and to a set physical hard disk; when a key acquisition request carrying a target application identifier, sent by a business application, is received, the corresponding target key data is obtained from the kernel memory. When the operating system boots, kernel space starts before any application, so saving the key data in kernel memory protects it well from being damaged. Because data in kernel memory is lost when the system loses power, the key data can also be stored on the physical hard disk, which makes it persistent. In this technical solution, storing the key data relies only on the kernel memory and physical hard disk within the operating system and requires no additional hardware, so the confidentiality and availability of the key data are ensured while the cost of protecting the key data is reduced.
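Added example (not code from the patent): a C sketch of the XOR format conversion, the segmentation into per-file data packets, and the splicing performed at restart, as described above. The 8-byte preset parameter, the 12-byte packet size and the packet index field are assumptions, since the patent specifies none of them; note that XOR with a fixed parameter is its own inverse, so it obscures the stored bytes but is not encryption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN     32  /* assumed key size */
#define PACKET_LEN  12  /* assumed segment size; only the last packet may be shorter */
#define MAX_PACKETS 8

/* Hypothetical preset parameter (constructed value, not from the patent). */
static const uint8_t PRESET_PARAM[8] = {0x5A, 0xC3, 0x19, 0x7E, 0xB4, 0x02, 0xE8, 0x6D};

/* One data packet, i.e. the contents of one hidden file. The index field is an
 * assumption: the patent does not say how packet order is recorded. */
struct packet { uint16_t index; uint16_t len; uint8_t data[PACKET_LEN]; };

/* Format conversion: XOR with the repeating preset parameter. Running it a
 * second time restores the input, so it is also the "convert back" step. */
void format_convert(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= PRESET_PARAM[i % sizeof PRESET_PARAM];
}

/* Split converted key data into packets. Returns the packet count, or -1. */
int segment_key(const uint8_t *conv, size_t len, struct packet *out, size_t max_out) {
    size_t n = (len + PACKET_LEN - 1) / PACKET_LEN;
    if (len == 0 || n > max_out) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t off = i * PACKET_LEN;
        size_t chunk = (len - off < PACKET_LEN) ? len - off : PACKET_LEN;
        out[i].index = (uint16_t)i;
        out[i].len = (uint16_t)chunk;
        memcpy(out[i].data, conv + off, chunk);
    }
    return (int)n;
}

/* Splice packets in index order, whatever order they were read in. Returns the
 * spliced length, or -1 on a missing, duplicated or malformed packet or overflow. */
int splice_packets(const struct packet *pk, size_t count, uint8_t *out, size_t out_cap) {
    size_t total = 0;
    for (size_t want = 0; want < count; want++) {
        const struct packet *found = NULL;
        for (size_t j = 0; j < count; j++) {
            if (pk[j].index != want) continue;
            if (found) return -1;                       /* duplicate index */
            found = &pk[j];
        }
        if (!found || found->len == 0 || found->len > PACKET_LEN) return -1;
        if (want + 1 < count && found->len != PACKET_LEN) return -1;  /* short packet mid-stream */
        if (found->len > out_cap - total) return -1;    /* would overflow the kernel-side buffer */
        memcpy(out + total, found->data, found->len);
        total += found->len;
    }
    return (int)total;
}

/* Store-then-restart round trip on a constructed key. Returns 1 if the key is
 * recovered intact, 0 if restoration is refused or the bytes differ. */
int demo_roundtrip(int lose_packet) {
    uint8_t key[KEY_LEN], stored[KEY_LEN], restored[KEY_LEN];
    struct packet files[MAX_PACKETS], tmp;
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(0xA0 + i);                   /* constructed sample key */
    memcpy(stored, key, KEY_LEN);
    format_convert(stored, KEY_LEN);                    /* convert before saving */
    int n = segment_key(stored, KEY_LEN, files, MAX_PACKETS);
    if (n != 3) return 0;
    tmp = files[0]; files[0] = files[2]; files[2] = tmp;  /* files read back out of order */
    if (lose_packet) files[1].index = 7;                /* simulate a lost packet file */
    if (splice_packets(files, (size_t)n, restored, sizeof restored) != KEY_LEN) return 0;
    format_convert(restored, KEY_LEN);                  /* XOR again to undo the conversion */
    return memcmp(restored, key, KEY_LEN) == 0;
}

int main(void) { return (demo_roundtrip(0) == 1 && demo_roundtrip(1) == 0) ? 0 : 1; }
```

The splice step fails closed: if any packet file is missing or malformed, no partial key is loaded into memory.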
FIG. 4 is a schematic structural diagram of a key access system 40 provided by an embodiment of the present invention, which includes a business application module 41 and a filter driver module 42;
The business application module 41 is configured to: when service data is received, generate an application identifier and key data corresponding to the service data according to a preset key generation rule; perform format conversion on the key data according to a set algorithm; establish a communication connection with the filter driver module using a preset secure communication verification mechanism, and transmit the application identifier and the format-converted key data to the filter driver module; and, when a key acquisition instruction is obtained, send a key acquisition request carrying a target application identifier to the filter driver module;
The filter driver module 42 is configured to save the application identifier and the format-converted key data to kernel memory and to a set physical hard disk, and, when a key acquisition request carrying a target application identifier sent by the business application is received, to obtain the corresponding target key data from the kernel memory.
When the business application module 41 starts, it generates key data according to the key generation rule and connects to the filter driver module 42 through the preset secure communication verification mechanism. The business application module 41 sends its own application identifier and the key data to the filter driver module 42. The business application module 41 does not itself store the key data; when it needs the key, it requests the key data from the filter driver module 42. The filter driver module 42 is integrated into the operating system kernel and runs together with the operating system, invisible to upper-layer applications, which effectively ensures the security of the key data.
After the filter driver module 42 starts, it removes itself from the kernel module linked list, so no application other than the business application module 41 can discover the filter driver module 42 or communicate with it.
The application identifier and key data are stored in the kernel memory of the filter driver module 42, and the key data is stored in blocks in designated hidden files on the physical hard disk. The filter driver module 42 can intercept all access to the files that store the key data, improving the security of key data storage.
In this embodiment of the present invention, the business application module 41 may use anti-debugging techniques when obtaining and using the key data, to prevent an unauthorized user from using a debugger to obtain the key data that is dynamically allocated in user-mode memory before use.
FIG. 5 is a schematic structural diagram of a key access device 50 provided by an embodiment of the present invention, including:
The memory 51, configured to store a computer program;
The processor 52, configured to execute the computer program to implement the steps of the key access method described in any one of the above embodiments.
An embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the key access method described in any one of the above embodiments are implemented.
The key access method, apparatus, system, device and storage medium provided by the embodiments of the present invention have been described in detail above. The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and the parts that are the same or similar across embodiments can be cross-referenced. Because the apparatus disclosed in an embodiment corresponds to the method disclosed in that embodiment, its description is relatively brief; for the relevant details, refer to the description of the method. It should be noted that those of ordinary skill in the art can make several improvements and modifications to the present invention without departing from its principles, and these improvements and modifications also fall within the protection scope of the claims of the present invention.
Those skilled in the art will further appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of the two. To clearly illustrate the interchangeability of hardware and software, the composition and steps of each example have been described above in general terms of their function. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each specific application, but such implementations should not be considered to go beyond the scope of the present invention.
The steps of the method or algorithm described in connection with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module can reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.

Claims (19)

  1. A key access method, characterized in that it comprises:
    when service data is received, generating an application identifier and key data corresponding to the service data according to a preset key generation rule;
    performing format conversion on the key data according to a set algorithm;
    saving the application identifier and the format-converted key data to kernel memory and to a set physical hard disk;
    when a key acquisition request carrying a target application identifier sent by a business application is received, obtaining the corresponding target key data from the kernel memory.
  2. The method according to claim 1, wherein storing the application identifier and the format-converted key data to the set physical hard disk comprises:
    segmenting the format-converted key data to obtain at least one data packet;
    storing each of the data packets in a corresponding file, wherein all of the files reside on the physical hard disk and the file attribute of every file is set to hidden.
  3. The method according to claim 2, wherein after saving the application identifier and the format-converted key data to the kernel memory and the set physical hard disk, the method further comprises:
    when the operating system restarts, copying the data packets from the physical hard disk and storing the spliced data packets in the kernel memory.
  4. The method according to claim 3, wherein obtaining the corresponding target key data from the kernel memory when the key acquisition request carrying the target application identifier sent by the business application is received comprises:
    when the key acquisition request carrying the target application identifier sent by the business application is received, determining whether target key data matching the target application identifier exists in the kernel memory;
    if so, copying the target key data to the user-mode memory provided by the business application.
  5. The method according to claim 4, wherein after copying the target key data to the user-mode memory provided by the business application, the method further comprises:
    performing format conversion on the target key data according to the set algorithm;
    after the format-converted target key data has been used to complete the encryption or decryption of the target service data, releasing the user-mode memory.
  6. The method according to claim 1, wherein after the key acquisition request carrying the target application identifier sent by the business application is received and before the corresponding target key data is obtained from the kernel memory, the method further comprises:
    verifying the legitimacy of the key acquisition request according to a set verification rule;
    once verification passes, performing the step of obtaining the corresponding target key data from the kernel memory.
  7. The method according to claim 1, wherein performing format conversion on the key data according to the set algorithm comprises:
    XORing the key data with a preset parameter, and using the result as the format-converted key data.
  8. The method according to any one of claims 1-7, wherein the key generation rule is stored in code-obfuscated form.
  9. A key access apparatus, characterized in that it comprises a generating unit, a conversion unit, a saving unit and an acquiring unit;
    the generating unit is configured to generate, when service data is received, an application identifier and key data corresponding to the service data according to a preset key generation rule;
    the conversion unit is configured to perform format conversion on the key data according to a set algorithm;
    the saving unit is configured to save the application identifier and the format-converted key data to kernel memory and to a set physical hard disk;
    the acquiring unit is configured to obtain the corresponding target key data from the kernel memory when a key acquisition request carrying a target application identifier sent by a business application is received.
  10. The apparatus according to claim 9, wherein the saving unit comprises a segmentation subunit and a storage subunit;
    the segmentation subunit is configured to segment the format-converted key data to obtain at least one data packet;
    the storage subunit is configured to store each of the data packets in a corresponding file, wherein all of the files reside on the physical hard disk and the file attribute of every file is set to hidden.
  11. The apparatus according to claim 10, further comprising a copy unit;
    the copy unit is configured to copy the data packets from the physical hard disk when the operating device restarts, and to store the spliced data packets in the kernel memory.
  12. The apparatus according to claim 11, wherein the acquiring unit comprises a judging subunit and a copy subunit;
    the judging subunit is configured to determine, when the key acquisition request carrying the target application identifier sent by the business application is received, whether target key data matching the target application identifier exists in the kernel memory, and if so, to trigger the copy subunit;
    the copy subunit is configured to copy the target key data to the user-mode memory provided by the business application.
  13. The apparatus according to claim 12, further comprising a release unit;
    the conversion unit is further configured to perform format conversion on the target key data according to the set algorithm;
    the release unit is configured to release the user-mode memory after the format-converted target key data has been used to complete the encryption or decryption of the target service data.
  14. The apparatus according to claim 9, further comprising a verification unit;
    the verification unit is configured to verify the legitimacy of the key acquisition request according to a set verification rule, and, once verification passes, to trigger the acquiring unit to perform the step of obtaining the corresponding target key data from the kernel memory.
  15. The apparatus according to claim 9, wherein the conversion unit is specifically configured to XOR the key data with a preset parameter and to use the result as the format-converted key data.
  16. The apparatus according to any one of claims 9-15, wherein the key generation rule is stored in code-obfuscated form.
  17. A key access system, characterized in that it comprises a business application module and a filter driver module;
    the business application module is configured to: when service data is received, generate an application identifier and key data corresponding to the service data according to a preset key generation rule; perform format conversion on the key data according to a set algorithm; establish a communication connection with the filter driver module using a preset secure communication verification mechanism, and transmit the application identifier and the format-converted key data to the filter driver module; and, when a key acquisition instruction is obtained, send a key acquisition request carrying a target application identifier to the filter driver module;
    the filter driver module is configured to save the application identifier and the format-converted key data to kernel memory and to a set physical hard disk, and, when the key acquisition request carrying the target application identifier sent by the business application is received, to obtain the corresponding target key data from the kernel memory.
  18. A key access device, characterized in that it comprises:
    a memory, configured to store a computer program;
    a processor, configured to execute the computer program to implement the steps of the key access method according to any one of claims 1 to 8.
  19. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the key access method according to any one of claims 1 to 8 are implemented.
PCT/CN2020/098033 2020-02-21 2020-06-24 Key access method, apparatus, system and device, and storage medium WO2021164167A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010108469.2A CN111339578A (en) 2020-02-21 2020-02-21 A key access method, apparatus, system, device and storage medium
CN202010108469.2 2020-02-21

Publications (1)

Publication Number Publication Date
WO2021164167A1 (en) 2021-08-26

Family

ID=71184227

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/098033 WO2021164167A1 (en) 2020-02-21 2020-06-24 Key access method, apparatus, system and device, and storage medium

Country Status (2)

Country Link
CN (1) CN111339578A (en)
WO (1) WO2021164167A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114329568A (en) * 2021-12-31 2022-04-12 山石网科通信技术股份有限公司 File encryption method, device, system platform and file decryption method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101132275A (en) * 2006-08-23 2008-02-27 中国科学院计算技术研究所 A Security Protection System for Realizing the Right to Use Digital Content
CN106789052A (en) * 2017-03-28 2017-05-31 浙江神州量子网络科技有限公司 A kind of remote cipher key based on quantum communication network issues system and its application method
CN108959978A (en) * 2018-06-28 2018-12-07 北京海泰方圆科技股份有限公司 The generation of key and acquisition methods and device in equipment

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113849238A (en) * 2021-09-29 2021-12-28 浪潮电子信息产业股份有限公司 Data communication method, device, electronic equipment and readable storage medium
CN113849238B (en) * 2021-09-29 2024-02-09 浪潮电子信息产业股份有限公司 Data communication method, device, electronic equipment and readable storage medium
CN116701365A (en) * 2023-04-27 2023-09-05 联桥科技有限公司 A power data storage management method, system, terminal equipment and storage medium

Also Published As

Publication number Publication date
CN111339578A (en) 2020-06-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20919433

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20919433

Country of ref document: EP

Kind code of ref document: A1