Summary of the invention
The invention provides a CSP-based method and system for obtaining remote encryption instructions, which make secure remote access to a U shield possible and thereby address the problem described above.
The CSP-based method for obtaining remote encryption instructions provided by an embodiment of the invention comprises the steps of:
A: establishing a first CSP module on the local device and a CSP calling module on the remote device;
B: the first CSP module obtains, through the local CryptoAPI, an encryption instruction request sent by an application program, encodes the request into a request data packet, and sends the request data packet to the CSP calling module on the remote device;
C: the CSP calling module translates the request data packet into the CSP function call corresponding to the CryptoAPI of the remote device, accesses through the CryptoAPI of the remote device the second CSP module of the encrypted smart card device connected to the remote device, and reads the encryption instruction of the encrypted smart card device through the second CSP module;
D: the CSP calling module converts the encryption instruction into a result data packet and sends the result data packet back to the first CSP module; the first CSP module translates the result data packet back into the encryption instruction and delivers it to the application program through the local CryptoAPI.
Preferably, step A is followed by a step E of associated registration: the configuration information of the second CSP module is replaced with the configuration information of the local first CSP module and written into the operating system registry.
Preferably, the step of associated registration comprises:
E1: the first CSP module is called through the local CryptoAPI and sends a request for the configuration information of the second CSP module to the CSP calling module;
E2: the CSP calling module forwards the request for the configuration information of the second CSP module to the second CSP module through the CryptoAPI of the remote device, obtains the configuration information of the second CSP module, and sends it back to the first CSP module;
E3: the configuration information of the second CSP module obtained by the first CSP module is replaced with the configuration information of the local first CSP module and written into the operating system registry.
Preferably, data is transmitted bidirectionally between the first CSP module and the CSP calling module over a network socket.
Preferably, the encrypted smart card device is a U shield.
Based on the CSP-based method for obtaining remote encryption instructions in the above embodiment, an embodiment of the invention also provides a CSP-based system for obtaining remote encryption instructions, comprising:
a CSP simulation unit and a process simulation unit, for establishing a first CSP module on the local device and a CSP calling module on the remote device respectively;
an encryption instruction request unit, by which the first CSP module obtains, through the local CryptoAPI, an encryption instruction request sent by an application program, encodes the request into a request data packet, and sends the request data packet to the CSP calling module on the remote device;
an encryption instruction acquiring unit, by which the CSP calling module translates the request data packet into the CSP function call corresponding to the CryptoAPI of the remote device, accesses through the CryptoAPI of the remote device the second CSP module of the encrypted smart card device connected to the remote device, and reads the encryption instruction of the encrypted smart card device through the second CSP module;
an encryption instruction feedback unit, by which the CSP calling module converts the encryption instruction into a result data packet and sends it back to the first CSP module, and the first CSP module translates the result data packet back into the encryption instruction and delivers it to the application program through the local CryptoAPI.
Preferably, the system also comprises an associated registering unit, for replacing the configuration information of the second CSP module with the configuration information of the local first CSP module and writing it into the operating system registry.
Preferably, the associated registering unit comprises:
a remote CSP module configuration information request unit, by which the first CSP module is called through the local CryptoAPI and sends a request for the configuration information of the second CSP module to the CSP calling module;
a remote CSP module configuration information acquiring unit, by which the CSP calling module forwards the request for the configuration information of the second CSP module to the second CSP module through the CryptoAPI of the remote device, obtains the configuration information of the second CSP module, and sends it back to the first CSP module;
a configuration information replacement unit, for replacing the configuration information of the second CSP module obtained by the first CSP module with the configuration information of the local first CSP module and writing it into the operating system registry.
As can be seen from the above technical scheme, the embodiment of the invention creates on the local device a standard first CSP module, based on the CSP framework, which simulates the vendor's CSP module, and creates on the remote device a CSP calling module which simulates an application-layer program. Through the communication between the first CSP module and the CSP calling module, the local device gains access to the second CSP module of the encrypted smart card device connected to the remote device, so that an application program running locally can obtain encryption instructions from the encrypted smart card device connected to that remote device.
Embodiment
The technical scheme of the embodiments of the invention is described below clearly and completely with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art can obtain from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment 1:
An embodiment of the invention provides a CSP-based method for obtaining remote encryption instructions which, as shown in Figure 2, comprises the following steps.
Step 101: establish a first CSP module on the local device and a CSP calling module on the remote device.
In this step the first CSP module and the CSP calling module may be created simultaneously or separately; the purpose is to set up the CSP extension framework shown in Figure 3. The first CSP module is a standard CSP module and can therefore simulate the CSP module of an actual encrypted smart card device. An encrypted smart card device is a device with a built-in miniature smart card processor that provides cryptographic algorithms. In the embodiments of the invention the encrypted smart card device is a U shield, a tool for online banking electronic signature and digital authentication whose built-in miniature smart card processor uses a 1024-bit asymmetric-key algorithm to encrypt, decrypt and digitally sign online data, guaranteeing the confidentiality, authenticity, integrity and non-repudiation of online transactions.
The CSP calling module simulates an application-layer program on the remote device: like an application program, it accesses the CSP module through CryptoAPI. CryptoAPI is the application programming interface (API) provided as part of Microsoft Windows. It provides a set of functions that allow applications to encrypt or digitally sign data in a flexible manner while protecting the user's sensitive private key data; the actual cryptographic operations are performed by an independent module called a cryptographic service provider (CSP). In the embodiment of the invention the CSP calling module therefore runs at the application layer, just like an application program.
After the first CSP module and the CSP calling module are established in this step, the configuration information of the first CSP module is recorded in the system registry. A CSP module's configuration information comprises the program path, the program name and the specific vendor's encrypted smart card device type (for example the U shield model), which lets the system call the CSP module precisely. However, the CSP module configuration information the system recognises by default is that of the specific vendor's CSP module (that is, the second CSP module's configuration information), so the first CSP module and the second CSP module must be associated on the local device: the configuration information of the second CSP module is replaced with the configuration information of the local first CSP module and written into the operating system registry. This associated registration could be done by editing the system registry by hand, but because the system registry, unlike an ordinary configuration file, should not be modified casually by the user, the embodiment of the invention provides an automatic associated-registration procedure, shown in Figure 4.
Step 1011: the first CSP module is called through the local CryptoAPI and sends a request for the configuration information of the second CSP module to the CSP calling module. In the embodiment of the invention a socket-based network transmission function is implemented between the first CSP module and the CSP calling module, and data is transmitted bidirectionally between them over the network socket. In this step the first CSP module encodes the request for the second CSP module's configuration information into a request data packet, so that the data is transmitted safely and reliably, and sends the request to the CSP calling module in packet form.
Step 1012: the CSP calling module forwards the request for the configuration information of the second CSP module to the second CSP module through the CryptoAPI of the remote device, obtains the configuration information of the second CSP module, and sends it back to the first CSP module. On receiving the request data packet from step 1011, the CSP calling module translates it and generates the CSP function call, so that the request reaches the second CSP module through the CryptoAPI of the remote device and the configuration information of the second CSP module is obtained. Before sending it back, the CSP calling module may likewise encode the configuration information into a result data packet; the first CSP module then translates the result data packet and restores the configuration information of the second CSP module.
Step 1013: the configuration information of the second CSP module obtained by the first CSP module is replaced with the configuration information of the local first CSP module and written into the operating system registry. This completes the associated registration. As a result, when an application program in the system needs to call the CSP module, the configuration information of the second CSP module has already been replaced by that of the first CSP module, so the application program starts the first CSP module according to the replaced configuration information and accesses the second CSP module remotely. The remote access steps are described next.
Step 102: the first CSP module obtains, through the local CryptoAPI, an encryption instruction request sent by an application program, encodes the request into a request data packet, and sends the request data packet to the CSP calling module on the remote device.
When an application program running in the system needs cryptographic services, for example when an Industrial and Commercial Bank online banking program needs to access the U shield to obtain a key, the application program sends an encryption instruction request to the CSP module through CryptoAPI. Because the embodiment of the invention uses the first CSP module to simulate the existing local CSP module, the first CSP module obtains the encryption instruction request sent by the application program through the local CryptoAPI, encodes it into a request data packet as in step 1011 above, and sends the request data packet to the CSP calling module on the remote device, achieving a "pipeline transfer" effect.
Step 103: the CSP calling module translates the request data packet into the CSP function call corresponding to the CryptoAPI of the remote device, accesses through the CryptoAPI of the remote device the second CSP module of the encrypted smart card device connected to the remote device, and reads the encryption instruction of the encrypted smart card device through the second CSP module.
In the embodiment of the invention there are 25 CSP function calls corresponding to CryptoAPI in total; they were introduced in the background section of this document and are not repeated here.
It will be appreciated that, on receiving the request data packet from step 102, the CSP calling module translates it in the same way as in step 1012 above and generates the function call, so that it reaches the second CSP module through the CryptoAPI of the remote device and obtains the encryption instruction. At this point the complete remote CSP access path has been established.
Step 104: the CSP calling module converts the encryption instruction into a result data packet and sends the result data packet back to the first CSP module; the first CSP module translates the result data packet back into the encryption instruction and delivers it to the application program through the local CryptoAPI.
In this step the CSP calling module converts (that is, encodes) the encryption instruction from step 103 into a result data packet in the same way as in step 1012 above and sends the result data packet back to the first CSP module. The first CSP module translates the result data packet to restore the encryption instruction; at this point the first CSP module holds the encryption instruction just as the CSP module of a local U shield would, and provides it through the local CryptoAPI to the application program that sent the request.
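The packet exchange of steps 1011 to 1013 and 102 to 104, as an added simulation written for this page rather than code from the patent: a local first CSP module frames calls into request data packets, a remote CSP calling module translates each into a call on a stand-in for the vendor's second CSP and returns a result data packet, and the associated registration writes the remote module's configuration under the vendor's provider name with the image path pointing at the virtual CSP. Python's socketpair stands in for the network socket, and every class, key and value is an assumption except the entry-point names CPGetProvParam, CPSignHash and CPReleaseContext, which belong to the real CSP interface.

```python
import json, socket, struct, threading
# Constructed simulation (not the patent's code) of its forwarding path: the local first
# CSP module frames CSP calls as JSON request packets, the remote CSP calling module
# unpacks them, invokes the vendor's second CSP (a stand-in) and returns result packets.
def send_packet(sock, obj):
    body = json.dumps(obj).encode()
    sock.sendall(struct.pack(">I", len(body)) + body)       # 4-byte length prefix
def recv_packet(sock):
    def exact(n):                                            # read n bytes, or None at EOF
        buf = b""
        while len(buf) < n and (chunk := sock.recv(n - len(buf))):
            buf += chunk
        return buf if len(buf) == n else None
    hdr = exact(4)
    body = hdr and exact(struct.unpack(">I", hdr)[0])
    return json.loads(body) if body else None                # None: peer closed the socket

class SecondCsp:  # stand-in for the vendor CSP driving the U shield on the remote host
    config = {"Type": 1, "Device": "UKEY-MODEL-X", "Image Path": "vendor_csp.dll"}
    def CPGetProvParam(self, param):
        return self.config[param]
    def CPSignHash(self, key, hash_hex):
        return "sig(%s:%s)" % (key, hash_hex)                # token signature stand-in

def serve_forever(sock, csp, allowed=("CPGetProvParam", "CPSignHash")):   # subset of the 25
    """CSP calling module: translate each request packet into exactly one allowed CSP call."""
    while (req := recv_packet(sock)) is not None:
        if req.get("func") not in allowed:                   # never dispatch arbitrary names
            send_packet(sock, {"ok": False, "error": "unsupported function"})
            continue
        try:
            send_packet(sock, {"ok": True, "result": getattr(csp, req["func"])(*req["args"])})
        except Exception as exc:                             # bad arguments, unknown param, ...
            send_packet(sock, {"ok": False, "error": type(exc).__name__})

class FirstCsp:  # virtual local CSP: encodes CryptoAPI calls, forwards them, decodes results
    IMAGE_PATH = "virtual_csp.dll"
    def __init__(self, sock):
        self.sock = sock
    def call(self, func, *args):
        send_packet(self.sock, {"func": func, "args": list(args)})
        resp = recv_packet(self.sock)
        if not resp["ok"]:
            raise RuntimeError(resp["error"])
        return resp["result"]
    def associate_register(self, registry, provider_name):
        """E1-E3: fetch remote config, register it under the vendor's name with this module's image path."""
        remote = {p: self.call("CPGetProvParam", p) for p in ("Type", "Device")}
        registry[provider_name] = {**remote, "Image Path": self.IMAGE_PATH}
        return registry[provider_name]

def demo():  # associated registration, then an application signing call reaching the U shield
    local, remote = socket.socketpair()                      # stands in for the network socket
    threading.Thread(target=serve_forever, args=(remote, SecondCsp()), daemon=True).start()
    first, registry = FirstCsp(local), {}
    entry = first.associate_register(registry, "Vendor UKey CSP")
    sig = first.call("CPSignHash", "AT_SIGNATURE", "ab" * 16)
    err = None
    try:
        first.call("CPReleaseContext", 0)                    # not in `allowed`: rejected remotely
    except RuntimeError as exc:
        err = str(exc)
    local.close()
    return entry, sig, err
```

After `demo()` the simulated registry entry carries the remote token's Type and Device but the virtual CSP's image path, so an application loading the vendor's provider name gets the forwarding module.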
It will be understood that the embodiment of the invention does not affect the existing encryption flow: it merely replaces the original CSP module (the specific vendor's CSP module) with a virtual CSP module (the first CSP module), so that the CSP handle an application obtains refers to the CSP module on the remote device, and encryption and decryption are thereby performed with the U shield on the remote device. The specific encryption flow is therefore not described in detail in the embodiments of the invention.
As can be seen from the above technical scheme, the technical idea of the invention is to extend U shield technology on the basis of the CSP framework, so that a computer can access not only the smart card device of the local machine but also a smart card device inserted in a remote computer, and use smart-card-based security applications through that device. Smart card devices based on the CSP framework all support the general CSP interface and provide a CSP module (the vendor's CSP). The embodiment of the invention implements a virtual CSP module (hereinafter the virtual CSP) installed on the local computer, while the vendor's CSP is installed on the remote computer and the encrypted smart card device (hereinafter the U shield) is also inserted in the remote computer. The virtual CSP supports the general CSP interface (the 25 system APIs), receives the accesses from the computer's security applications in place of the vendor's CSP, forwards them to the vendor's CSP on the remote computer, receives the return messages from the vendor's CSP and forwards them back to the security applications. This redirects secure access to the vendor's CSP and therefore redirects secure access to the U shield, so that using the U shield on a remote computer feels the same to the user as using it on the local machine. The invention can be applied in scenarios such as desktop and application virtualisation, extending application virtualisation to the field of smart card devices.
Embodiment 2:
Based on the method of Embodiment 1 above, an embodiment of the invention provides a CSP-based system for obtaining remote encryption instructions, comprising:
a CSP simulation unit and a process simulation unit, for establishing a first CSP module on the local device and a CSP calling module on the remote device respectively;
an encryption instruction request unit, by which the first CSP module obtains, through the local CryptoAPI, an encryption instruction request sent by an application program, encodes the request into a request data packet, and sends the request data packet to the CSP calling module on the remote device;
an encryption instruction acquiring unit, by which the CSP calling module translates the request data packet into the CSP function call corresponding to the CryptoAPI of the remote device, accesses through the CryptoAPI of the remote device the second CSP module of the encrypted smart card device connected to the remote device, and reads the encryption instruction of the encrypted smart card device through the second CSP module;
an encryption instruction feedback unit, by which the CSP calling module converts the encryption instruction into a result data packet and sends it back to the first CSP module, and the first CSP module translates the result data packet back into the encryption instruction and delivers it to the application program through the local CryptoAPI.
To realise the associated registration of the first CSP module and the second CSP module, the system also comprises an associated registering unit, for replacing the configuration information of the second CSP module with the configuration information of the local first CSP module and writing it into the operating system registry.
Specifically, the associated registering unit comprises:
a remote CSP module configuration information request unit, by which the first CSP module is called through the local CryptoAPI and sends a request for the configuration information of the second CSP module to the CSP calling module;
a remote CSP module configuration information acquiring unit, by which the CSP calling module forwards the request for the configuration information of the second CSP module to the second CSP module through the CryptoAPI of the remote device, obtains the configuration information of the second CSP module, and sends it back to the first CSP module;
a configuration information replacement unit, for replacing the configuration information of the second CSP module obtained by the first CSP module with the configuration information of the local first CSP module and writing it into the operating system registry.
In use, the associated registering unit need only be run to complete the automatic associated registration of the first CSP module and the second CSP module.
It should be noted that, since the system embodiment is based on the same conception as the method embodiment of the invention, the details of the information exchange between the system and its units, and of their implementation, can be found in the description of the method embodiment and are not repeated here.
A person of ordinary skill in the art will appreciate that all or some of the steps of the methods of the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, which may include read-only memory (ROM), random access memory (RAM), a disk or a CD.
The CSP-based method and system for obtaining remote encryption instructions provided by the embodiments of the invention have been described in detail above. Specific examples have been used to explain the principle and embodiments of the invention, and the above description of the embodiments is intended only to help understand the method of the invention and its core idea. A person of ordinary skill in the art may, following the idea of the invention, make changes to the specific embodiments and their range of application; in sum, the content of this description should not be construed as limiting the invention.