CN114244503A - Performance test method for password equipment - Google Patents
Performance test method for password equipment Download PDFInfo
- Publication number
- CN114244503A CN114244503A CN202111450069.0A CN202111450069A CN114244503A CN 114244503 A CN114244503 A CN 114244503A CN 202111450069 A CN202111450069 A CN 202111450069A CN 114244503 A CN114244503 A CN 114244503A
- Authority
- CN
- China
- Prior art keywords
- server
- machine
- key
- cipher machine
- interface
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 42
- 238000011056 performance test Methods 0.000 title claims abstract description 18
- 238000012360 testing method Methods 0.000 claims abstract description 106
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 69
- 230000006855 networking Effects 0.000 claims abstract description 14
- 238000012795 verification Methods 0.000 claims description 30
- 230000008569 process Effects 0.000 claims description 27
- 238000007726 management method Methods 0.000 claims description 26
- 230000003321 amplification Effects 0.000 claims description 13
- 238000003199 nucleic acid amplification method Methods 0.000 claims description 13
- 239000003795 chemical substances by application Substances 0.000 claims description 8
- 238000005516 engineering process Methods 0.000 claims description 4
- 238000001583 randomness test Methods 0.000 claims description 4
- 238000005070 sampling Methods 0.000 claims description 3
- 238000013497 data interchange Methods 0.000 claims description 2
- 239000000835 fiber Substances 0.000 claims description 2
- 239000013307 optical fiber Substances 0.000 claims description 2
- 230000006870 function Effects 0.000 abstract description 32
- 238000001514 detection method Methods 0.000 description 8
- 230000007246 mechanism Effects 0.000 description 5
- 238000011156 evaluation Methods 0.000 description 4
- 238000010998 test method Methods 0.000 description 3
- 238000005259 measurement Methods 0.000 description 2
- 238000010200 validation analysis Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000013524 data verification Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000013100 final test Methods 0.000 description 1
- 238000011990 functional testing Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 210000002464 muscle smooth vascular Anatomy 0.000 description 1
- 230000008447 perception Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000035484 reaction time Effects 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 238000013468 resource allocation Methods 0.000 description 1
- 238000007619 statistical method Methods 0.000 description 1
- 238000001418 vibrating-sample magnetometry Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
- G06F11/2294—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing by remote test
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3409—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3409—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment
- G06F11/3433—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment for load management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/26—Testing cryptographic entity, e.g. testing integrity of encryption key or encryption algorithm
Abstract
The invention provides a performance test method of password equipment, which comprises the following steps: step S1, firstly, testing networking, and testing the function and performance of the server cipher machine after networking is completed; step S2, the function test of the server cipher machine is realized by verifying the random number generation and randomness, the key generation, the backup and restoration, the symmetric algorithm and the asymmetric algorithm, the signature algorithm and the HMAC-SM3 algorithm of the server cipher machine; step S3, obtaining round-trip data by testing each interface of the server cipher machine, and quantitatively evaluating the overall performance of the tested server cipher machine through statistics; step S4, testing the key access control management of the server cipher machine, thereby completing the test of the whole server cipher machine; the invention can test the functions and the equipment performance of the server cipher machine.
Description
Technical Field
The invention relates to the technical field of cloud password service, in particular to a password device performance testing method.
Background
The cipher machine server (including cloud cipher machine server, collectively called "cipher machine server") is one of the most important basic hardware devices of the cloud cipher service, and the cipher application management service platform is an important platform of the cloud cipher service, and the difference of the functions and the performance of the cipher application management service platform affects the capability and the quality of the cloud cipher service to a certain extent.
In the prior art, the performance of the cipher machine matched with software is mostly tested by adopting single software, the compatibility is poor, the detection result is single, and the detection efficiency is not high.
Disclosure of Invention
In view of the above, the present invention provides a method for testing the functions and device performance of a server cryptographic machine.
The invention is realized by adopting the following method: a performance test method for cryptographic equipment comprises the following steps:
step S1, firstly, testing networking, and testing the function and performance of the server cipher machine after networking is completed;
step S2, the function test of the server cipher machine is realized by verifying the random number generation and randomness, the key generation, the backup and restoration, the symmetric algorithm and the asymmetric algorithm, the signature algorithm and the HMAC-SM3 algorithm of the server cipher machine;
step S3, obtaining round-trip data by testing each interface of the server cipher machine, and quantitatively evaluating the overall performance of the tested server cipher machine through statistics;
and step S4, testing the key access control management of the server cipher machine, thereby completely testing the whole server cipher machine.
Further, the test networking in step S1 specifically includes the following two modes:
the method comprises the following steps that a switchboard-free networking connection mode is adopted, a proxy server is connected with a cloud server encryption machine through optical fibers, other equipment is connected through a network cable, a LoadRunner notebook is a gigabit network port, and during performance test, the proxy server and the cloud server encryption machine are remotely managed by using two notebooks respectively, so that the CPU utilization rate of the proxy server and the cloud server encryption machine is monitored;
the networking connected mode, the proxy server, the cloud server encryption machine through the switch use optic fibre to be connected with the switch, and all the other equipment use net twine and switch to be connected, and all equipment carry out data interchange through the switch, and wherein the switch is the ten thousand million switch, and LoadRunner notebook net gape is the giga net gape, and during the performance test, use notebook remote connection proxy server and cloud server encryption machine to monitor the CPU utilization ratio.
Further, the random number generation and randomness verification in step S2 specifically include the following steps: step S21, extracting random number samples through a random number generating interface of the server encryption machine, wherein the length of the samples selects 10^6 bits, and the number of the samples is 1000; step S22, in the process of sampling the random number, converting the sample data generated by the random number generator into an equivalent binary sequence, storing the collected sample as a binary file according to the length requirement, and putting the binary file into a unified folder; step S23, comparing GM/T0005 and 2012 randomness test standard, and performing randomness test on the random number.
Further, the generating, backing up and restoring of the key in step S2 specifically includes the following steps: step S24, generating a key in the server cipher machine by using the key generation function of the server cipher machine, and checking the generation condition of the key through the management interface of the server cipher machine; step S25, the generated key is backed up to the intelligent cipher key inside the cipher machine or the intelligent IC card outside the cipher machine of the server by using the key backup function of the cipher machine of the server; and step S26, restoring the key to the inside of the cryptographic machine through the restoration function of the server cryptographic machine and checking the generation condition of the key through the management interface of the server cryptographic machine.
Further, the verification of the symmetric and asymmetric algorithms in step S2 specifically includes: demonstrating the encryption and decryption processes of the server cipher machine, checking whether an encrypted and decrypted log exists in the running log of the server cipher machine, if so, passing the verification, otherwise, acquiring the key data, and verifying the correctness of the encryption and decryption processes by contrasting GB/T32907 and 2016 (information security technology SM4 block cipher algorithm).
Further, the signature algorithm verification in step S2 further specifically includes: demonstrating the signature verification function and the signature verification process of the server cipher machine, checking whether the running log of the server cipher machine has a signature and a verified log, if so, passing the verification, otherwise, randomly obtaining a corresponding public key, a random number and a signature result, and verifying the correctness of the signature data by comparing with a part 2 of a GMT 0003.2-2012SM2 elliptic curve public key cryptographic algorithm, namely a digital signature algorithm.
Further, the HMAC-SM3 algorithm verification in step S2 further specifically includes: and demonstrating the HMAC generation process of the HMAC-SM3 algorithm generation function of the server cipher machine, checking the running log of the server cipher machine to check whether the log of the HMAC generation process exists, if so, passing the verification, otherwise, acquiring the key data and the MAC value, and verifying the correctness of the MAC value by comparing with a GM/T0004 and 2012SM 3 password hash algorithm.
Further, the step S3 further specifically includes the following steps: step S31, checking the consistency of the product authentication certificate, the equipment identification, the equipment name and the equipment model in the equipment interface of the server cipher machine; step S32, checking the consistency of configuration table and actual configuration parameter of device in device specification, whether right control is right, and whether main key, user key, digital certificate, public and private key pair are configured correctly in management interface; step S33, checking the codes of the proxy server, checking whether the compiling of java codes in the proxy server is standard, whether an interface of an encryption machine is correctly called, whether the operation result of the encryption machine is correctly returned to the test machine, whether the pressure amplification parameters are adjustable and ensuring that the program returns the result to the test machine after the specified number of requests is executed; in principle, multiple requests for amplifying parameters should be executed in a single-thread mode, which is also the main mode of testing requirements, but a standby multi-thread scheme is proposed, so that when the performance of the encryption machine exceeds the measuring range of a testing machine, reference data is obtained through multi-thread testing; step S34, test script checking, which mainly checks whether the interface between the script of the tester and the proxy server is corresponding; step S35, running test, starting a test machine, calling an interface of a proxy server, and simultaneously calling a corresponding interface of an encryptor (SM2 public key encryption algorithm interface, SM2 private key decryption algorithm interface, SM2 private key signature algorithm interface, SM2 public key verification signature interface, SM3 abstract hash algorithm interface, SM4 symmetric encryption algorithm interface, SM4 symmetric decryption algorithm interface, random number generation interface, HMAC-SM3 interface) correspondingly by the proxy server, executing operation, and returning a result correctly; and step S36, recording results, automatically recording requests and returning results through Load Runner software, and converting the results by combining pressure amplification parameters in the agent.
Further, the step S4 is further specifically: for the private key stored in the server cipher machine, the private key access control code which is correct is held for use; the calling of cipher machine function and the remote management of cipher machine in server require only authorized IP address host computer to call equipment function normally or to manage equipment remotely, and can set access password for different cipher keys separately.
The invention has the beneficial effects that: the invention can realize the test of the functions and the equipment performance of the server cipher machine, can better solve the safety and the function condition of the cipher application management service platform so as to guide the use and the popularization of the cipher application of our province, accelerate the application process of our commercial cipher and protect the drive for the development of digital economy.
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings.
Referring to fig. 1, the present invention provides a performance testing method for a cryptographic device, including the following steps:
step S1, firstly, testing networking, and testing the function and performance of the server cipher machine after networking is completed;
step S2, the function test of the server cipher machine is realized by verifying the random number generation and randomness, the key generation, the backup and restoration, the symmetric algorithm and the asymmetric algorithm, the signature algorithm and the HMAC-SM3 algorithm of the server cipher machine;
step S3, obtaining round-trip data by testing each interface of the server cipher machine, and quantitatively evaluating the overall performance of the tested server cipher machine through statistics; performing 5-round test on the tested interface, calculating the standard deviation of the obtained result, and if the standard deviation is larger than the arithmetic mean value, the test is invalid, and the parameters need to be adjusted again for retesting; if the standard deviation is smaller than the arithmetic mean, the test is effective, on the basis, the highest score and the lowest score are deleted, and finally the arithmetic mean is calculated by using the three result data to serve as the final test result of the interface.
And step S4, testing the key access control management of the server cipher machine, thereby completely testing the whole server cipher machine.
The invention is further illustrated by the following specific examples:
the functional test of the server cipher machine comprises the following steps:
1. random number generation and randomness verification
The specific process comprises the following steps:
1) and extracting random number samples through a random number generation interface of the encryption machine, wherein the length of the samples is 10^6 bits, and the number of the samples is 1000.
2) During sampling, sample data generated by the random number generator should be converted into an equivalent binary sequence. And storing the collected samples as binary files one by one according to the length requirement, and putting the binary files into a unified folder.
3) And detected using a random number detection tool. The detection procedure followed GM/T0005 + 2012 "random number detection Specification".
2. Key generation, backup, recovery
The specific process comprises the following steps:
1) and generating a key in the server cipher machine by using a key generation function of the server cipher machine, and checking the key generation condition through a management interface of the server cipher machine.
2) The generated key is backed up to the inside of the cipher machine, an external smart cipher key or an external smart IC card by using a key backup function of the server cipher machine.
3) And restoring the key to the inside of the cipher machine through the restoration function of the server cipher machine and checking the key generation condition through a management interface of the server cipher machine.
3. Symmetric algorithm validation
The specific process comprises the following steps:
1) and (3) performing an encryption and decryption process of the encryption and decryption functions of the server cipher machine on site.
2) And checking the running log of the server cipher machine to check whether an encryption/decryption log exists.
3) And if necessary, obtaining the key data, and verifying the consistency of the algorithm result by a national cryptographic algorithm verification tool.
4. Asymmetric algorithm validation
The specific process comprises the following steps:
1) and (3) performing an encryption and decryption process of the encryption and decryption functions of the server cipher machine on site.
2) And checking the running log of the server cipher machine to check whether an encryption/decryption log exists.
3) And if necessary, obtaining the key data, and verifying the consistency of the algorithm result by a national cryptographic algorithm verification tool.
5. Signature algorithm verification
The specific process comprises the following steps:
1) and (3) demonstrating the signature and verification process of the signature verification function of the server cipher machine on site.
2) And checking the running log of the server cipher machine to check whether the signature exists and to check the verification log.
3) And randomly obtaining a corresponding public key, a random number and a signature result, and verifying through an algorithm verification tool.
6. HMAC-SM3 algorithm verification
The specific process comprises the following steps:
1) HMAC generation process of the field presentation server cryptographic engine to generate HMAC-SM3 functionality.
2) Checking running logs of server cipher machine to check whether logs of HMAC generation processes exist
And obtaining the key data and the MAC value, and verifying the consistency of the algorithm result through an algorithm verification tool.
The method also comprises two conditions, wherein one condition is the direct connection test of the cipher machine service; another situation is that the crypto engine server is tested under the management of the crypto application management service platform.
Testing the encryption and decryption performance of a symmetric cryptographic algorithm:
and sending a fixed-length data message to the virtual cipher machine for encryption/decryption operation, repeating the operation for N times, and measuring the completion time T. The data for testing is selected by the detection mechanism, the test should be performed multiple times, and the results are averaged.
If the virtual cryptographic machine supports a plurality of symmetric algorithms, all the supported symmetric cryptographic algorithms and various working modes and using modes (such as encryption, decryption, MAC and the like) thereof must be tested.
The unit of encryption and decryption performance of the symmetric cryptographic algorithm is unified to Mbps (megabits per second).
② test of encryption and decryption performance of asymmetric cryptographic algorithm
And sending a fixed-length data message to the virtual cipher machine for encryption/decryption operation, repeating the operation for N times, and measuring the completion time T. The data for the test is selected by the detection mechanism. The test should be performed several times and the results averaged.
If the virtual cryptographic machine supports multiple asymmetric algorithms, all the supported asymmetric cryptographic algorithms and various application modes thereof must be tested.
The encryption and decryption performance units of the asymmetric cryptographic algorithm are unified to tps (times/second).
Performance test of data hash algorithm
And sending a fixed-length data message to the virtual cipher machine for abstract operation, repeating the operation for N times, and measuring the completion time T. The data for the test is selected by the detection mechanism. The test should be performed several times and the results averaged.
The unit of performance of the data hashing algorithm is unified to Mbps (megabits per second).
Performance test of random number generator
And (3) enabling the virtual cipher machine to generate and output a random sequence N group with the length of L and according with the random characteristic, and measuring the completion time T of the random sequence N group. The test should be performed several times and the results averaged.
The random number generator performance units are unified to Mbps (megabits per second).
Fifthly, asymmetric key generation performance test
Let the virtual crypto-machine generate and output a specified number of key pairs, whose completion time T is measured. The test should be performed several times and the results averaged.
The asymmetric key generation performance units are unified as tps (pairs/second).
The equipment performance test on the server cipher machine comprises the following steps:
1. and testing each interface to obtain round-trip data, and quantitatively evaluating the overall performance of the tested equipment by using a statistical method.
2. The specific process comprises the following steps: device validation-device configuration check-proxy code check-test script check-run test-result logging-result evaluation.
1) And equipment confirmation, which is mainly used for checking the consistency of the product authentication certificate, the equipment identification and the equipment name and model in an equipment interface.
2) And checking the equipment configuration, namely checking the consistency of the configuration table in the equipment specification and the actual configuration parameters of the equipment, checking whether the authority control is correct, and checking whether the relevant operation parameters are correctly configured in the management interface.
3) And checking the codes of the proxy server, namely checking whether the compiling of java codes in the proxy server is standard, whether an interface of the encryption machine is correctly called, whether an operation result of the encryption machine is correctly returned to the test machine, and whether the pressure amplification parameter is adjustable, and ensuring that the program returns a result to the test machine after the specified number of requests is executed. In principle, multiple requests for the amplification parameter should be executed in a single thread mode, which is also the main mode of testing requirements, but an alternative multi-thread scheme is proposed, so that when the performance of the encryption machine exceeds the range of a testing machine, the reference data is obtained through multi-thread testing.
4) And testing script checking, namely mainly checking whether an interface between a script of the tester and the proxy server corresponds to each other.
5) Running test, starting the tester, calling the interface of the proxy server, and simultaneously calling the corresponding interface of the encryption machine correspondingly by the proxy server, executing operation and correctly returning the result.
6) And (4) result recording, namely automatically recording the request and the return result through Load Runner software, and converting the result by combining pressure amplification parameters in the agent. The conversion method comprises the following steps:
the formula I is as follows: when the agent amplifies the value <100, the result adjustment value is the tester observation value and the agent amplifies the value;
the formula II is as follows: when agent amplification > is 100, the result adjustment value is tester observation value agent amplification value (0.95+ (1/2/√ agent amplification value));
wherein (0.95+ (1/2/√ proxy amplification value)), considering the time error of the return value processing, the value range for adjusting the error is between 0.95 and 1, and the larger the proxy amplification value is, the closer to 0.95 is, and the smaller the proxy amplification value is, the closer to 1 is.
7) And (3) result evaluation, namely, three evaluation modes, wherein different evaluation modes are applicable to different test indexes:
the first is reaction time, the return time is request times/request time (second), and the times are preset to be 100000 times;
second, workload, i.e., the number of successful returns within a fixed time (predetermined 100 seconds);
third, the throughput, i.e., the total amount of operational data returned in a fixed time (predetermined 100 seconds);
3. the consistency of the results is guaranteed: two groups of different testers execute the same test task, and the two test results are consistent.
4. Spot check for data verification: in the test operation process, the interactive data in the operation process is randomly spot-checked to perform function check, so that the normal function is ensured, and the operation result is correct. Reference may be made specifically to the previous section "functional testing".
The target is to test the speed index of each cryptographic operation of the cipher machine server. (test tool: management and control call and callback storage service, tool function: implementation of cloud cipher machine resource allocation and management, test method: implementation of the above interfaces according to specifications and certification through URL service provided by each manufacturer)
The test quantity in the following speed performance tests is determined by the length of the data message and the test times. The number of tests can be selected according to the specific time-consuming situation of each test item and the geometric sequence, for example: the test times N can be selected from 1 time, 10 times, 100 times, 1000 times … and the like, and performance sequences of different test times are obtained after respective tests. The selection of the data message length is defined in each speed performance test item.
The velocity performance of each test item for the generated random number, the hash algorithm test and the symmetric algorithm test is calculated as follows: s8 LN/(1024T 1024)
Where S is the speed in Mbps (megabits per second); l is the length of the data message and the unit is byte; n is the test frequency; t is the time taken for the measurement in seconds.
The velocity performance for each test item of the asymmetric cryptographic algorithm is calculated as follows:
S=N/T
wherein S is velocity in tps (times per second); n is the test frequency; t is the time taken for the measurement in seconds.
The performance tests comprise two conditions: single load and full load. The single load means that when only one cipher machine server is started and the virtual cipher machine allocates all computing resources to the virtual cipher machine, all performance test data of the virtual cipher machine are obtained; the full load refers to the sum, average data, maximum and minimum data of all performance test data of all virtual cryptographic machines when the maximum number of virtual cryptographic machines supported by the cryptographic machine server are created and started and all the virtual cryptographic machines are tested in parallel.
Interface description: please refer to the attachment "encryptor restful service interface description document".
The testing of key access control management includes: for the private key stored in the cipher machine, the correct private key access control code should be held for use; the calling of the function of the cipher machine and the remote management of the cipher machine are realized by that only a host with an authorized IP address can normally call the function of the equipment or remotely manage the equipment;
the access passwords can be respectively set for different keys, and when different keys are used for operation, the access passwords are required to be used firstly to obtain the authority. (test tool: key access control test tool; test tool function: access acquisition private key authority interface; test method: 1, set access password for key with assigned index; 2, call acquisition private key authority interface with corresponding index value and correct key respectively, return right; 3, call acquisition private key authority interface with corresponding index value and incorrect key respectively, return error; 4, call acquisition private key authority interface with index without access password set, return error)
An IP white list allowing access to the cipher machine can be configured, and the host in the IP white list can normally call the function of the equipment or remotely manage the equipment, otherwise, the host cannot. (test tool: key access control test tool; test tool function: access cipher machine interface client; test method: 1, set IP white list for cipher machine (example: 192.168.19.0); use C to write test code: 2, call cipher machine interface on 192.168.19.0 to create connection, should pass right; 3, change IP to 192.168.19.1, call cipher machine interface to create connection, should return error)
The cloud server crypto machine group-host hardware security module (CHSM)/group cryptographical server adopts virtualization technology and network form to provide cryptographical equipment of cryptographical service for application systems of a plurality of tenants in a cloud computing environment.
Virtual Security Module (VSM)/virtual cryptographic server of virtual crypto engine
And on the cloud server cipher machine, a cipher service example which is created by adopting a virtualization technology and provides services similar to the entity cipher machine is provided.
CHSM data image
Abbreviated as CHSM image. Including user-related configuration, keys, sensitive information, etc. in all VSMs within the CHSM, and using encryption and signature mechanisms to protect the security of the image. Drift procedure for CHSM.
The VSM data image is referred to as VSM image for short. Including user-related configuration, keys, sensitive information, etc. within the VSM, and using encryption and signature mechanisms to protect the security of the image. Drift procedure for VSM.
When one VSM fails, the cloud platform management system automatically guides the data image of the VSM to another idle normal VSM and quickly switches the user network. The availability of the VSM is restored without the user's perception.
The cloud platform public key authentication public key is used for identifying the identity of the cloud platform management system and verifying the validity of the management message.
The public key fingerprint public key finger print performs a hash operation (SM3 algorithm) on the public key as a result of the public key fingerprint.
The above description is only a preferred embodiment of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention should be covered by the present invention.
Claims (9)
1. A performance test method for cryptographic equipment is characterized by comprising the following steps:
step S1, firstly, testing networking, and testing the function and performance of the server cipher machine after networking is completed;
step S2, the function test of the server cipher machine is realized by verifying the random number generation and randomness, the key generation, the backup and restoration, the symmetric algorithm and the asymmetric algorithm, the signature algorithm and the HMAC-SM3 algorithm of the server cipher machine;
step S3, obtaining round-trip data by testing each interface of the server cipher machine, and quantitatively evaluating the overall performance of the tested server cipher machine through statistics;
and step S4, testing the key access control management of the server cipher machine, thereby completely testing the whole server cipher machine.
2. The cryptographic device performance testing method of claim 1, wherein: the test networking in step S1 specifically includes the following two modes:
the method comprises the following steps that a switchboard-free networking connection mode is adopted, a proxy server is connected with a cloud server encryption machine through optical fibers, other equipment is connected through a network cable, a LoadRunner notebook is a gigabit network port, and during performance test, the proxy server and the cloud server encryption machine are remotely managed by using two notebooks respectively, so that the CPU utilization rate of the proxy server and the cloud server encryption machine is monitored;
the networking connected mode, the proxy server, the cloud server encryption machine through the switch use optic fibre to be connected with the switch, and all the other equipment use net twine and switch to be connected, and all equipment carry out data interchange through the switch, and wherein the switch is the ten thousand million switch, and LoadRunner notebook net gape is the giga net gape, and during the performance test, use notebook remote connection proxy server and cloud server encryption machine to monitor the CPU utilization ratio.
3. The cryptographic device performance testing method of claim 1, wherein: the random number generation and randomness verification in step S2 specifically include the following steps: step S21, extracting random number samples through a random number generating interface of the server encryption machine, wherein the length of the samples selects 10^6 bits, and the number of the samples is 1000; step S22, in the process of sampling the random number, converting the sample data generated by the random number generator into an equivalent binary sequence, storing the collected sample as a binary file according to the length requirement, and putting the binary file into a unified folder; step S23, comparing GM/T0005 and 2012 randomness test standard, and performing randomness test on the random number.
4. The cryptographic device performance testing method of claim 1, wherein: the generation, backup and restoration of the key in step S2 specifically include the following steps: step S24, generating a key in the server cipher machine by using the key generation function of the server cipher machine, and checking the generation condition of the key through the management interface of the server cipher machine; step S25, the generated key is backed up to the intelligent cipher key inside the cipher machine or the intelligent IC card outside the cipher machine of the server by using the key backup function of the cipher machine of the server; and step S26, restoring the key to the inside of the cryptographic machine through the restoration function of the server cryptographic machine and checking the generation condition of the key through the management interface of the server cryptographic machine.
5. The cryptographic device performance testing method of claim 1, wherein: the verification of the symmetric and asymmetric algorithms in step S2 specifically includes: demonstrating the encryption and decryption processes of the server cipher machine, checking whether an encrypted and decrypted log exists in the running log of the server cipher machine, if so, passing the verification, otherwise, acquiring the key data, and verifying the correctness of the encryption and decryption processes by contrasting GB/T32907 and 2016 (information security technology SM4 block cipher algorithm).
6. The cryptographic device performance testing method of claim 1, wherein: the signature algorithm verification in step S2 further specifically includes: demonstrating the signature verification function and the signature verification process of the server cipher machine, checking whether the running log of the server cipher machine has a signature and a verified log, if so, passing the verification, otherwise, randomly obtaining a corresponding public key, a random number and a signature result, and verifying the correctness of the signature data by comparing with a part 2 of a GMT 0003.2-2012SM2 elliptic curve public key cryptographic algorithm, namely a digital signature algorithm.
7. The cryptographic device performance testing method of claim 1, wherein: the HMAC-SM3 algorithm verification in step S2 further specifically includes: and demonstrating the HMAC generation process of the HMAC-SM3 algorithm generation function of the server cipher machine, checking the running log of the server cipher machine to check whether the log of the HMAC generation process exists, if so, passing the verification, otherwise, acquiring the key data and the MAC value, and verifying the correctness of the MAC value by comparing with a GM/T0004 and 2012SM 3 password hash algorithm.
8. The cryptographic device performance testing method of claim 1, wherein: the step S3 further includes the following steps: step S31, checking the consistency of the product authentication certificate, the equipment identification, the equipment name and the equipment model in the equipment interface of the server cipher machine; step S32, checking the consistency of configuration table and actual configuration parameter of device in device specification, whether right control is right, and whether main key, user key, digital certificate, public and private key pair are configured correctly in management interface; step S33, checking the codes of the proxy server, checking whether the compiling of java codes in the proxy server is standard, whether an interface of an encryption machine is correctly called, whether the operation result of the encryption machine is correctly returned to the test machine, whether the pressure amplification parameters are adjustable and ensuring that the program returns the result to the test machine after the specified number of requests is executed; in principle, multiple requests for amplifying parameters should be executed in a single-thread mode, which is also the main mode of testing requirements, but a standby multi-thread scheme is proposed, so that when the performance of the encryption machine exceeds the measuring range of a testing machine, reference data is obtained through multi-thread testing; step S34, test script checking, which mainly checks whether the interface between the script of the tester and the proxy server is corresponding; step S35, running test, starting a test machine, calling an interface of a proxy server, and simultaneously calling a corresponding interface of an encryptor (SM2 public key encryption algorithm interface, SM2 private key decryption algorithm interface, SM2 private key signature algorithm interface, SM2 public key verification signature interface, SM3 abstract hash algorithm interface, SM4 symmetric encryption algorithm interface, SM4 symmetric decryption algorithm interface, random number generation interface, HMAC-SM3 interface) correspondingly by the proxy server, executing operation, and returning a result correctly; and step S36, recording results, automatically recording requests and returning results through Load Runner software, and converting the results by combining pressure amplification parameters in the agent.
9. The cryptographic device performance testing method of claim 1, wherein: the step S4 further includes: for the private key stored in the server cipher machine, the private key access control code which is correct is held for use; the calling of cipher machine function and the remote management of cipher machine in server require only authorized IP address host computer to call equipment function normally or to manage equipment remotely, and can set access password for different cipher keys separately.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111450069.0A CN114244503B (en) | 2021-12-01 | Password equipment performance test method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111450069.0A CN114244503B (en) | 2021-12-01 | Password equipment performance test method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114244503A true CN114244503A (en) | 2022-03-25 |
| CN114244503B CN114244503B (en) | 2024-05-10 |
Family
ID=
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115544491A (en) * | 2022-10-10 | 2022-12-30 | 北京神州安付科技股份有限公司 | Cipher machine with self-checking function |
| CN116594965B (en) * | 2023-05-16 | 2024-05-07 | 矩阵时光数字科技有限公司 | System and method for detecting random number supporting multithreading |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103516511A (en) * | 2013-09-11 | 2014-01-15 | 国家电网公司 | Method and device for detecting encryption algorithm and secret key |
| CN110768973A (en) * | 2019-10-17 | 2020-02-07 | 公安部第一研究所 | Signaling safety evaluation system and method based on GB35114 standard |
| CN110929252A (en) * | 2019-11-22 | 2020-03-27 | 福建金密网络安全测评技术有限公司 | Algorithm and random number detection system |
| CN111382050A (en) * | 2018-12-29 | 2020-07-07 | 航天信息股份有限公司 | Method and device for testing network service interface |
| CN113285850A (en) * | 2021-04-23 | 2021-08-20 | 国网上海能源互联网研究院有限公司 | Method and system suitable for testing password performance of power distribution safety equipment |
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103516511A (en) * | 2013-09-11 | 2014-01-15 | 国家电网公司 | Method and device for detecting encryption algorithm and secret key |
| CN111382050A (en) * | 2018-12-29 | 2020-07-07 | 航天信息股份有限公司 | Method and device for testing network service interface |
| CN110768973A (en) * | 2019-10-17 | 2020-02-07 | 公安部第一研究所 | Signaling safety evaluation system and method based on GB35114 standard |
| CN110929252A (en) * | 2019-11-22 | 2020-03-27 | 福建金密网络安全测评技术有限公司 | Algorithm and random number detection system |
| CN113285850A (en) * | 2021-04-23 | 2021-08-20 | 国网上海能源互联网研究院有限公司 | Method and system suitable for testing password performance of power distribution safety equipment |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115544491A (en) * | 2022-10-10 | 2022-12-30 | 北京神州安付科技股份有限公司 | Cipher machine with self-checking function |
| CN115544491B (en) * | 2022-10-10 | 2023-12-26 | 北京神州安付科技股份有限公司 | Cipher machine with self-checking function |
| CN116594965B (en) * | 2023-05-16 | 2024-05-07 | 矩阵时光数字科技有限公司 | System and method for detecting random number supporting multithreading |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20210084075A1 (en) | System and Method for Security Health Monitoring And Attestation Of Virtual Machines In Cloud Computing Systems | |
| CN106330850B (en) | Security verification method based on biological characteristics, client and server | |
| CN101523401B (en) | Secure use of user secrets on a computing platform | |
| CN108347361B (en) | Application program testing method and device, computer equipment and storage medium | |
| CN111708991A (en) | Service authorization method, service authorization device, computer equipment and storage medium | |
| CN110770729B (en) | Method and apparatus for proving integrity of virtual machine | |
| US10073980B1 (en) | System for assuring security of sensitive data on a host | |
| Afrose et al. | Evaluation of static vulnerability detection tools with Java cryptographic API benchmarks | |
| CN115630355B (en) | Security evaluation method, security evaluation device and storage medium for cryptographic module | |
| US20170004026A1 (en) | Monitoring method | |
| CN113986470A (en) | User-unaware batch remote attestation method for virtual machines | |
| CN116260595B (en) | Cloud password detection method and system | |
| CN114244503B (en) | Password equipment performance test method | |
| CN114244503A (en) | Performance test method for password equipment | |
| CN111475813A (en) | Trusted virtualization platform management system and method | |
| Saxena et al. | Collaborative approach for data integrity verification in cloud computing | |
| Grammatopoulos et al. | Blind software-assisted conformance and security assessment of FIDO2/WebAuthn implementations. | |
| CN112926101B (en) | Disk partition encryption method, system, device and computer readable medium | |
| CN110601846B (en) | System and method for verifying virtual trusted root | |
| CN114567469A (en) | Application password type detection method and platform based on B/S mode | |
| CN113992353A (en) | Login certificate processing method and device, electronic equipment and storage medium | |
| CN109040062A (en) | A kind of the safe condition management method and system of network transmission | |
| CN117499163B (en) | WebRTC-based server remote maintenance method, system and equipment | |
| CN115442256B (en) | Method for monitoring stability test of user online and offline and related equipment | |
| CN112685293A (en) | Testing method of encryption interface and related equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information | ||
| CB02 | Change of applicant information |
Address after: 350003 3rd floor, building 5, zone F, software park, No. 89, software Avenue, Gulou District, Fuzhou City, Fujian Province Applicant after: Fujian Jinmi Network Security Evaluation Technology Co.,Ltd. Address before: 350015, No. 83 Jun Zhu Road, Mawei District, Fujian, Fuzhou Applicant before: Fujian Jinmi Network Security Evaluation Technology Co.,Ltd. |
|
| GR01 | Patent grant |