A method for constructing electronic invoice security middleware based on cloud computing technology
Technical field
The present invention relates to the field of tax control, and specifically to a method for constructing electronic invoice security middleware based on cloud computing technology.
Background technology
At present, electronic invoices, with advantages such as low cost, ease of use and ease of storage, have become the inevitable trend of national invoice reform. However, their security support systems are built on conventional architectures, and during system construction problems such as unbalanced distribution of computing resources, duplicated investment and a high degree of system coupling keep surfacing; such systems cannot even meet the service distribution model of users who are largely dispersed and only in a small part concentrated. For example:
A. Because the electronic invoice system is a transactional business system, it has business peaks, business troughs and steady periods. During a business peak, service requests to the security support system increase sharply, system pressure rises and the system cannot bear the load; during a business trough, service requests to the security support system drop sharply and a large amount of the system's computing resources sit idle, wasting resources.
B. For the electronic invoice user distribution model of mostly dispersed, partly concentrated users, a conventional security support system lacks the necessary flexibility and cannot provide effective support: the taxpayers of most businesses, who are dispersed, need single-threaded online or offline security services, while the small number of taxpayers whose business is concentrated need multi-threaded security services. The fixed-pattern construction mode of a conventional security system cannot meet such flexible and changing business demands.
C. Under a conventional security system the degree of coupling between systems is very high, which makes implementation and maintenance extremely complex and makes hot maintenance impossible.
These problems have made the spread of electronic invoices sluggish, have seriously affected system promotion and customer satisfaction, and have become the bottleneck restricting the rapid development of electronic invoices.
The present invention proposes a new method that uses cloud computing technology to encapsulate security middleware. With it, the security middleware system is built on a cloud computing framework and uses the dynamic resource adjustment capability of the SaaS layer to ensure that security computing services are allocated computing resources reasonably; distributed computing technology is used to reconstruct the PKI-based security services and to perform computing scheduling and load balancing; cloud devices provide single-threaded (or multi-threaded) online (or offline) security services for taxpayers with different business distribution models; and the security middleware service interfaces (signing, signature verification, encryption, decryption, security authentication, secure time, etc.) are published externally through the SOA service method, reducing the degree of system coupling. This solves the problems encountered by conventional security systems in electronic invoice applications.
The content of the invention
The present invention relates to a method, used in the taxation industry, for building electronic invoice security middleware services with cloud computing technology. Specifically, cloud computing technology is used to construct a security middleware cloud security service that publishes and manages cloud key devices and cloud security server devices, while the resource scheduling service of the cloud computing technology balances the computing resources of the service modules that have business peaks and troughs; certificates and algorithms are loaded into the cloud key devices over a private communication protocol, and the devices publish an API externally to provide offline, portable, single-threaded security services for electronic invoice users; certificates are synchronised to the cloud security server devices through the standard directory service (LDAP) and the certificate revocation service (OCSP), and multi-threaded, LAN-based security services are provided for electronic invoice users; the cloud security service, the cloud key devices and the cloud security servers together form the cloud security middleware method.
The purpose of the present invention is achieved as follows. Cloud computing technology is used to construct, on a cloud computing application platform, the security middleware cloud security service, which includes a cloud certificate database service, a cloud directory service (LDAP), a cloud certificate revocation service (OCSP), a cloud security device management service, a cloud signing and signature verification service, a cloud encryption and decryption service and a cloud identity authentication service. Through the resource scheduling service of the cloud computing technology, the computing resources of the services that have business peaks and troughs, namely the signing and verification service, the encryption and decryption service and the identity authentication service, are balanced. Through the cloud security device management service, cloud key devices and cloud security server devices are published and managed. A cloud key device uses a private communication protocol to have its certificate and algorithms loaded from the cloud security service; it contains a security audit log function that records every computing operation; and it publishes an API externally to provide offline, portable security services for electronic invoice users.
A cloud key device can only process a single task in a single thread and is suited to taxpayer users whose business is dispersed. A cloud security server device synchronises certificates with the cloud security service through the standard directory service LDAP and the certificate revocation service OCSP, provides LAN-based security services for electronic invoice users, and can batch-process users' security service requests in multiple threads, which suits users whose business is concentrated. The cloud security service, the cloud key devices and the cloud security servers together form the cloud security middleware and complete the security middleware service based on cloud computing technology.
A cloud computing application platform is built, including a cloud resource allocation server, a cloud application server, a cloud storage server, a cloud threshold cryptography server and a cloud audit and supervision server; the cloud computing application platform provides IaaS, PaaS and SaaS layer cloud services and supports the operation of general distributed computing or computing language systems.
On the basis of the cloud computing application platform the cloud security service is built, which includes the cloud certificate database service, the cloud directory service LDAP, the cloud certificate revocation service OCSP, the cloud security device management service, the cloud signing and verification service, the cloud encryption and decryption service and the cloud identity authentication service; the cloud security service runs in the SaaS layer of the cloud platform.
The cloud security service is developed in a distributed computing language and can be split by the SaaS layer resource scheduling module of the cloud platform into code segments or subprograms, which are formed into boot images for distributed computing or for service load balancing.
The cloud security service supports the PKI-based security system; supports the PKCS#11 public key cryptography standard; supports management of security certificates in X.509 format; supports loading of the SM1, SM2, SM3, SM4, RSA and 3DES algorithms; and publishes signing and verification, encryption and decryption and identity authentication interface service APIs externally in SOA form.
The cloud key device consists of a certificate loading area, an algorithm loading area, a security audit area and a COS. The certificate loading area has X.509 format certificates loaded into it by the COS over the private communication protocol; once loaded, a certificate can only be used inside the key device and cannot be read out of the device. The algorithm loading area supports the same algorithms as the cloud security service, namely SM1, SM2, SM3, SM4, RSA and 3DES, and is applied to the signing and verification, encryption and decryption and identity authentication services. The security audit area records the security audit log.
The cloud key device can only process a single security task in a single thread and cannot respond to multiple security service requests at the same time.
The cloud security server device consists of a cloud certificate database service, a cloud directory service LDAP, a cloud certificate status query service OCSP, a cloud security audit service, and cloud algorithm services for signing and verification, encryption and decryption and identity authentication. Certificates and their status are synchronised with the cloud security service through the cloud directory service LDAP and the cloud certificate revocation service OCSP. Certificates are managed centrally by the cloud certificate database service, are used only inside the device and cannot be read out of the device. The cloud algorithm services support the same algorithms as the cloud security service, namely SM1, SM2, SM3, SM4, RSA and 3DES, and are applied to the signing and verification, encryption and decryption and identity authentication services. Every operation of the security server is authorised and recorded by the cloud security audit service.
The cloud security server device batch-processes users' security service requests in multiple threads, handling many security service transactions at the same time.
Before using a security service, a taxpayer must register in the "cloud security device management service" module of the cloud security service, select the security device and the security service type to be used, and be managed centrally by the cloud security service.
The beneficial effects of the invention are as follows: the problems that conventional security systems have in electronic invoice applications, such as unbalanced distribution of computing resources, duplicated investment, a high degree of system coupling and the inability to meet the service distribution model effectively, are solved.
Brief description of the drawings
Fig. 1 is the architecture diagram of the electronic invoice security middleware based on cloud computing technology;
Fig. 2 is the schematic structural diagram of the cloud key device used in the present invention;
Fig. 3 is the schematic structural diagram of the cloud security server device used in the present invention.
Embodiment
The method of the present invention is described in detail below with reference to the accompanying drawings.
In the method for constructing electronic invoice security middleware based on cloud computing technology, cloud computing technology is used to construct the security middleware cloud security service, which includes the cloud certificate database service, the cloud directory service LDAP, the cloud certificate revocation service OCSP, the cloud security device management service, the cloud signing and verification service, the cloud encryption and decryption service, the cloud identity authentication service, etc. Through the resource scheduling service of the cloud computing technology, the computing resources of the services that have business peaks and troughs, namely the signing and verification service, the encryption and decryption service and the identity authentication service, are balanced. Through the cloud security device management service, cloud key devices and cloud security server devices are published and managed. The cloud key device uses a private communication protocol to have certificates and algorithms loaded from the cloud security service; it uses a security audit log function internally to record every computing operation; it publishes an API externally to provide offline, portable security services for electronic invoice users; the device can only process a single task in a single thread and suits taxpayer users whose business is dispersed. The cloud security server device synchronises certificates with the cloud security service using the standard directory service LDAP and the certificate revocation service OCSP, provides LAN-based security services for electronic invoice users, and can batch-process users' security service requests in multiple threads, which suits users whose business is concentrated. The cloud security service, the cloud key devices and the cloud security servers together form the cloud security middleware and jointly achieve the purpose of building the security middleware service based on cloud computing technology. The implementation steps are as follows:
1) Build the cloud computing application platform, including a cloud resource allocation server, a cloud application server, a cloud storage server, a cloud threshold cryptography server, a cloud audit and supervision server, etc.; the platform provides IaaS, PaaS and SaaS layer cloud services and supports the operation of general distributed computing or computing language systems;
2) On the basis of the cloud computing application platform, build the cloud security service, which includes the cloud certificate database service, the cloud directory service (LDAP), the cloud certificate revocation service (OCSP), the cloud security device management service, the cloud signing (verification) service, the cloud encryption (decryption) service and the cloud identity authentication service; the cloud security service runs in the SaaS layer of the cloud platform;
3) The cloud security service is developed in a distributed computing language and can be split by the SaaS layer resource scheduling module of the cloud platform into code segments or subprograms, which are formed into boot images for distributed computing or for service load balancing;
4) The cloud security service supports the PKI-based security system; supports the PKCS#11 public key cryptography standard; supports management of security certificates in X.509 format; supports loading of the SM1, SM2, SM3, SM4, RSA and 3DES algorithms; and publishes signing (verification), encryption (decryption) and identity authentication interface service APIs externally in SOA form;
5) The cloud key device consists of a certificate loading area, an algorithm loading area, a security audit area and a COS; the certificate loading area has X.509 format certificates loaded into it by the COS over the private communication protocol, and once loaded a certificate can only be used inside the key device and cannot be read out of the device; the algorithm loading area supports the same algorithms as the cloud security service, namely SM1, SM2, SM3, SM4, RSA and 3DES, and is applied to the signing and verification, encryption and decryption and identity authentication services; the security audit area is used to record the security audit log;
6) The cloud key device can only process a single security task in a single thread and cannot respond to multiple security service requests at the same time;
7) The cloud security server device consists of a cloud certificate database service, a cloud directory service LDAP, a cloud certificate status query service OCSP, a cloud security audit service, and cloud algorithm services for signing and verification, encryption and decryption and identity authentication; certificates and their status are synchronised through the cloud directory service LDAP, the cloud certificate revocation service OCSP and the security service; certificates are managed centrally by the cloud certificate database service, are used only inside the device and cannot be read out of the device; the cloud algorithm services support the same algorithms as the cloud security service, namely SM1, SM2, SM3, SM4, RSA and 3DES, and are applied to the signing and verification, encryption and decryption and identity authentication services; every operation of the security server is authorised and recorded by the cloud security audit service;
8) The cloud security server device can batch-process users' security service requests in multiple threads, handling many security service transactions at the same time;
9) Before using a security service, a taxpayer must register in the "cloud security device management service" module of the cloud security service, select the security device and the security service type to be used, and be managed centrally by the cloud security service;
10) When carrying out electronic invoice business, the taxpayer, according to the security service type of the selected middleware, directly invokes the unified SOA API to complete the corresponding services, including identity authentication, signing and verification, encryption and decryption, secure time, etc.
Technical features not described in this specification are known technology to those skilled in the art.
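The register-then-invoke flow of steps 9 and 10, together with the single-task cloud key device (steps 5 and 6) and the multi-threaded cloud security server that verifies only against synced certificate status (steps 7 and 8), as an added Python model that is not part of the patent or of any product it describes. The class names, the busy and reject behaviour, and the use of HMAC-SHA256 as a stand-in for the SM2/RSA signatures are assumptions made for this illustration.

```python
import hashlib
import hmac
import threading
from concurrent.futures import ThreadPoolExecutor

def mac_sign(key, data):  # HMAC-SHA256 stands in for SM2/RSA signing (assumption)
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class CloudKeyDevice:
    """Cloud key device: key loaded once and never readable from outside,
    one task at a time, every operation written to the audit area."""
    def __init__(self, cert_id, key):
        self._cert_id, self._key = cert_id, key   # no getter: stays in device
        self._lock, self.audit = threading.Lock(), []

    def sign(self, data):
        if not self._lock.acquire(blocking=False):  # single-thread, single-task
            self.audit.append(("busy", self._cert_id))
            raise RuntimeError("key device busy: single task only")
        try:
            self.audit.append(("sign", self._cert_id, len(data)))
            return mac_sign(self._key, data)
        finally:
            self._lock.release()

class CloudSecurityServer:
    """Cloud security server: certificate database and status synced from the
    LDAP/OCSP services, multi-threaded batch verification, revoked rejected."""
    def __init__(self, synced_certs, synced_status):
        self._certs, self._status = dict(synced_certs), dict(synced_status)
        self.audit = []

    def verify(self, cert_id, data, sig):
        if self._status.get(cert_id) != "good":  # revoked or unknown certificate
            self.audit.append(("reject", cert_id))
            return False
        ok = hmac.compare_digest(mac_sign(self._certs[cert_id], data), sig)
        self.audit.append(("verify", cert_id, ok))
        return ok

    def verify_batch(self, requests):
        with ThreadPoolExecutor(max_workers=4) as pool:  # batch on threads
            return list(pool.map(lambda r: self.verify(*r), requests))

class CloudSecurityService:
    """Unified SOA API: register a device in the device management module, then
    call one interface whichever device type the taxpayer selected."""
    def __init__(self, synced_certs, synced_status):
        self._server = CloudSecurityServer(synced_certs, synced_status)
        self._registry = {}                       # device management module
    def register(self, taxpayer, device):
        self._registry[taxpayer] = device
    def sign(self, taxpayer, data):
        return self._registry[taxpayer].sign(data)
    def verify_batch(self, requests):
        return self._server.verify_batch(requests)
```

In a deployment the signing would happen inside a PKCS#11 token or HSM, as the PKCS#11 support in step 4 implies; the properties modelled here are that the key has no read path, the device refuses a second concurrent task, and the server rejects any certificate whose synced status is not good.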