Detailed Description of the Embodiments
Embodiments of the invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a structural diagram of an embodiment of the extensible information security service system of the present invention. As shown in the figure, the network information security service system of the present invention comprises a network interface, a processing module, a management module and a plurality of information security devices. The management module manages the plurality of information security devices and can learn the operating state or the work progress of each information security device. The information security service system interacts with a service request terminal over the Internet (for example over HTTP/HTTPS). Since the service request carries the data to be encrypted or decrypted and the response carries the result, the terminal-facing channel should in practice be HTTPS rather than plain HTTP; otherwise the plaintext is exposed on the wire regardless of what the devices do with it.
The network interface receives the information security service request from the service request terminal over the network and passes the request to the processing module. The network interface can be implemented with, for example, Nginx.
The processing module parses the information security service request received by the network interface, extracts the data to be processed and the corresponding service request type, generates a processing instruction according to the service request type, repackages the data to be processed together with the processing instruction into a binary data packet or a data frame, and sends it to the management module. The service request type can be an encryption request or a decryption request, and the processing instruction is correspondingly an encryption instruction or a decryption instruction. The processing instruction can be, for example, an identifier placed in a predetermined field of the transmitted data frame.
After receiving the data packet or data frame sent by the processing module, the management module selects one of the devices as the target device according to the operating state of each information security device and forwards the received data to that target device. The selected device can be a device that is currently idle among the plurality of information security devices; if no device is currently idle, a device that is likely to become idle can be selected, for example by judging from the current work progress of each device which one will become idle within a predetermined time and taking it as the target device.
After the information security device serving as the target device receives the data forwarded by the management module, it performs the corresponding information security processing on the data to be processed according to the processing instruction contained therein and returns the processed data to the management module, which in turn sends the processed data to the processing module. The key and the algorithm used for the information security processing can be stored in the information security device in advance, and an administrator can configure the key, algorithm and/or parameters of each information security device through the management module.
After the processing module receives the processed data, it reassembles the processed data into data in a predetermined communication format and sends it to the service request terminal through the network interface, completing the service.
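The following Go program is an added illustration of the request path just described and is not part of the patent text or of any product it describes. It assumes one concrete frame layout (a one-byte instruction identifier in the first field, a four-byte length, then the payload), assumes AES-GCM as the algorithm pre-provisioned on the devices, and assumes, as the text's central key management suggests, that every device holds the same key so that any idle device can decrypt what another encrypted. The device-side parser rejects frames whose length field disagrees with the payload and frames carrying an instruction identifier it does not know, which is the check a practitioner would want in front of any such device.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Processing-instruction identifiers carried in the frame's predetermined field (assumed values).
const (
	InstrEncrypt byte = 0x01
	InstrDecrypt byte = 0x02
)

// PackFrame builds the binary data frame the processing module hands to the management
// module: 1-byte instruction | 4-byte big-endian payload length | payload (assumed layout).
func PackFrame(instr byte, payload []byte) []byte {
	frame := make([]byte, 5+len(payload))
	frame[0] = instr
	binary.BigEndian.PutUint32(frame[1:5], uint32(len(payload)))
	copy(frame[5:], payload)
	return frame
}

// UnpackFrame is the device-side parser. It rejects truncated frames, frames whose length
// field disagrees with the payload, and instruction identifiers the device does not know.
func UnpackFrame(frame []byte) (instr byte, payload []byte, err error) {
	if len(frame) < 5 || uint64(binary.BigEndian.Uint32(frame[1:5])) != uint64(len(frame)-5) {
		return 0, nil, errors.New("truncated frame or length field does not match payload")
	}
	if frame[0] != InstrEncrypt && frame[0] != InstrDecrypt {
		return 0, nil, fmt.Errorf("unknown processing instruction 0x%02x", frame[0])
	}
	return frame[0], frame[5:], nil
}

// SecurityDevice models one information security device with a pre-provisioned AES key.
type SecurityDevice struct {
	Busy bool
	aead cipher.AEAD
}

func NewSecurityDevice(key []byte) (*SecurityDevice, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &SecurityDevice{aead: aead}, err
}

// Process executes the frame's instruction with the device's own key. Encryption returns
// nonce || ciphertext || tag (AES-GCM); decryption expects that same layout back.
func (d *SecurityDevice) Process(frame []byte) ([]byte, error) {
	instr, payload, err := UnpackFrame(frame)
	if err != nil {
		return nil, err
	}
	ns := d.aead.NonceSize()
	if instr == InstrEncrypt {
		nonce := make([]byte, ns)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return d.aead.Seal(nonce, nonce, payload, nil), nil
	}
	if len(payload) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return d.aead.Open(nil, payload[:ns], payload[ns:], nil) // fails on any tampering
}

// Dispatch is the management module's role here: forward the frame to an idle device,
// or fail when none is idle.
func Dispatch(devices []*SecurityDevice, frame []byte) ([]byte, error) {
	for _, d := range devices {
		if !d.Busy {
			d.Busy = true
			defer func() { d.Busy = false }()
			return d.Process(frame)
		}
	}
	return nil, errors.New("no idle information security device")
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key, shared by all devices
	d0, _ := NewSecurityDevice(key)
	d1, _ := NewSecurityDevice(key)
	devices := []*SecurityDevice{d0, d1}
	ct, err := Dispatch(devices, PackFrame(InstrEncrypt, []byte("constructed sample plaintext")))
	if err != nil {
		panic(err)
	}
	pt, err := Dispatch(devices, PackFrame(InstrDecrypt, ct))
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)
}
```

Because the nonce is generated inside the device and prefixed to the output, the service request terminal never handles nonces or keys, which is the property the text claims for it; the cost is that the reassembled response format has to carry the device's output verbatim.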
With the information security service system of this embodiment, the service request terminal does not need to concern itself with the specific implementation of encryption and decryption, nor does it need to manage information security devices such as encryption dongles (encryption locks) itself; it only needs to complete the required information security processing directly through a network service. The keys used by the encryption and decryption service can be updated and managed centrally in the cloud, which is highly practical and convenient. In addition, the number of device nodes and the service capacity are substantially in a linear relationship, so when the required encryption and decryption service volume grows, the service capacity can be raised by adding device nodes, giving good scalability. The functions provided by the information security devices are also easily extended; for example, secure storage of small volumes of data can be considered.
In one embodiment of the invention, when the administrator configures each information security device through the management module, the configuration is performed by sending a management request to the information security device. The management request can contain the administrator's authentication information; each information security device first verifies the administrator's identity when it receives the management request and accepts the configuration data in the management request only after the authentication information passes verification, so as to strengthen the security of the key data and the like held in the information security device.
Another embodiment concerning administrator authentication is described below with reference to Fig. 2.
Fig. 2 is a structural diagram of another embodiment of the extensible information security service system of the present invention.
As shown in Fig. 2, the information security service system of the present invention further comprises an authentication device, which can be arranged on the side of the information security device group and connected to the management module. The authentication device can serve as a dedicated device for authenticating the administrator. The management module distinguishes the authentication device from the information security devices during initialization. A management request containing the administrator's authentication information sent by the management module is first sent to the authentication device; after the verification passes, the management request is forwarded to each information security device, for example so that each information security device accepts the configuration carried by the management request, and subsequent operations such as key configuration can be carried out.
With this embodiment, authentication is performed centrally by the authentication device, so that an authentication function does not need to be configured in each information security device, saving system resources. Note that in this arrangement an information security device acts on a forwarded management request without verifying the administrator itself, so the path from the authentication device through the management module to the devices must be one into which an unauthenticated party cannot inject requests; the central verification only protects the keys if that path is trusted.
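The Go program below is an added example of the centralized verification in Fig. 2; it is not code from the patent and fixes details the text leaves open. It assumes that the administrator's authentication information is an HMAC-SHA256 over the administrator ID and the settings, keyed with a secret shared between the administrator and the authentication device; the request type, the settings format and the identifiers are all assumptions made here. The information security devices contain no verification logic at all, which is the resource saving the text claims, and the management module forwards settings only when the authentication device has accepted the request.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// ManagementRequest is what the management module sends on the administrator's behalf.
// The authentication information is assumed here to be an HMAC-SHA256 over the administrator
// ID and the settings, keyed with a secret the administrator shares with the authentication device.
type ManagementRequest struct {
	AdminID  string
	Settings map[string]string // e.g. "algorithm": "aes-256-gcm", "key": "<hex>"
	AuthTag  string            // hex-encoded HMAC
}

// canonical serialises the signed fields deterministically, so signer and verifier hash the
// same bytes regardless of map iteration order; %q keeps key/value boundaries unambiguous.
func canonical(adminID string, settings map[string]string) []byte {
	keys := make([]string, 0, len(settings))
	for k := range settings {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b bytes.Buffer
	fmt.Fprintf(&b, "%q\n", adminID)
	for _, k := range keys {
		fmt.Fprintf(&b, "%q=%q\n", k, settings[k])
	}
	return b.Bytes()
}

func computeTag(secret []byte, adminID string, settings map[string]string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(canonical(adminID, settings))
	return mac.Sum(nil)
}

// NewManagementRequest is the administrator's side: attach the authentication information.
func NewManagementRequest(secret []byte, adminID string, settings map[string]string) ManagementRequest {
	tag := hex.EncodeToString(computeTag(secret, adminID, settings))
	return ManagementRequest{AdminID: adminID, Settings: settings, AuthTag: tag}
}

// AuthenticationDevice is the dedicated device that verifies every administrator centrally.
type AuthenticationDevice struct {
	Secrets map[string][]byte // administrator ID -> shared secret
}

func (a *AuthenticationDevice) Verify(req ManagementRequest) error {
	secret, ok := a.Secrets[req.AdminID]
	if !ok {
		return errors.New("unknown administrator")
	}
	got, err := hex.DecodeString(req.AuthTag)
	if err != nil {
		return errors.New("malformed authentication information")
	}
	// hmac.Equal compares in constant time, so a forger learns nothing from timing.
	if !hmac.Equal(computeTag(secret, req.AdminID, req.Settings), got) {
		return errors.New("administrator authentication failed")
	}
	return nil
}

// SecurityDevice carries no authentication logic of its own: it applies whatever settings the
// management module forwards, which is why that forwarding path itself has to be trusted.
type SecurityDevice struct {
	ID       int
	Settings map[string]string
}

// ApplyManagementRequest is the management module's path: verify first, forward only on success.
func ApplyManagementRequest(auth *AuthenticationDevice, devices []*SecurityDevice, req ManagementRequest) error {
	if err := auth.Verify(req); err != nil {
		return err
	}
	for _, d := range devices {
		d.Settings = req.Settings
	}
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret") // shared between administrator and authentication device
	auth := &AuthenticationDevice{Secrets: map[string][]byte{"alice": secret}}
	devices := []*SecurityDevice{{ID: 0}, {ID: 1}}
	settings := map[string]string{"algorithm": "aes-256-gcm", "key": "00112233445566778899aabbccddeeff"}
	fmt.Println("valid request:", ApplyManagementRequest(auth, devices, NewManagementRequest(secret, "alice", settings)))
	forged := NewManagementRequest([]byte("guess"), "alice", settings)
	fmt.Println("forged request:", ApplyManagementRequest(auth, devices, forged))
}
```

The tag binds the settings to the administrator, so a request whose key material was altered in transit fails verification and never reaches a device. As written, nothing in the signed bytes changes between two identical requests, so a captured valid request could be re-sent; including a counter or timestamp in what is signed, and having the authentication device remember the last one seen, closes that gap.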
The design of the information security service system of the present invention can also be optimized with respect to device state, for example in the manner shown in Fig. 3.
Fig. 3 is a structural diagram of another embodiment of the extensible information security service system of the present invention.
As shown in the figure, the information security service system of this embodiment is provided with a fault logging module connected to the management module. When an unrepairable fault occurs in some of the plurality of information security devices, that is, when one or more devices in the information security device group suffer a serious error and should no longer take part in the work, the faulty device is recorded by the fault logging module.
The fault logging module can accept manually entered record information, or automatically detect the device state and record it; alternatively, the management module can judge the working condition of each device and record the number of the faulty device in the fault logging module.
Thereafter, when the management module initializes each information security device, it can use the record information of the fault logging module to filter the faulty devices out of the set of target devices to be initialized, so as to avoid operational errors and reduced efficiency.
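As an added example that is not part of the patent text, the Go program below puts together the two pieces of device-state logic described for Fig. 1 and Fig. 3: filtering fault-logged devices out of initialization, and selecting a target device that is idle or, failing that, expected to be idle within a predetermined time according to its work progress. The state representation (a remaining-work duration per device), the fault log structure and all names are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// DeviceState is what the management module knows about one information security device:
// whether it is busy and, if so, how long its current job is expected to take to finish.
type DeviceState struct {
	ID        int
	Busy      bool
	Remaining time.Duration // expected time until idle; zero when idle
}

// FaultLog holds the device numbers that have had unrepairable faults, however they were
// entered (manually, by automatic detection, or by the management module's own judgement).
type FaultLog struct {
	faulty map[int]string // device number -> recorded reason
}

func NewFaultLog() *FaultLog { return &FaultLog{faulty: map[int]string{}} }

func (f *FaultLog) Record(id int, reason string) { f.faulty[id] = reason }

func (f *FaultLog) IsFaulty(id int) bool {
	_, ok := f.faulty[id]
	return ok
}

// InitializeDevices is the management module's initialization step: devices present in the
// fault log are removed from the set to be initialized and their numbers are reported.
func InitializeDevices(all []DeviceState, flog *FaultLog) (active []DeviceState, skipped []int) {
	for _, d := range all {
		if flog.IsFaulty(d.ID) {
			skipped = append(skipped, d.ID)
			continue
		}
		active = append(active, d)
	}
	return active, skipped
}

// SelectTarget implements the selection rule: prefer an idle device; otherwise take the busy
// device expected to become idle soonest, but only if that is within the predetermined
// maxWait. No qualifying device is an error the caller must surface rather than queue blindly.
func SelectTarget(devices []DeviceState, maxWait time.Duration) (DeviceState, error) {
	var best *DeviceState
	for i := range devices {
		d := &devices[i]
		if !d.Busy {
			return *d, nil
		}
		if d.Remaining <= maxWait && (best == nil || d.Remaining < best.Remaining) {
			best = d
		}
	}
	if best == nil {
		return DeviceState{}, errors.New("no device idle or expected to be idle within the predetermined time")
	}
	return *best, nil
}

func main() {
	// Constructed device states: one idle, three busy with different remaining work.
	all := []DeviceState{
		{ID: 0, Busy: true, Remaining: 3 * time.Second},
		{ID: 1, Busy: true, Remaining: 500 * time.Millisecond},
		{ID: 2},
		{ID: 3, Busy: true, Remaining: 10 * time.Second},
	}
	flog := NewFaultLog()
	flog.Record(2, "self-test failed, removed from service") // the idle device is the faulty one
	active, skipped := InitializeDevices(all, flog)
	fmt.Println("initialized:", len(active), "skipped:", skipped)
	d, err := SelectTarget(active, time.Second)
	fmt.Printf("target: %+v err=%v\n", d, err)
}
```

The point of filtering at initialization rather than at selection time is visible in the sample: the only idle device is the faulty one, and because it never entered the active set the selection falls through to the device that will be free soonest instead of handing work to a device that should not have it.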
In one embodiment of the invention, the service request terminal can pack multiple pieces of data to be processed, together with their corresponding service request types, into the information security service request to be sent. After receiving and parsing this information security service request, the processing module obtains the multiple pieces of data to be processed and their corresponding service request types. For each piece of data to be processed, the processing module generates a processing instruction according to its service request type, packs the data together with that processing instruction into a binary data packet or processes it into a data frame, and sends each data packet or data frame to the management module separately. The management module selects one or more idle or soon-to-be-idle devices according to the operating state of each information security device, sends each data packet or data frame to them, and passes the processed data returned in turn by the selected information security devices to the processing module. The processing module reassembles the multiple pieces of processed data returned in response to the same service request into data in the predetermined format and sends them to the service request terminal through the network interface, completing the response.
With this embodiment, when the service request terminal has multiple pieces of data requiring information security processing, it can pack them into one service request and send them together, avoiding the inconvenience of sending several requests.
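The following Go program is an added illustration of the batched request of this embodiment and is not code from the patent. It assumes a JSON request format with a list of items (encoding/json carries []byte as base64), stands in for the information security devices with a plain function so it runs offline, and shows the part the prose only implies: items are fanned out over however many devices are idle, finish in whatever order the devices finish, and are still reassembled in request order, with an item of unsupported type failing on its own rather than failing the whole batch.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// BatchItem is one piece of data in the service request together with its request type.
// JSON with base64-encoded data is the predetermined format assumed for this example.
type BatchItem struct {
	Type string `json:"type"` // "encrypt" or "decrypt"
	Data []byte `json:"data"`
}

type BatchRequest struct {
	Items []BatchItem `json:"items"`
}

// BatchResult is one entry of the response; Index ties it back to the request item.
type BatchResult struct {
	Index int    `json:"index"`
	Data  []byte `json:"data,omitempty"`
	Error string `json:"error,omitempty"`
}

// DeviceFunc stands in for one information security device: given the processing
// instruction and payload, it returns the processed data.
type DeviceFunc func(instr string, payload []byte) ([]byte, error)

// instructionFor maps the service request type to the processing instruction and rejects
// types the service does not offer before anything reaches a device.
func instructionFor(requestType string) (string, error) {
	switch requestType {
	case "encrypt", "decrypt":
		return requestType, nil
	}
	return "", fmt.Errorf("unsupported service request type %q", requestType)
}

// ProcessBatch parses one service request holding several items, fans them out over the
// devices (each device handles one item at a time) and reassembles the results in request
// order even though devices finish out of order. A bad item fails alone, not the batch.
func ProcessBatch(raw []byte, devices []DeviceFunc) ([]byte, error) {
	var req BatchRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return nil, err
	}
	if len(devices) == 0 {
		return nil, errors.New("no information security device available")
	}
	idle := make(chan DeviceFunc, len(devices)) // pool of idle devices
	for _, d := range devices {
		idle <- d
	}
	results := make([]BatchResult, len(req.Items))
	var wg sync.WaitGroup
	for i, item := range req.Items {
		instr, err := instructionFor(item.Type)
		if err != nil {
			results[i] = BatchResult{Index: i, Error: err.Error()}
			continue
		}
		wg.Add(1)
		go func(i int, instr string, payload []byte) {
			defer wg.Done()
			dev := <-idle // block until a device is idle
			out, err := dev(instr, payload)
			idle <- dev // device is idle again
			if err != nil {
				results[i] = BatchResult{Index: i, Error: err.Error()}
				return
			}
			results[i] = BatchResult{Index: i, Data: out} // each goroutine writes only its own slot
		}(i, instr, item.Data)
	}
	wg.Wait()
	return json.Marshal(results)
}

// demoDevice is a constructed stand-in for a real device so the example runs offline:
// it upper-cases on "encrypt" and lower-cases on "decrypt".
func demoDevice(instr string, payload []byte) ([]byte, error) {
	out := make([]byte, len(payload))
	for i, c := range payload {
		switch {
		case instr == "encrypt" && c >= 'a' && c <= 'z':
			c -= 'a' - 'A'
		case instr == "decrypt" && c >= 'A' && c <= 'Z':
			c += 'a' - 'A'
		}
		out[i] = c
	}
	return out, nil
}

func main() {
	// Constructed request with three items ("hello", "WORLD", "x" in base64); the third has a type the service does not offer.
	raw := []byte(`{"items":[{"type":"encrypt","data":"aGVsbG8="},{"type":"decrypt","data":"V09STEQ="},{"type":"sign","data":"eA=="}]}`)
	out, err := ProcessBatch(raw, []DeviceFunc{demoDevice, demoDevice})
	fmt.Println(string(out), err)
}
```

Validating the request type in the processing module, before dispatch, keeps malformed items from occupying a device and keeps the per-item error in the response rather than in a device log the terminal never sees.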
In an embodiment of the invention, the information security service system can serve multiple service request terminals, that is, the network interface can receive information security service requests from multiple service request terminals over the network. All service request terminals share the same network interface, which facilitates cloud deployment.
Fig. 4 is a flow chart of an embodiment of the extensible information security service method of the present invention.
First, the information security service request from the service request terminal is received over the network by the network interface and passed to the processing module. The network interface can be implemented with, for example, Nginx.
Next, the processing module parses the information security service request received by the network interface, extracts the data to be processed and the corresponding service request type, generates a processing instruction according to the service request type, repackages the data to be processed together with the processing instruction into a binary data packet or a data frame, and sends it to the management module. The service request type can be an encryption request or a decryption request, and the processing instruction is correspondingly an encryption instruction or a decryption instruction. The processing instruction can be, for example, an identifier placed in a predetermined field of the transmitted data frame.
After receiving the data packet or data frame sent by the processing module, the management module selects one of the devices as the target device according to the operating state of each information security device and forwards the received data to that target device. The selected device can be a device that is currently idle among the plurality of information security devices; if no device is currently idle, a device that is likely to become idle can be selected, for example by judging from the current work progress of each device which one will become idle within a predetermined time and taking it as the target device.
After the information security device serving as the target device receives the data forwarded by the management module, it performs the corresponding information security processing on the data to be processed according to the processing instruction contained therein and returns the processed data to the management module, which in turn sends the processed data to the processing module. The key and the algorithm used for the information security processing can be stored in the information security device in advance, and an administrator can configure the key, algorithm and/or parameters of each information security device through the management module.
After the processing module receives the processed data, it reassembles the processed data into data in a predetermined communication format and sends it to the service request terminal through the network interface, completing the service.
With the information security service method of this embodiment, the service request terminal does not need to concern itself with the specific implementation of encryption and decryption, nor does it need to manage information security devices such as encryption dongles (encryption locks) itself; it only needs to complete the required information security processing directly through a network service. The keys used by the encryption and decryption service can be updated and managed centrally in the cloud, which is highly practical and convenient. In addition, the number of device nodes and the service capacity are substantially in a linear relationship, so when the required encryption and decryption service volume grows, the service capacity can be raised by adding device nodes, giving good scalability. The functions provided by the information security devices are also easily extended; for example, secure storage of small volumes of data can be considered.
In one embodiment of the invention, when the administrator configures each information security device through the management module, the configuration is performed by sending a management request. The management request can contain the administrator's authentication information, and the information security device accepts the configuration only after the authentication information passes verification.
The management request can be sent directly to each information security device, with each information security device verifying the authentication information itself. Alternatively, the management request can be sent to a dedicated authentication device; after the authentication device performs the authentication centrally, the configuration data is forwarded to each information security device for subsequent operations such as key configuration. Performing authentication centrally through the authentication device makes it possible to omit the authentication function from each information security device and thereby save system resources.
In another embodiment of the invention, the design can also be optimized with respect to device state, for example by providing a fault logging module connected to the management module. When an unrepairable fault occurs in some of the plurality of information security devices, that is, when one or more devices in the information security device group suffer a serious error and should no longer take part in the work, the faulty device is recorded by the fault logging module. The fault logging module can accept manually entered record information, or automatically detect the device state and record it; alternatively, the management module can judge the working condition of each device and record the number of the faulty device in the fault logging module.
Thereafter, when the management module initializes each information security device, it can use the record information of the fault logging module to filter the faulty devices out of the set of target devices to be initialized, so as to avoid operational errors and reduced efficiency.
In one embodiment of the invention, the service request terminal can pack multiple pieces of data to be processed, together with their corresponding service request types, into the information security service request to be sent. After receiving and parsing this information security service request, the processing module obtains the multiple pieces of data to be processed and their corresponding service request types. For each piece of data to be processed, the processing module generates a processing instruction according to its service request type, packs the data together with that processing instruction into a binary data packet or processes it into a data frame, and sends each data packet or data frame to the management module separately. The management module selects one or more idle or soon-to-be-idle devices according to the operating state of each information security device, sends each data packet or data frame to them, and passes the processed data returned in turn by the selected information security devices to the processing module. The processing module reassembles the multiple pieces of processed data returned in response to the same service request into data in the predetermined format and sends them to the service request terminal through the network interface, completing the response.
With this embodiment, when the service request terminal has multiple pieces of data requiring information security processing, it can pack them into one service request and send them together, avoiding the inconvenience of sending several requests.
In an embodiment of the invention, the same network interface can serve multiple service request terminals, that is, the network interface can receive information security service requests from multiple service request terminals over the network. All service request terminals share the same network interface, which facilitates cloud deployment.
The foregoing are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.