CN106357700A - Cipher equipment virtualization method in cloud environment - Google Patents

Cipher equipment virtualization method in cloud environment

Info

Publication number
CN106357700A
Authority
CN
China
Prior art keywords
key
encryption device
digital certificate
cloud environment
user
Prior art date
Legal status
Pending
Application number
CN201611044279.9A
Other languages
Chinese (zh)
Inventor
孙善宝
于治楼
金长新
Current Assignee
Jinan Inspur Hi Tech Investment and Development Co Ltd
Original Assignee
Jinan Inspur Hi Tech Investment and Development Co Ltd
Priority date
2016-11-24
Filing date
2016-11-24
Publication date
2017-01-25
Application filed by Jinan Inspur Hi Tech Investment and Development Co Ltd; priority to CN201611044279.9A; publication of CN106357700A; current legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network security for supporting key management in a packet data network
    • H04L 63/08 Network security for authentication of entities
    • H04L 63/0823 Authentication of entities using certificates
    • H04L 63/10 Network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention relates to a cipher equipment virtualization method in a cloud environment. In this method, the key storage of the cipher equipment is divided into multiple independent regions, and a digital certificate that is stored once is mapped to multiple device keys; the identity legitimacy of a visitor is verified by means of the digital certificate, and a visitor who fails the verification cannot use the key; the digital certificate in the cipher equipment and its corresponding keys cannot be modified and can only be erased together; and both the division of the key storage regions and the write-once and erase functions for the control information are realized by a cipher equipment virtualization device in the cloud environment. The method effectively protects a user's authority to access keys, and because all security-related operations are completed inside the hardware device, operating efficiency is guaranteed.

Description

Cipher equipment virtualization method in a cloud environment
Technical field
The present invention relates to information security encryption and authentication techniques and to the field of cloud computing technology, and in particular to a cipher equipment virtualization method in a cloud environment.
Background technology
In recent years, with the popularization of cloud computing and virtualization technology, many outstanding cloud computing application service platforms have emerged. They aggregate large quantities of physical hardware resources and use virtualization technology to abstract the hardware resources of physical devices, achieving unified allocation, scheduling and management of heterogeneous network computing resources, so as to make full use of software and hardware resources and increase operating efficiency.
While cloud computing brings efficient, high-quality services to users, cloud security authentication has become a focus and has attracted wide attention. Conventional security authentication solutions mainly rely on cipher equipment to perform the related cryptographic operations, such as encryption, decryption, signing and signature verification, and thereby solve the security authentication problem of the application system. The security of the application system therefore depends mainly on the cryptographic hardware device: the keys stored in the cryptographic hardware cannot be exported, and all cryptographic operations are completed inside the device.
However, in a cloud environment, traditional cipher equipment and its application model can no longer meet current demands or make full and effective use of existing security resources. In this situation, how to virtualize cipher equipment while guaranteeing the security of key use and management has become a problem that needs to be solved.
Based on the above problems, the present invention proposes a cipher equipment virtualization method in a cloud environment.
Content of the invention
To make up for the defects of the prior art, the present invention provides a simple and efficient cipher equipment virtualization method in a cloud environment.
The present invention is achieved through the following technical solution:
A cipher equipment virtualization method in a cloud environment, characterized in that: the key storage of the cipher equipment is divided into several independent regions, and a digital certificate that is written once is associated with several device keys; the identity legitimacy of a visitor is verified by means of the digital certificate, and a key may only be used after the legitimacy verification passes; the digital certificate in the cipher equipment and its corresponding keys cannot be modified and can only be erased together; and the division of the key storage regions and the one-time writing and erasing of the control information are all realized by a cipher equipment virtualization device in the cloud environment.
The cipher equipment virtualization device in the cloud environment consists of a device main control unit, an encryption chip, a master key storage area, a key storage area, a one-time-write storage area, a management service module, an I/O control module, a management port and an application port;
The device main control unit is the command and control center of the cipher equipment; the encryption chip is responsible for encryption and decryption, digital signature, protocol packaging and related operations; the master key storage area stores the master key of the cipher equipment; the key storage area is partitioned into several parts for storing keys; the one-time-write storage area is a region that can be written only once and cannot be modified, and it stores the access control list of user public keys and their corresponding keys; the management service module provides key management services; the I/O control module is responsible for the input and output control of the whole terminal device; the management port is used by users to access the management services; and the application port is used by application systems to consume the key services.
The creation of a virtual cipher device in the cloud computing environment comprises the following steps:
(1) Initialize the cipher equipment and generate the master key;
(2) Divide the key storage area of the cipher equipment into independent key storage regions and number each region;
(3) Issue a digital certificate to the user applying for a virtual cipher device and store it in an external hardware key medium;
(4) Obtain master key authentication and authorization; according to the user's request, allocate an idle key region and generate a key in it, and at the same time write the key region number and the user's digital certificate or public key into the one-time-write storage area;
(5) Using the digital certificate, the user sets access rights for the corresponding key through the management port of the cipher equipment and generates a credential code;
(6) The application system accesses the key by means of the credential code and performs cryptographic operations.
The destruction of a virtual cipher device key in the cloud computing environment comprises the following steps:
(1) The user submits a key destruction request;
(2) Verify the legitimacy of the user's digital certificate;
(3) Obtain master key authentication and authorization, and erase the key region specified by the user together with its key region number;
(4) When the user has deleted all of their key regions in the cipher equipment, the user's digital certificate is erased from the one-time-write storage area at the same time.
Compared with the prior art, the cipher equipment virtualization method in a cloud environment has the following beneficial effects:
(1) It effectively solves the problem of cipher equipment virtualization in a cloud environment. Users access the management port of the cipher equipment and are authenticated by means of their digital certificate, which effectively controls access to the device keys;
(2) Although the user key regions are allocated under the master key of the hardware cipher equipment, the key that is finally used for access is the access credential code set by the user. This ensures that even if the master key of the hardware device is leaked, the user's keys are not revealed, which prevents disclosure by the cloud service operator;
(3) The cipher equipment virtualization device in a cloud environment can partition several key storage regions, solving the problem of virtualizing key devices; by means of the access control list in the one-time-write storage area, the user's authority to access keys is effectively protected; and all security-related operations are completed inside the hardware device, which guarantees operating efficiency.
Brief description
Figure 1 is a hardware architecture diagram of the terminal device secure transmission authentication device of the present invention.
Figure 2 is a schematic flow chart of creating a virtual cipher device according to the present invention.
Figure 3 is a schematic flow chart of destroying a virtual cipher device according to the present invention.
Specific embodiment
In order to make the technical problem to be solved, the technical solution and the beneficial effects of the present invention clearer, the present invention is described in detail below with reference to the drawings and embodiments. It should be noted that the specific embodiments described here are only used to explain the present invention and are not intended to limit it.
In this embodiment, the issued digital certificate adopts the domestic SM2 algorithm, and the cipher equipment can be partitioned into 64 key storage regions. On this basis, the user list data format of the one-time-write storage area is defined as: 64 bytes for storing the SM2 certificate public key and 8 bytes for storing the regions in use. The 64 bits of the 8 bytes represent the 64 key regions respectively; if a bit is 1, it indicates that the user has the right to access the key with the corresponding number.
It should be noted that, in addition to the data format described above, the structure according to the embodiment of the present invention can also be applied to other data protocols.
In this cipher equipment virtualization method in a cloud environment, the key storage of the cipher equipment is divided into several independent regions, and a digital certificate that is written once is associated with several device keys; the identity legitimacy of a visitor is verified by means of the digital certificate, and a key may only be used after the legitimacy verification passes; the digital certificate in the cipher equipment and its corresponding keys cannot be modified and can only be erased together; and the division of the key storage regions and the one-time writing and erasing of the control information are all realized by a cipher equipment virtualization device in the cloud environment.
The cipher equipment virtualization device in the cloud environment consists of a device main control unit, an encryption chip, a master key storage area, a key storage area, a one-time-write storage area, a management service module, an I/O control module, a management port and an application port;
The device main control unit is the command and control center of the cipher equipment; the encryption chip is responsible for encryption and decryption, digital signature, protocol packaging and related operations; the master key storage area stores the master key of the cipher equipment; the key storage area is partitioned into several parts for storing keys; the one-time-write storage area is a region that can be written only once and cannot be modified, and it stores the access control list of user public keys and their corresponding keys; the management service module provides key management services; the I/O control module is responsible for the input and output control of the whole terminal device; the management port is used by users to access the management services; and the application port is used by application systems to consume the key services.
The creation of a virtual cipher device in the cloud computing environment comprises the following steps:
(1) Initialize the cipher equipment and generate the master key; for example, the master key uses the SM4 algorithm;
(2) Divide the key storage area of the cipher equipment into independent key storage regions and number each region;
(3) Issue a digital certificate to the user applying for a virtual cipher device and store it in an external hardware key medium; for example, the key pair algorithm adopts the national cryptographic algorithm SM2 with a key strength of 256 bits, which, compared with an RSA algorithm of equivalent security strength, is faster, saves storage and reduces the size of the transmitted data;
(4) Obtain master key authentication and authorization; according to the user's request, allocate an idle key region and generate a key in it, and at the same time write the key region number and the user's digital certificate or public key into the one-time-write storage area; the algorithm of the generated key is specified by the user and may be RSA or SM2, and the write is performed according to the format of the one-time-write storage area described above;
(5) Using the digital certificate, the user sets access rights for the corresponding key through the management port of the cipher equipment and generates a credential code; the credential code is a random number used for the communication between the cipher equipment and the application system, and the user can change it at any time through the management port;
(6) The application system accesses the key by means of the credential code and performs cryptographic operations.
The destruction of a virtual cipher device key in the cloud computing environment comprises the following steps:
(1) The user submits a key destruction request;
(2) Verify the legitimacy of the user's digital certificate: confirm whether the certificate is within its validity period, whether it was issued by a trusted issuing authority, and whether it has the right to access this key;
(3) Obtain master key authentication and authorization, and erase the key region specified by the user together with its key region number; here the user's key is erased and the bit of the key region corresponding to the public key is cleared to 0;
(4) When the user has deleted all of their key regions in the cipher equipment, the user's digital certificate is erased from the one-time-write storage area at the same time.
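As an added example (not code from the patent), the following Python models the 72-byte user list record of the one-time-write storage area defined in this embodiment and the erase-only semantics of destruction steps (3) and (4): a region's bit is cleared to 0, and the record holding the certificate public key is dropped once no region remains. The bit ordering (region 0 is the most significant bit of the first bitmap byte), the use of a fresh list slot for each record and the 64-byte constructed public key are assumptions.

```python
"""Model of the write-once user list: 64-byte SM2 public key + 8-byte region bitmap."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PUBKEY_LEN = 64            # SM2 public key: x || y, 32 bytes each
BITMAP_LEN = 8             # 64 bits, one per key storage region
RECORD_LEN = PUBKEY_LEN + BITMAP_LEN
REGIONS = 64               # the embodiment partitions the device into 64 regions


def pack_record(pubkey: bytes, regions: Set[int]) -> bytes:
    """Build a 72-byte record; bit = 1 means the user may use that region's key."""
    if len(pubkey) != PUBKEY_LEN:
        raise ValueError("SM2 public key must be 64 bytes")
    bitmap = 0
    for r in regions:
        if not 0 <= r < REGIONS:
            raise ValueError(f"region {r} out of range")
        bitmap |= 1 << (REGIONS - 1 - r)       # assumption: region 0 = MSB of byte 0
    return pubkey + bitmap.to_bytes(BITMAP_LEN, "big")


def parse_record(record: bytes) -> Tuple[bytes, Set[int]]:
    """Split a record into (public key, set of permitted region numbers)."""
    if len(record) != RECORD_LEN:
        raise ValueError("record must be 72 bytes")
    pubkey = record[:PUBKEY_LEN]
    bitmap = int.from_bytes(record[PUBKEY_LEN:], "big")
    regions = {r for r in range(REGIONS) if (bitmap >> (REGIONS - 1 - r)) & 1}
    return pubkey, regions


@dataclass
class OneTimeWriteStore:
    """Write-once list: a record is written once; afterwards bits may only go 1 -> 0."""
    records: List[bytes] = field(default_factory=list)

    def find(self, pubkey: bytes) -> Optional[int]:
        """Locate the record belonging to a certificate public key."""
        for i, rec in enumerate(self.records):
            if rec[:PUBKEY_LEN] == pubkey:
                return i
        return None

    def write(self, record: bytes) -> int:
        """Creation step (4): append a new record; an existing record is never rewritten."""
        pubkey, _ = parse_record(record)
        if self.find(pubkey) is not None:
            raise PermissionError("record for this public key already written")
        self.records.append(record)
        return len(self.records) - 1

    def has_access(self, pubkey: bytes, region: int) -> bool:
        """Check at the application port: may this certificate use this region's key?"""
        i = self.find(pubkey)
        return i is not None and region in parse_record(self.records[i])[1]

    def erase_region(self, pubkey: bytes, region: int) -> bool:
        """Destruction step (3): clear the region bit; step (4): drop the record at 0 regions."""
        i = self.find(pubkey)
        if i is None or not self.has_access(pubkey, region):
            return False                        # unknown user or no right to that key
        _, regions = parse_record(self.records[i])
        regions.discard(region)
        if regions:
            self.records[i] = pack_record(pubkey, regions)   # only a 1 -> 0 change
        else:
            del self.records[i]                 # last key gone: certificate erased too
        return True


if __name__ == "__main__":
    pk = bytes(range(64))                       # constructed stand-in for an SM2 public key
    store = OneTimeWriteStore()
    store.write(pack_record(pk, {3, 17}))
    print(store.has_access(pk, 3), store.has_access(pk, 4))   # True False
    store.erase_region(pk, 3)
    store.erase_region(pk, 17)
    print(store.find(pk))                       # None
```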
Compared with the prior art, the cipher equipment virtualization method in a cloud environment has the following beneficial effects:
(1) It effectively solves the problem of cipher equipment virtualization in a cloud environment. Users access the management port of the cipher equipment and are authenticated by means of their digital certificate, which effectively controls access to the device keys;
(2) Although the user key regions are allocated under the master key of the hardware cipher equipment, the key that is finally used for access is the access credential code set by the user. This ensures that even if the master key of the hardware device is leaked, the user's keys are not revealed, which prevents disclosure by the cloud service operator;
(3) The cipher equipment virtualization device in a cloud environment can partition several key storage regions, solving the problem of virtualizing key devices; by means of the access control list in the one-time-write storage area, the user's authority to access keys is effectively protected; and all security-related operations are completed inside the hardware device, which guarantees operating efficiency.

Claims (4)

1. A cipher equipment virtualization method in a cloud environment, characterized in that: the key storage of the cipher equipment is divided into several independent regions, and a digital certificate that is written once is associated with several device keys; the identity legitimacy of a visitor is verified by means of the digital certificate, and a key may only be used after the legitimacy verification passes; the digital certificate in the cipher equipment and its corresponding keys cannot be modified and can only be erased together; and the division of the key storage regions and the one-time writing and erasing of the control information are all realized by a cipher equipment virtualization device in the cloud environment.
2. The cipher equipment virtualization method in a cloud environment according to claim 1, characterized in that: the cipher equipment virtualization device in the cloud environment consists of a device main control unit, an encryption chip, a master key storage area, a key storage area, a one-time-write storage area, a management service module, an I/O control module, a management port and an application port;
The device main control unit is the command and control center of the cipher equipment; the encryption chip is responsible for encryption and decryption, digital signature, protocol packaging and related operations; the master key storage area stores the master key of the cipher equipment; the key storage area is partitioned into several parts for storing keys; the one-time-write storage area is a region that can be written only once and cannot be modified, and it stores the access control list of user public keys and their corresponding keys; the management service module provides key management services; the I/O control module is responsible for the input and output control of the whole terminal device; the management port is used by users to access the management services; and the application port is used by application systems to consume the key services.
3. The cipher equipment virtualization method in a cloud environment according to claim 1, characterized in that the creation of a virtual cipher device in the cloud computing environment comprises the following steps:
(1) Initialize the cipher equipment and generate the master key;
(2) Divide the key storage area of the cipher equipment into independent key storage regions and number each region;
(3) Issue a digital certificate to the user applying for a virtual cipher device and store it in an external hardware key medium;
(4) Obtain master key authentication and authorization; according to the user's request, allocate an idle key region and generate a key in it, and at the same time write the key region number and the user's digital certificate or public key into the one-time-write storage area;
(5) Using the digital certificate, the user sets access rights for the corresponding key through the management port of the cipher equipment and generates a credential code;
(6) The application system accesses the key by means of the credential code and performs cryptographic operations.
4. The cipher equipment virtualization method in a cloud environment according to claim 1, characterized in that the destruction of a virtual cipher device key in the cloud computing environment comprises the following steps:
(1) The user submits a key destruction request;
(2) Verify the legitimacy of the user's digital certificate;
(3) Obtain master key authentication and authorization, and erase the key region specified by the user together with its key region number;
(4) When the user has deleted all of their key regions in the cipher equipment, the user's digital certificate is erased from the one-time-write storage area at the same time.

Priority Applications (1)

Application number: CN201611044279.9A (publication CN106357700A, en); priority date: 2016-11-24; filing date: 2016-11-24; title: Cipher equipment virtualization method in cloud environment

Applications Claiming Priority (1)

Application number: CN201611044279.9A (publication CN106357700A, en); priority date: 2016-11-24; filing date: 2016-11-24; title: Cipher equipment virtualization method in cloud environment

Publications (1)

Publication number: CN106357700A (en); publication date: 2017-01-25

Family

Family ID: 57861791

Family Applications (1)

Application number: CN201611044279.9A (publication CN106357700A, en), status Pending; priority date: 2016-11-24; filing date: 2016-11-24; title: Cipher equipment virtualization method in cloud environment

Country Status (1)

CN: CN106357700A (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105262590A (en) * 2015-09-07 2016-01-20 北京三未信安科技发展有限公司 Method and system for safely insulating keys in virtual environment

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107147491A (en) * 2017-06-01 2017-09-08 浙江九州量子信息技术股份有限公司 A kind of cipher key service framework communicated based on multiple terminals and distribution method
CN107994984A (en) * 2017-12-01 2018-05-04 北京深思数盾科技股份有限公司 A kind of cryptographic key protection method and device
CN108566386A (en) * 2018-03-26 2018-09-21 山东渔翁信息技术股份有限公司 A kind of encryption device management method, device and storage medium based on cloud platform
CN114238938A (en) * 2021-12-15 2022-03-25 北京安盟信息技术股份有限公司 PCIE password card virtualization configuration management method
CN114238938B (en) * 2021-12-15 2022-10-21 北京安盟信息技术股份有限公司 PCIE password card virtualization configuration management method
CN114338124A (en) * 2021-12-23 2022-04-12 成都卫士通信息产业股份有限公司 Management method and system of cloud password computing service, electronic device and storage medium
CN114338124B (en) * 2021-12-23 2024-04-12 成都卫士通信息产业股份有限公司 Management method and system of cloud password computing service, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US11115418B2 (en) Registration and authorization method device and system
TWI715537B (en) Encryption machine key injection system, method and device based on cloud environment
US8997192B2 (en) System and method for securely provisioning and generating one-time-passwords in a remote device
CN106357700A (en) Cipher equipment virtualization method in cloud environment
KR101608510B1 (en) System and method for key management for issuer security domain using global platform specifications
US8789195B2 (en) Method and system for access control and data protection in digital memories, related digital memory and computer program product therefor
CN105099711B (en) A kind of small cipher machine and data ciphering method based on ZYNQ
WO2020192406A1 (en) Method and apparatus for data storage and verification
CN105528239B (en) The key management method of virtual credible platform module based on credible root server
CN110572258B (en) Cloud password computing platform and computing service method
CN104090853A (en) Solid-state disc encryption method and system
CN104184743A (en) Three-layer authentication system and method oriented to cloud computing platform
CN112560058B (en) SSD partition encryption storage system based on intelligent password key and implementation method thereof
CN103888429B (en) Virtual machine starts method, relevant device and system
CN104021335B (en) Password service method based on extensible password service framework
CN104123506A (en) Data access method and device and data encryption storage and access method and device
WO2015117523A1 (en) Access control method and device
CN105262590A (en) Method and system for safely insulating keys in virtual environment
CN109460639A (en) A kind of license authentication control method, device, terminal and storage medium
KR20090052321A (en) Content control system and method using versatile control structure
CN107911221B (en) Key management method for secure storage of solid-state disk data
CN103516524A (en) Security authentication method and system
CN106411941B (en) Safety certification resource allocation and management method under a kind of cloud environment
US20190044721A1 (en) Device authorization using symmetric key systems and methods
KR20090026357A (en) Content control system and method using certificate chains

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170125