CN106357700A - Cipher equipment virtualization method in cloud environment - Google Patents
Cipher equipment virtualization method in cloud environment
- Publication number: CN106357700A (application CN201611044279.9A)
- Authority: CN (China)
- Prior art keywords: key, encryption device, digital certificate, cloud environment, user
- Legal status: Pending (as listed by Google, which states that the status is an assumption and not a legal conclusion)
Classifications
- H04L63/06: Network architectures or network communication protocols for network security; supporting key management in a packet data network
- H04L63/0823: Network security; authentication of entities using certificates
- H04L63/101: Network security; controlling access to devices or network resources; access control lists [ACL]
- H04L67/10: Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network
Abstract
The invention relates to a method for virtualizing cryptographic devices in a cloud environment. The key storage of the cryptographic device is divided into multiple independent regions, and a single write of a digital certificate is bound to multiple device keys. The identity of a visitor is verified with the digital certificate, and a visitor who fails that verification cannot use the key. The digital certificate in the cryptographic device and the corresponding key cannot be modified; they can only be erased together. The partitioning of the key storage regions and the one-time-write and erase functions for the control information are all implemented by a cryptographic device virtualization apparatus in the cloud environment. The method effectively protects the user's right to access the key, and all security-related operations are completed inside the hardware device, so operating efficiency is guaranteed.
Description
Technical field
The present invention relates to information-security encryption and authentication technology and to the field of cloud computing, and in particular to a method for virtualizing cryptographic devices in a cloud environment.
Background technology
In recent years, with the spread of cloud computing and virtualization technology, many excellent cloud computing application service platforms have emerged. They aggregate large amounts of physical hardware, abstract the hardware resources of the physical devices with virtualization technology, and achieve unified allocation, scheduling and management of heterogeneous computing resources, so as to make full use of hardware and software resources and raise operating efficiency.
While cloud computing brings efficient, high-quality services to users, cloud security authentication has become a focus of wide attention. Conventional security authentication solutions rely on a cryptographic device to perform the related cryptographic operations (encryption, decryption, signing and signature verification) and thereby solve the security authentication problem of the application system. The security of the application system therefore rests mainly on the cryptographic hardware: keys stored in the cryptographic hardware cannot be exported, and all cryptographic operations are completed inside the device.
In a cloud environment, however, the traditional cryptographic device and its application model can no longer meet current demands or make full and effective use of the existing security resources. How to virtualize the cryptographic device while still guaranteeing the security of key use and key management becomes the problem to be solved.
To address the above problems, the present invention proposes a method for virtualizing cryptographic devices in a cloud environment.
Content of the invention
To remedy the defects of the prior art, the present invention provides a simple and efficient method for virtualizing cryptographic devices in a cloud environment.
The present invention is achieved through the following technical solution:
A method for virtualizing cryptographic devices in a cloud environment, characterized in that: the key storage of the cryptographic device is divided into several independent regions, and a single write of a digital certificate is bound to several device keys; the identity of a visitor is authenticated with the digital certificate, and the key may be used only after that authentication succeeds; the digital certificate in the cryptographic device and the corresponding key can only be erased together and cannot be modified; the partitioning of the key storage regions and the one-time-write and erase functions for the control information are all implemented by the cryptographic device virtualization apparatus in the cloud environment.
The cryptographic device virtualization apparatus in the cloud environment consists of a device master control unit, a cryptographic chip, a master key storage area, key storage regions, a one-time-write storage area, a management service module, an I/O control module, a management port and an application port.
The device master control unit is the command and control centre of the cryptographic device. The cryptographic chip performs encryption and decryption, digital signatures, protocol packaging and related operations. The master key storage area holds the master key of the cryptographic device. The key storage area is partitioned into several parts for holding keys. The one-time-write storage area is a region that can be written only once and cannot be modified; it holds the users' public keys and the access control list of the corresponding keys. The management service module provides key management services. The I/O control module is responsible for the input and output control of the whole terminal device. The management port is used by users to access the management services. The application port is used by application systems to consume the key services.
Creation of a virtual cryptographic device in the cloud computing environment comprises the following steps:
(1) initialize the cryptographic device and generate the master key;
(2) partition the key storage area of the cryptographic device into independent key storage regions and number each region;
(3) issue a digital certificate to the user applying for a virtual cryptographic device and store it in an external hardware key medium;
(4) obtain authorization through master-key authentication, allocate an idle key region and generate a key according to the user's request, and at the same time write the key region number together with the user's digital certificate or public key into the one-time-write storage area;
(5) the user, using the digital certificate, sets the access rights of the corresponding key through the management port of the cryptographic device and generates a credential code;
(6) the application system accesses the key with the credential code and performs cryptographic operations.
Destruction of a virtual cryptographic device key in the cloud computing environment comprises the following steps:
(1) the user submits a key destruction request;
(2) verify the legitimacy of the user's digital certificate;
(3) obtain authorization through master-key authentication, erase the key region specified by the user, and erase its region number;
(4) when the user has deleted all of their key regions in the cryptographic device, the user's digital certificate is erased from the one-time-write storage area at the same time.
Compared with the prior art, this method of virtualizing cryptographic devices in a cloud environment has the following beneficial effects:
(1) It effectively solves the problem of virtualizing cryptographic devices in a cloud environment. The user accesses the management port of the cryptographic device and is authenticated by digital certificate, which effectively controls access to the device keys.
(2) Although the user's key region is allocated under the master key of the hardware cryptographic device, the key is ultimately accessed with the access credential code set by the user, so even if the master key of the hardware device is leaked, the user's key is not leaked; this prevents the cloud service operator from becoming a source of leakage.
(3) The cryptographic device virtualization apparatus in the cloud environment can partition several key storage regions, which solves the problem of virtualizing the key device. The access control list in the one-time-write storage area effectively protects the user's right to access the key, and all security-related computation is completed in the hardware apparatus, so its operating efficiency is guaranteed.
Brief description of the drawings
Figure 1 is the hardware architecture diagram of the terminal device secure-transmission authentication apparatus of the present invention.
Figure 2 is a schematic flow chart of creating a virtual cryptographic device according to the present invention.
Figure 3 is a schematic flow chart of destroying a virtual cryptographic device according to the present invention.
Specific embodiment
To make the technical problem solved by the present invention, its technical solution and its beneficial effects clearer, the present invention is described in detail below with reference to the drawings and the embodiment. It should be noted that the specific embodiment described here only serves to explain the present invention and is not intended to limit it.
In this embodiment the digital certificates issued use the domestic SM2 algorithm, and the cryptographic device can be partitioned into 64 key storage regions. On this basis the user list data format of the one-time-write storage area is defined as: 64 bytes storing the SM2 certificate public key, followed by 8 bytes storing the usable regions. The 64 bits of those 8 bytes correspond to the 64 key regions respectively; a bit set to 1 means the holder has the right to access the key with that number.
It should be noted that, in addition to the data format described above, the structure of the embodiment of the present invention can also be applied to other data protocols.
Creation of a virtual cryptographic device in the cloud computing environment comprises the following steps:
(1) initialize the cryptographic device and generate the master key; for example, the master key uses the SM4 algorithm;
(2) partition the key storage area of the cryptographic device into independent key storage regions and number each region;
(3) issue a digital certificate to the user applying for a virtual cryptographic device and store it in an external hardware key medium; for example, the key pair uses the national SM2 algorithm with a key length of 256 bits, which, compared with RSA at equal security strength, is faster, saves storage and reduces the amount of data transmitted;
(4) obtain authorization through master-key authentication, allocate an idle key region and generate a key according to the user's request, and at the same time write the key region number together with the user's digital certificate or public key into the one-time-write storage area; the algorithm of the key generated here is specified by the user and can be RSA or SM2, and the write follows the format of the one-time-write storage area given above;
(5) the user, using the digital certificate, sets the access rights of the corresponding key through the management port of the cryptographic device and generates a credential code; the credential code here is a random number used for communication between the cryptographic device and the application system, and the user can change it at any time through the management port;
(6) the application system accesses the key with the credential code and performs cryptographic operations.
Destruction of a virtual cryptographic device key in the cloud computing environment comprises the following steps:
(1) the user submits a key destruction request;
(2) verify the legitimacy of the user's digital certificate: confirm whether the certificate is within its validity period, whether it was issued by a trusted issuing authority, and whether it carries the right to access this key;
(3) obtain authorization through master-key authentication, erase the key region specified by the user, and erase its region number; here the user's key is erased and the bit for that key region in the entry of the corresponding public key is cleared to 0;
(4) when the user has deleted all of their key regions in the cryptographic device, the user's digital certificate is erased from the one-time-write storage area at the same time.
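The record format and the creation and destruction procedures of the embodiment, as an added Python model that is not part of the patent: it packs and unpacks the 72-byte user-list entry (64-byte SM2 public key followed by the 64-bit region bitmap), enforces the write-once, clear-bits-only, erase-whole semantics of the one-time-write area, and runs creation steps (4) to (6) and destruction steps (2) to (4). Everything the text does not state is an assumption made for illustration: bit i of the bitmap stands for region i, master-key authorization is modelled as proving possession of the master key, the credential code is 16 random bytes, the certificate is a plain dict checked only for validity period and trusted issuer (no SM2 signature verification), region keys are random 32-byte strings, and the in-device operation is an HMAC-SHA256 standing in for the SM2/SM4 operations the cryptographic chip would perform.

```python
"""Simulation of the embodiment's write-once access-control record and of the
create, use and destroy flows (added example, not the patent's own code).  From
the text: 64 key regions; record = 64-byte SM2 public key + 8-byte bitmap over
the regions; records may be erased but not modified.  Assumed: bit i is region
i; master-key authorisation = proving possession of it; credential code = 16
random bytes; certificate = dict stand-in, no signature check; op = HMAC."""
import hashlib
import hmac
import secrets
import struct

N_REGIONS = 64        # embodiment: the device is split into 64 key regions
PUBKEY_LEN = 64       # SM2 public key = 64 bytes (x || y)
TRUSTED_ISSUERS = {"CN=Constructed Example CA"}   # constructed trust anchor

def pack_record(pubkey: bytes, regions) -> bytes:
    """pubkey || big-endian 64-bit bitmap; bit i set <=> holder may use region i."""
    if len(pubkey) != PUBKEY_LEN or any(not 0 <= r < N_REGIONS for r in regions):
        raise ValueError("bad public key length or region number")
    bitmap = 0
    for r in regions:
        bitmap |= 1 << r
    return pubkey + struct.pack(">Q", bitmap)

def unpack_record(rec: bytes):
    """Inverse of pack_record: (pubkey, set of granted region numbers)."""
    (bitmap,) = struct.unpack(">Q", rec[PUBKEY_LEN:])
    return rec[:PUBKEY_LEN], {i for i in range(N_REGIONS) if bitmap >> i & 1}

def cert_is_valid(cert: dict, now: int) -> bool:
    # Destroy step (2): inside the validity period and from a trusted issuer.
    return cert["not_before"] <= now <= cert["not_after"] and cert["issuer"] in TRUSTED_ISSUERS

class WriteOnceStore:
    """One-time-write area: written once, bits only clear (1 -> 0, as in OTP), erase whole."""
    def __init__(self):
        self._recs = {}

    def write(self, rec: bytes):
        if rec[:PUBKEY_LEN] in self._recs:
            raise PermissionError("record already written: write-once area")
        self._recs[rec[:PUBKEY_LEN]] = rec

    def clear_bit(self, pubkey: bytes, region: int) -> int:
        """Clear one region bit; when no bit remains the whole record is erased."""
        (bitmap,) = struct.unpack(">Q", self._recs[pubkey][PUBKEY_LEN:])
        bitmap &= ~(1 << region)
        self._recs[pubkey] = pubkey + struct.pack(">Q", bitmap)
        if bitmap == 0:
            del self._recs[pubkey]   # last region gone: the certificate record goes with it
        return bitmap

    def regions_of(self, pubkey: bytes) -> set:
        rec = self._recs.get(pubkey)
        return unpack_record(rec)[1] if rec else set()

class VirtualCryptoDevice:
    def __init__(self):
        self.master_key = secrets.token_bytes(16)  # create step (1): SM4 key is 128 bits
        self.regions = [None] * N_REGIONS          # create step (2): region i -> key or None
        self.acl = WriteOnceStore()                # the one-time-write memory block
        self.credentials = {}                      # region -> credential code

    def _authorise_master(self, auth: bytes):
        if not hmac.compare_digest(auth, self.master_key):
            raise PermissionError("master-key authorisation failed")

    def create(self, auth: bytes, cert: dict, n_keys: int = 1) -> list:
        """Create step (4): allocate idle regions, generate keys, write the record once."""
        self._authorise_master(auth)
        free = [i for i, k in enumerate(self.regions) if k is None][:n_keys]
        if len(free) < n_keys:
            raise RuntimeError("no idle key region")
        self.acl.write(pack_record(cert["pubkey"], free))  # rejects a second write
        for i in free:
            self.regions[i] = secrets.token_bytes(32)       # algorithm is the user's choice
        return free

    def issue_credential(self, cert: dict, region: int) -> bytes:
        """Create step (5): the certificate holder sets a random credential code."""
        if region not in self.acl.regions_of(cert["pubkey"]):
            raise PermissionError("no right to this region")
        self.credentials[region] = secrets.token_bytes(16)
        return self.credentials[region]

    def use_key(self, region: int, code: bytes, data: bytes) -> bytes:
        """Create step (6): the application presents only the credential code."""
        want = self.credentials.get(region)
        if want is None or not hmac.compare_digest(code, want):
            raise PermissionError("bad credential code")
        return hmac.new(self.regions[region], data, hashlib.sha256).digest()  # key never leaves

    def destroy(self, auth: bytes, cert: dict, region: int, now: int):
        """Destroy steps (2)-(4): check certificate and right, authorise, erase."""
        pk = cert["pubkey"]
        if not cert_is_valid(cert, now) or region not in self.acl.regions_of(pk):
            raise PermissionError("certificate invalid or no right to this region")
        self._authorise_master(auth)
        self.regions[region] = None
        self.credentials.pop(region, None)
        self.acl.clear_bit(pk, region)
```

Two design choices in the model mirror the text: creation writes the record before any key is generated, so a second creation for the same public key is refused by the write-once area without consuming a region, and the store erases the record the moment its last bit is cleared, which is the "erased together, never modified" property of the certificate and its keys.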
Claims (4)
1. A method for virtualizing cryptographic devices in a cloud environment, characterized in that: the key storage of the cryptographic device is divided into several independent regions, and a single write of a digital certificate is bound to several device keys; the identity of a visitor is authenticated with the digital certificate, and the key may be used only after that authentication succeeds; the digital certificate in the cryptographic device and the corresponding key can only be erased together and cannot be modified; the partitioning of the key storage regions and the one-time-write and erase functions for the control information are all implemented by the cryptographic device virtualization apparatus in the cloud environment.
2. The method for virtualizing cryptographic devices in a cloud environment according to claim 1, characterized in that: the cryptographic device virtualization apparatus in the cloud environment consists of a device master control unit, a cryptographic chip, a master key storage area, key storage regions, a one-time-write storage area, a management service module, an I/O control module, a management port and an application port;
the device master control unit is the command and control centre of the cryptographic device; the cryptographic chip performs encryption and decryption, digital signatures, protocol packaging and related operations; the master key storage area holds the master key of the cryptographic device; the key storage area is partitioned into several parts for holding keys; the one-time-write storage area is a region that can be written only once and cannot be modified, holding the users' public keys and the access control list of the corresponding keys; the management service module provides key management services; the I/O control module is responsible for the input and output control of the whole terminal device; the management port is used by users to access the management services; the application port is used by application systems to consume the key services.
3. The method for virtualizing cryptographic devices in a cloud environment according to claim 1, characterized in that creation of a virtual cryptographic device in the cloud computing environment comprises the following steps:
(1) initialize the cryptographic device and generate the master key;
(2) partition the key storage area of the cryptographic device into independent key storage regions and number each region;
(3) issue a digital certificate to the user applying for a virtual cryptographic device and store it in an external hardware key medium;
(4) obtain authorization through master-key authentication, allocate an idle key region and generate a key according to the user's request, and at the same time write the key region number together with the user's digital certificate or public key into the one-time-write storage area;
(5) the user, using the digital certificate, sets the access rights of the corresponding key through the management port of the cryptographic device and generates a credential code;
(6) the application system accesses the key with the credential code and performs cryptographic operations.
4. The method for virtualizing cryptographic devices in a cloud environment according to claim 1, characterized in that destruction of a virtual cryptographic device key in the cloud computing environment comprises the following steps:
(1) the user submits a key destruction request;
(2) verify the legitimacy of the user's digital certificate;
(3) obtain authorization through master-key authentication, erase the key region specified by the user, and erase its region number;
(4) when the user has deleted all of their key regions in the cryptographic device, the user's digital certificate is erased from the one-time-write storage area at the same time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611044279.9A CN106357700A (en) | 2016-11-24 | 2016-11-24 | Cipher equipment virtualization method in cloud environment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106357700A (en) | 2017-01-25 |
Family ID: 57861791; one family application, CN201611044279.9A (pending); country status: CN, CN106357700A (en).
Timeline: 2016-11-24, CN application CN201611044279.9A filed (patent/CN106357700A/en), status Pending.
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105262590A (en) * | 2015-09-07 | 2016-01-20 | 北京三未信安科技发展有限公司 | Method and system for safely insulating keys in virtual environment |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107147491A (en) * | 2017-06-01 | 2017-09-08 | 浙江九州量子信息技术股份有限公司 | A kind of cipher key service framework communicated based on multiple terminals and distribution method |
CN107994984A (en) * | 2017-12-01 | 2018-05-04 | 北京深思数盾科技股份有限公司 | A kind of cryptographic key protection method and device |
CN108566386A (en) * | 2018-03-26 | 2018-09-21 | 山东渔翁信息技术股份有限公司 | A kind of encryption device management method, device and storage medium based on cloud platform |
CN114238938A (en) * | 2021-12-15 | 2022-03-25 | 北京安盟信息技术股份有限公司 | PCIE password card virtualization configuration management method |
CN114238938B (en) * | 2021-12-15 | 2022-10-21 | 北京安盟信息技术股份有限公司 | PCIE password card virtualization configuration management method |
CN114338124A (en) * | 2021-12-23 | 2022-04-12 | 成都卫士通信息产业股份有限公司 | Management method and system of cloud password computing service, electronic device and storage medium |
CN114338124B (en) * | 2021-12-23 | 2024-04-12 | 成都卫士通信息产业股份有限公司 | Management method and system of cloud password computing service, electronic equipment and storage medium |
Similar Documents
Publication | Title |
---|---|
US11115418B2 (en) | Registration and authorization method device and system |
TWI715537B (en) | Encryption machine key injection system, method and device based on cloud environment |
US8997192B2 (en) | System and method for securely provisioning and generating one-time-passwords in a remote device |
CN106357700A (en) | Cipher equipment virtualization method in cloud environment |
KR101608510B1 (en) | System and method for key management for issuer security domain using global platform specifications |
US8789195B2 (en) | Method and system for access control and data protection in digital memories, related digital memory and computer program product therefor |
CN105099711B (en) | A kind of small cipher machine and data ciphering method based on ZYNQ |
WO2020192406A1 (en) | Method and apparatus for data storage and verification |
CN105528239B (en) | The key management method of virtual credible platform module based on credible root server |
CN110572258B (en) | Cloud password computing platform and computing service method |
CN104090853A (en) | Solid-state disc encryption method and system |
CN104184743A (en) | Three-layer authentication system and method oriented to cloud computing platform |
CN112560058B (en) | SSD partition encryption storage system based on intelligent password key and implementation method thereof |
CN103888429B (en) | Virtual machine starts method, relevant device and system |
CN104021335B (en) | Password service method based on extensible password service framework |
CN104123506A (en) | Data access method and device and data encryption storage and access method and device |
WO2015117523A1 (en) | Access control method and device |
CN105262590A (en) | Method and system for safely insulating keys in virtual environment |
CN109460639A (en) | A kind of license authentication control method, device, terminal and storage medium |
KR20090052321A (en) | Content control system and method using versatile control structure |
CN107911221B (en) | Key management method for secure storage of solid-state disk data |
CN103516524A (en) | Security authentication method and system |
CN106411941B (en) | Safety certification resource allocation and management method under a kind of cloud environment |
US20190044721A1 (en) | Device authorization using symmetric key systems and methods |
KR20090026357A (en) | Content control system and method using certificate chains |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | C06 | Publication | |
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | RJ01 | Rejection of invention patent application after publication | |
Application publication date: 20170125