CN108737078A - A kind of data cryptogram operation method and data cryptogram server - Google Patents

A data cryptographic operation method and data cryptographic server

Info

Publication number: CN108737078A
Authority: CN (China)
Prior art keywords: crypto, module, key, vpn, sent
Legal status: Pending
Application number: CN201710243331.1A
Other languages: Chinese (zh)
Inventors: 万能, 赵民正, 刘斐斓
Current assignee: Suzhou Lingxi Internet Of Things Technology Co Ltd
Original assignee: Suzhou Lingxi Internet Of Things Technology Co Ltd
Events: application filed by Suzhou Lingxi Internet Of Things Technology Co Ltd; priority to CN201710243331.1A; publication of CN108737078A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/0877 Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a data cryptographic operation method and a data cryptographic server. The data cryptographic server includes a data service module, a cryptographic operation module and a VPN module. The data service module receives and responds to cryptographic operation requests sent by users via the VPN module, forwards each request to the cryptographic operation module, and sends the cryptographic operation result received from the cryptographic operation module back to the VPN module. The cryptographic operation module independently completes the cryptographic operation according to the request, obtains the result and sends it to the cryptographic service module. The VPN module returns the result to the user. The cryptographic operation module and VPN module of the present invention are implemented on dedicated hardware and occupy no host computing resources; dual WNG-series physical noise source chips are used to guarantee the strength of the generated random numbers; and a three-layer key protection structure guarantees the security of user keys and application systems, achieving safe and reliable key storage.

Description

A data cryptographic operation method and data cryptographic server
Technical field
The present invention relates to the technical field of network security, and in particular to a data cryptographic operation method and data cryptographic server.
Background technology
In recent years, with the rapid development of network and computer technology, the network has become an important means for people to obtain and transmit information, and the convenience and efficiency of the Internet have driven the vigorous development of e-commerce, e-government and online office work. However, because of the openness of the Internet, hacking techniques and illegal intrusions are increasingly rampant, so that Internet users face many security threats such as eavesdropping, data tampering and impersonation of legitimate users. Effective encryption of data has therefore become a top priority, and network security technology has received wide attention and application across industries. Existing data encryption systems, however, have problems such as a low degree of data security assurance, slow encryption speed, low random number strength, inability to guarantee the secure storage of keys and application systems, and poor universality and scalability, and cannot provide users with signature/verification and encryption/decryption services safely and efficiently.
Summary of the invention
In view of the deficiencies of the prior art, in order to improve encryption strength and cryptographic computation speed, guarantee the secure storage of user keys, and provide a safer, more efficient and more scalable cryptographic operation service, the present invention provides a data cryptographic operation method and data cryptographic server.
To solve the above problems, the invention discloses a data cryptographic operation method, including:
receiving and responding, from a VPN module, to a cryptographic operation request sent by a user, and sending the cryptographic operation request to a cryptographic operation module;
the cryptographic operation module independently completing the cryptographic operation according to the request, obtaining a cryptographic operation result, and sending the result to a cryptographic service module;
the cryptographic service module sending the cryptographic operation result to the VPN module, which returns the result to the user.
Further, an encryption card performs the cryptographic operation, and the encryption card generates random numbers using dual WNG-series physical noise source chips.
Further, the cryptographic operation module uses a three-layer key protection structure to guarantee the security of user keys and application systems.
Further, the method also includes: backing up keys, and protecting the key backup file with a master key.
Further, the method also includes: the VPN module is a VPN switch or VPN router that uses transparent security protection, integrates security protocols and has a hardware firewall.
The invention also discloses a data cryptographic server, including a data service module, a cryptographic operation module and a VPN module;
the data service module is used for receiving and responding, from the VPN module, to a cryptographic operation request sent by a user, sending the request to the cryptographic operation module, and sending the cryptographic operation result received from the cryptographic operation module to the VPN module;
the cryptographic operation module is used for independently completing the cryptographic operation according to the request, obtaining the cryptographic operation result, and sending the result to the cryptographic service module;
the VPN module is used for returning the cryptographic operation result to the user.
Further, the cryptographic operation module is an encryption card, and the encryption card generates random numbers using dual WNG-series physical noise source chips.
Further, the cryptographic operation module also includes a key generation and management module, which uses a three-layer key protection structure to guarantee the security of user keys and application systems.
Further, the cryptographic operation module also includes a key backup and recovery module, which backs up keys and protects the key backup file with a master key.
Further, the VPN module is a VPN switch or VPN router that uses transparent security protection, integrates security protocols and has a hardware firewall.
Compared with the prior art, the beneficial effects of the invention are as follows. The present invention uses a cryptographic operation module and a VPN module based on dedicated hardware, occupies no host computing resources, and can provide high-speed, multi-task, parallel cryptographic operations suited to all kinds of cryptographic security application systems, fully meeting the signature/verification and encryption/decryption requirements of application system data and guaranteeing the confidentiality, integrity and efficiency of transmitted information. At the same time, the present invention provides a secure and complete key management mechanism: dual WNG-series physical noise source chips guarantee the strength of the generated random numbers; the three-layer key protection structure "system protection key; in-card RSA/ECC key pair/KEK; session key" guarantees the security of user keys and application systems; and protecting the key backup file with a master key guarantees that critical keys never appear in plaintext outside the device under any circumstances, achieving safe and reliable key storage. In addition, the present invention can provide API interfaces that conform to specifications, together with a larger number of transmission interfaces and expansion slots of different types, greatly strengthening the universality and scalability of the data cryptographic server, so that it can meet the requirements of most application systems and be widely used in fields such as securities, commerce and trade, and post and telecommunications.
Description of the drawings
Fig. 1 is a flow chart of a data cryptographic operation method according to one embodiment of the invention.
Fig. 2 is a block diagram of a data cryptographic server according to one embodiment of the invention.
Fig. 3 is a block diagram of the cryptographic operation module in a data cryptographic server according to one embodiment of the invention.
Detailed description of embodiments
In order to enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The terms "first", "second", "third", "fourth" and the like (if any) in the description, claims and drawings are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that data used in this way may be interchanged where appropriate, so that the embodiments of the present invention described here can be implemented in an order other than that illustrated or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units not expressly listed or inherent to the process, method, product or device.
These are described in detail separately below. Referring first to Fig. 1, which is a flow chart of a data cryptographic operation method provided by one embodiment of the present invention, the method may include the following steps:
receiving and responding, from a VPN module, to a cryptographic operation request sent by a user, and sending the cryptographic operation request to a cryptographic operation module;
the cryptographic operation module independently completing the cryptographic operation according to the request, obtaining a cryptographic operation result, and sending the result to a cryptographic service module;
the cryptographic service module sending the cryptographic operation result to the VPN module, which returns the result to the user.
In some possible embodiments of the present invention, the cryptographic operation includes one or more of a data encryption operation, a data decryption operation, a data signature operation and a data verification operation; these cryptographic operations are completed by dedicated hardware and occupy no host computing resources.
In some possible embodiments of the present invention, the data service module provides a unified cryptographic service interface according to a unified cryptographic service protocol, is responsible for acquiring various data, and manages and configures the cryptographic operation module and the VPN module. The data service module can provide a GUI management page through which an administrator performs operations such as device management, certificate management and user rights management; an administrator logging into the system must first pass verification with the device key before being able to perform the corresponding operations. The data service module is also responsible for parsing and syntactically analysing the received cryptographic operation requests, sends only legitimate requests on to the cryptographic operation module, collates the operation results returned by the cryptographic operation module, and finally returns them to the user via the VPN module. In other possible embodiments of the present invention, the data service module can include function modules for data preprocessing such as data acquisition, collation and cleaning, together with a system configuration management and control interactive software platform, and can provide log management, status monitoring and policy configuration functions. In other possible embodiments, a server-grade computer is used as the data service module; single-processor, dual-processor or multi-processor configurations can cooperate to complete the various functions, multi-disk expansion and disk array construction are supported, and multiple PCI-E function card expansion slots are also supported, so as to extend functionality, effectively improve the reliability of system operation and extend the mean time between failures of the whole system. In other possible embodiments of the present invention, the data service module is equipped with multiple high-speed SATA interfaces, multiple IDE interfaces and one or more M.2 interfaces, so that the data cryptographic server can be extended to larger storage capacity and additional OS storage. In other possible embodiments, the data service module is equipped with multiple PCI expansion slots and PCI Express 3.0 expansion slots; for example, 2 PCI Express 3.0 ×16 slots or 5 PCI Express 3.0 ×8 slots can be provided.
In some possible embodiments of the present invention, the cryptographic operation module independently completes the cryptographic operation and obtains the cryptographic operation result. The cryptographic operation module is an encryption card with dual WNG-series physical noise source chips; the encryption card uses these chips to generate random numbers, and the generated random numbers meet the national random number quality monitoring standard, guaranteeing random number strength. The cryptographic operation module also includes an algorithm-specific chip, which is connected to an FPGA module and embeds the corresponding encryption algorithms. In other possible embodiments of the present invention, the cryptographic operation module can provide a complete key management system that implements public/private key generation, injection, export, forwarding, verification and backup functions, as well as information source integrity and correctness verification, guaranteeing the security of user keys and application systems.
In some possible embodiments of the present invention, the cryptographic operation module further comprises a data encryption/decryption module, a digital signature/verification module, a message authentication code generation/verification module, a digital envelope module, a key generation and management module, a key backup and recovery module and a key destruction module. The data encryption/decryption module supports data encryption/decryption operations in the ECB and CBC modes of domestic standard algorithms such as SM1, SM4 and SSF33 and international standard algorithms such as 3DES and AES. The digital signature/verification module responds to users' signature requests and can, as the user requires, digitally sign or verify request data using internally stored RSA/ECC key pairs or externally imported RSA/ECC private keys. The message authentication code generation/verification module generates and verifies MACs. The digital envelope module distributes a symmetric key as the result of encrypting it asymmetrically, so as to achieve information integrity verification. The key generation and management module can use the random numbers generated by the dual WNG-series physical noise source chips, together with a dedicated RSA algorithm chip and a dedicated ECC algorithm chip, to generate 1024/2048-bit RSA key pairs and 256-bit ECC key pairs respectively. The key generation and management module uses the three-layer key protection structure "system protection key; in-card RSA/ECC key pair/KEK; session key" to guarantee the security of user keys and application systems. The system protection keys can be divided by job category into device keys, key-protection keys, working keys and backup keys: the device key is used to authenticate and identify the user's identity and permissions when activating the system and during system initialisation, the key-protection key is used to protect encryption keys, and the working key provides security protection when business data is transmitted. The key backup and recovery module provides backup and recovery functions for the various keys in the data cryptographic server and can protect the key backup file with a master key, guaranteeing that critical keys never appear in plaintext outside the device under any circumstances and achieving safe and reliable key storage. The key destruction module provides the user with a key destruction function; the user may choose to destroy the corresponding key by software destruction or by hardware destruction.
In some possible embodiments of the present invention, the VPN module of the invention is implemented with dedicated hardware and can use VPN (Virtual Private Network) technology to build a virtual private network without occupying host computing resources. Further, the VPN module is a gigabit VPN switch or gigabit VPN router. The VPN switch or VPN router uses transparent security protection: the WAN external interface connects to external data, and data terminal devices connect independently to the switch via the encryption device's dedicated terminal line. In other possible embodiments of the present invention, the VPN module can be a VPN switch/VPN router that integrates security protocols such as IPSec and SSL, has a hardware firewall and supports thousands of IPSec tunnels. In other possible embodiments of the present invention, the VPN module can use security policy configurations such as hardware firewall configuration, internal/external network configuration, routing policy, attack defence, user and authentication, security policy and content security, VLAN, NQA and VPN tunnel protocols, as well as bandwidth management and monitoring system diagnostics. In other possible embodiments of the present invention, the VPN module is a built-in VPN switch/VPN router that can provide 1 gigabit WAN port and multiple gigabit LAN ports, uses the pre-shared key IPSec authentication mode, and supports dual ARP protection and internal/external network attack protection functions to guarantee the security of the internal and external networks.
Referring to Fig. 2, the embodiment of the present invention also provides a data cryptographic server 20 comprising a data service module 21, a cryptographic operation module 22 and a VPN module 23.
The data service module 21 is used for receiving and responding, from the VPN module 23, to a cryptographic operation request sent by a user, sending the cryptographic operation request to the cryptographic operation module 22, and sending the cryptographic operation result received from the cryptographic operation module 22 to the VPN module 23;
the cryptographic operation module 22 is used for independently completing the cryptographic operation according to the request, obtaining the cryptographic operation result, and sending the result to the cryptographic service module 21;
the VPN module 23 is used for returning the cryptographic operation result to the user.
In some possible embodiments of the present invention, the cryptographic operation includes one or more of a data encryption operation, a data decryption operation, a data signature operation and a data verification operation; these cryptographic operations are completed by dedicated hardware and occupy no host computing resources.
In some possible embodiments of the present invention, the data service module 21 can provide a unified cryptographic service interface according to a unified cryptographic service protocol, is responsible for acquiring various data, and manages and configures the cryptographic operation module 22 and the VPN module 23. The data service module 21 can provide a GUI management page through which an administrator performs operations such as device management, certificate management and user rights management; an administrator logging into the system must first pass verification with the device key before being able to perform the corresponding operations. The data service module 21 is also responsible for parsing and syntactically analysing the received cryptographic operation requests, sends only legitimate requests on to the cryptographic operation module 22, collates the operation results returned by the cryptographic operation module 22, and finally returns them to the user via the VPN module 23. In other possible embodiments of the present invention, the data service module 21 can include function modules for data preprocessing such as data acquisition, collation and cleaning, together with a system configuration management and control interactive software platform, and can provide log management, status monitoring and policy configuration functions. In other possible embodiments, a server-grade computer is used as the data service module 21; single-processor, dual-processor or multi-processor configurations can cooperate to complete the various functions, multi-disk expansion and disk array construction are supported, and multiple PCI-E function card expansion slots are also supported, so as to extend functionality, effectively improve the reliability of system operation and extend the mean time between failures of the whole system.
In other possible embodiments of the present invention, the data service module 21 is equipped with multiple high-speed SATA interfaces, multiple IDE interfaces and one or more M.2 interfaces, so that the data cryptographic server can be extended to larger storage capacity and additional OS storage. In other possible embodiments, the data service module 21 is equipped with multiple PCI expansion slots and PCI Express 3.0 expansion slots; for example, 2 PCI Express 3.0 ×16 slots or 5 PCI Express 3.0 ×8 slots can be provided.
In some possible embodiments of the present invention, the cryptographic operation module 22 is an encryption card with dual WNG-series physical noise source chips; the encryption card uses these chips to generate random numbers, and the generated random numbers meet the national random number quality monitoring standard, guaranteeing random number strength. The cryptographic operation module 22 also includes an algorithm-specific chip, which is connected to an FPGA module and embeds the corresponding encryption algorithms. In other possible embodiments of the present invention, the cryptographic operation module 22 can provide a complete key management system that implements public/private key generation, injection, export, forwarding, verification and backup functions, as well as information source integrity and correctness verification, guaranteeing the security of user keys and application systems.
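The page states only that the noise-source output meets the national random number quality monitoring standard. Added example, not from the patent: a Go health check that a cryptographic operation module could run on each 20,000-bit sample drawn from its noise-source chips before trusting it for key generation. The FIPS 140-2 power-up test limits are an assumed stand-in for the national standard the page cites, and the failing samples are constructed to mimic a stuck and an oscillating source.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/bits"
)

// SampleBits is the sample size of the FIPS 140-2 power-up statistical tests.
const SampleBits = 20000
const SampleBytes = SampleBits / 8

// HealthReport holds each statistic and its pass/fail verdict for one sample.
type HealthReport struct {
	Ones       int     // monobit statistic: number of one bits
	PokerX     float64 // poker statistic over 4-bit cells
	LongestRun int     // longest run of identical consecutive bits
	MonobitOK  bool
	PokerOK    bool
	LongRunOK  bool
}

// Pass reports whether every test passed.
func (r HealthReport) Pass() bool { return r.MonobitOK && r.PokerOK && r.LongRunOK }

// CheckSample runs the monobit, poker and long-run tests over exactly 20,000 bits with the
// FIPS 140-2 limits: 9725 < ones < 10275, 2.16 < X < 46.17, and no run of 26 bits or more.
func CheckSample(sample []byte) (HealthReport, error) {
	var r HealthReport
	if len(sample) != SampleBytes {
		return r, fmt.Errorf("need %d bytes, got %d", SampleBytes, len(sample))
	}
	// Monobit: a stuck or heavily biased source shows up as a ones count far from 10,000.
	for _, b := range sample {
		r.Ones += bits.OnesCount8(b)
	}
	r.MonobitOK = r.Ones > 9725 && r.Ones < 10275
	// Poker: frequencies f[i] of the 16 nibble values over k = 5000 cells;
	// X = (16/k) * sum(f[i]^2) - k catches a balanced but repetitive source.
	var f [16]int
	for _, b := range sample {
		f[b>>4]++
		f[b&0x0f]++
	}
	k := float64(SampleBits / 4)
	sum := 0.0
	for _, n := range f {
		sum += float64(n) * float64(n)
	}
	r.PokerX = 16.0*sum/k - k
	r.PokerOK = r.PokerX > 2.16 && r.PokerX < 46.17
	// Long run: the longest stretch of identical bits, scanning MSB first within each byte.
	prev, run := -1, 0
	for _, b := range sample {
		for i := 7; i >= 0; i-- {
			bit := int(b>>uint(i)) & 1
			if bit == prev {
				run++
			} else {
				prev, run = bit, 1
			}
			if run > r.LongestRun {
				r.LongestRun = run
			}
		}
	}
	r.LongRunOK = r.LongestRun < 26
	return r, nil
}

func main() {
	// Constructed samples: a source stuck at zero, a source stuck oscillating, and crypto/rand.
	stuck := make([]byte, SampleBytes)
	osc := make([]byte, SampleBytes)
	for i := range osc {
		osc[i] = 0x55
	}
	live := make([]byte, SampleBytes)
	if _, err := rand.Read(live); err != nil {
		panic(err)
	}
	for _, s := range []struct {
		name string
		data []byte
	}{{"stuck-at-0", stuck}, {"oscillating", osc}, {"crypto/rand", live}} {
		r, _ := CheckSample(s.data)
		fmt.Printf("%-12s ones=%5d pokerX=%9.2f longest=%5d pass=%v\n",
			s.name, r.Ones, r.PokerX, r.LongestRun, r.Pass())
	}
}
```

The oscillating sample is exactly balanced and so passes monobit; only the poker test exposes it, which is why a single statistic is not an adequate health check.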
In some possible embodiments of the present invention, the cryptographic operation module 22 further comprises a data encryption/decryption module 31, a digital signature/verification module 32, a message authentication code generation/verification module 33, a digital envelope module 34, a key generation and management module 35, a key backup and recovery module 36 and a key destruction module 37. The data encryption/decryption module 31 supports data encryption/decryption operations in the ECB and CBC modes of domestic standard algorithms such as SM1, SM4 and SSF33 and international standard algorithms such as 3DES and AES. The digital signature/verification module 32 responds to users' signature requests and can, as the user requires, digitally sign or verify request data using internally stored RSA/ECC key pairs or externally imported RSA/ECC private keys. The message authentication code generation/verification module 33 generates and verifies MACs. The digital envelope module 34 distributes a symmetric key as the result of encrypting it asymmetrically, so as to achieve information integrity verification. The key generation and management module 35 can use the random numbers generated by the dual WNG-series physical noise source chips, together with a dedicated RSA algorithm chip and a dedicated ECC algorithm chip, to generate 1024/2048-bit RSA key pairs and 256-bit ECC key pairs respectively. The key generation and management module 35 uses the three-layer key protection structure "system protection key; in-card RSA/ECC key pair/KEK; session key" to guarantee the security of user keys and application systems. The system protection keys can be divided by job category into device keys, key-protection keys, working keys and backup keys: the device key is used to authenticate and identify the user's identity and permissions when activating the system and during system initialisation, the key-protection key is used to protect encryption keys, and the working key provides security protection when business data is transmitted. The key backup and recovery module 36 provides backup and recovery functions for the various keys in the data cryptographic server and can protect the key backup file with a master key, guaranteeing that critical keys never appear in plaintext outside the device under any circumstances and achieving safe and reliable key storage. The key destruction module 37 provides the user with a key destruction function; the user may choose to destroy the corresponding key by software destruction or by hardware destruction.
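The three-layer key protection structure and the master-key-protected backup described above, as an added Go model that is not the patent's implementation: layer 1 is the system protection key that never leaves the card, layer 2 is the in-card KEK stored only wrapped under layer 1, layer 3 session keys leave the card only as KEK-wrapped handles, and the backup file holds the KEK wrapped under the administrator's master key. AES-256-GCM as the wrapping primitive, the purpose labels and the Card API are assumptions of the model; the in-card RSA/ECC key pairs are not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustRandom draws n bytes from the OS CSPRNG (a real card would use its noise-source chips).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // random-number failure is fatal, as it should be in a cryptographic device
	}
	return b
}

// aead builds AES-256-GCM; every key in this model is 32 bytes, so a bad length is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// wrap seals plaintext under key with a fresh 96-bit nonce prepended. The label is bound as
// GCM additional data, so a blob built for one layer cannot be presented as another.
func wrap(key, plaintext []byte, label string) []byte {
	nonce := mustRandom(12)
	return aead(key).Seal(nonce, nonce, plaintext, []byte(label))
}

// unwrap opens a blob made by wrap; a wrong key, a wrong label or any tampering fails.
func unwrap(key, blob []byte, label string) ([]byte, error) {
	if len(blob) < 12 {
		return nil, fmt.Errorf("blob too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], []byte(label))
}

// Card models the encryption card: the system protection key (layer 1) never leaves the
// card, and the in-card KEK (layer 2) is stored only wrapped under it.
type Card struct {
	systemKey []byte
	kekAtRest []byte
}

func cardFromKEK(kek []byte) *Card {
	sk := mustRandom(32)
	return &Card{systemKey: sk, kekAtRest: wrap(sk, kek, "layer2:kek-at-rest")}
}

// NewCard initialises a card with a fresh system key and a fresh KEK.
func NewCard() *Card { return cardFromKEK(mustRandom(32)) }

// kek unwraps the KEK inside the card; failure means the card's own storage is corrupt.
func (c *Card) kek() []byte {
	kek, err := unwrap(c.systemKey, c.kekAtRest, "layer2:kek-at-rest")
	if err != nil {
		panic("card storage corrupt: " + err.Error())
	}
	return kek
}

// NewSessionKey creates a session key (layer 3) and returns only its KEK-wrapped handle.
func (c *Card) NewSessionKey() []byte { return wrap(c.kek(), mustRandom(32), "layer3:session-key") }

// Encrypt and Decrypt unwrap the session key inside the card; callers never see it.
func (c *Card) Encrypt(handle, data []byte) ([]byte, error) {
	sess, err := unwrap(c.kek(), handle, "layer3:session-key")
	if err != nil {
		return nil, fmt.Errorf("bad session-key handle: %w", err)
	}
	return wrap(sess, data, "user-data"), nil
}
func (c *Card) Decrypt(handle, ct []byte) ([]byte, error) {
	sess, err := unwrap(c.kek(), handle, "layer3:session-key")
	if err != nil {
		return nil, fmt.Errorf("bad session-key handle: %w", err)
	}
	return unwrap(sess, ct, "user-data")
}

// Backup exports the KEK wrapped under the administrator's 32-byte master key, the only
// form in which it ever leaves the device; Restore rebuilds a replacement card from it.
func (c *Card) Backup(masterKey []byte) []byte { return wrap(masterKey, c.kek(), "backup:kek-under-master-key") }
func Restore(masterKey, backup []byte) (*Card, error) {
	kek, err := unwrap(masterKey, backup, "backup:kek-under-master-key")
	if err != nil {
		return nil, fmt.Errorf("backup rejected: %w", err)
	}
	return cardFromKEK(kek), nil
}

// LeaksKEK reports whether blob contains the raw KEK bytes; it must always be false.
func (c *Card) LeaksKEK(blob []byte) bool { return bytes.Contains(blob, c.kek()) }
```

A restored card receives a fresh layer-1 key, yet existing session-key handles keep working because they were wrapped under the recovered KEK, which is exactly what a backup of the page's middle layer has to guarantee.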
In some possible embodiments of the present invention, the VPN module 23 of the invention is implemented with dedicated hardware and can use VPN (Virtual Private Network) technology to build a virtual private network without occupying host computing resources. Further, the VPN module 23 is a gigabit VPN switch or gigabit VPN router. The VPN switch or VPN router uses transparent security protection: the WAN external interface connects to external data, and data terminal devices connect independently to the switch via the encryption device's dedicated terminal line. In other possible embodiments of the present invention, the VPN module 23 can be a VPN switch/VPN router that integrates security protocols such as IPSec and SSL, has a hardware firewall and supports thousands of IPSec tunnels. In other possible embodiments of the present invention, the VPN module 23 can use security policy configurations such as hardware firewall configuration, internal/external network configuration, routing policy, attack defence, user and authentication, security policy and content security, VLAN, NQA and VPN tunnel protocols, as well as bandwidth management and monitoring system diagnostics. In other possible embodiments of the present invention, the VPN module 23 is a built-in VPN switch/VPN router that can provide 1 gigabit WAN port and multiple gigabit LAN ports, uses the pre-shared key IPSec authentication mode, and supports dual ARP protection and internal/external network attack protection functions to guarantee the security of the internal and external networks.
In some possible embodiments of the present invention, the data cryptographic server of the present invention provides industry-standard interfaces that conform to the Java Cryptography Extension and the Cryptographic Device Application Interface Specification, so as to provide the API of a security subsystem with good universality that can be smoothly integrated into various system platforms.
If the data cryptographic operation method and system are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, server, network device or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk or optical disk.
The above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the invention has been explained in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A data cryptogram operation method, characterized in that it comprises the following steps:
a crypto-operation request sent by a user is received and responded to from the VPN module, and the crypto-operation request is sent to the crypto-operation module;
the crypto-operation module independently completes the crypto-operation according to the crypto-operation request, obtains a crypto-operation result, and sends the crypto-operation result to the cryptographic service module;
the cryptographic service module sends the crypto-operation result to the VPN module, and the crypto-operation result is returned to the user.
2. The method according to claim 1, characterized in that: an encryption card is used to perform the crypto-operation, and the encryption card generates random numbers using dual WNG-series physical noise source cores.
3. The method according to claim 1, characterized in that: the crypto-operation module uses a three-level key protection structure to ensure the security of user keys and application systems.
4. The method according to any one of claims 1 to 3, characterized in that the method further comprises: backing up keys, and protecting the key backup file with a master key.
5. The method according to any one of claims 1 to 3, characterized in that the method further comprises: the VPN module is a VPN switch or a VPN router, and the VPN switch or VPN router uses transparent security protection, integrates security protocols and has a hardware firewall.
6. A data cryptogram server, comprising a data service module, a crypto-operation module and a VPN module, characterized in that:
the data service module is used for receiving and responding to the crypto-operation request sent by the user from the VPN module, sending the crypto-operation request to the crypto-operation module, and sending the crypto-operation result received from the crypto-operation module to the VPN module;
the crypto-operation module is used for independently completing the crypto-operation according to the crypto-operation request, obtaining the crypto-operation result, and sending the crypto-operation result to the cryptographic service module;
the VPN module is used for returning the crypto-operation result to the user.
7. The server according to claim 6, characterized in that: the crypto-operation module is an encryption card, and the encryption card generates random numbers using dual WNG-series physical noise source cores.
8. The server according to claim 6, characterized in that: the crypto-operation module further comprises a key generation and management module, and the key generation and management module uses a three-level key protection structure to ensure the security of user keys and application systems.
9. The server according to any one of claims 6 to 8, characterized in that: the crypto-operation module further comprises a key backup and recovery module, and the key backup and recovery module is used for backing up keys and protecting the key backup file with a master key.
10. The server according to any one of claims 6 to 8, characterized in that: the VPN module is a VPN switch or a VPN router, and the VPN switch or VPN router uses transparent security protection, integrates security protocols and has a hardware firewall.
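Claims 3 and 4 (and 8 and 9) call for a three-level key protection structure and a key backup file protected by the master key, without specifying their internals. The following is an added example, not code from the patent or its applicant, of one way such a hierarchy and backup can be arranged: the assignment of levels (master key, per-application key-encryption keys, user keys), the position labels, and the HMAC-SHA256-based wrap construction are assumptions of the example; a product would use a standard AEAD or key-wrap algorithm in place of the illustrative wrap.

```python
import hashlib, hmac, json, os

def _stream(key: bytes, label: bytes, n: int) -> bytes:
    # Keystream from HMAC-SHA256 in counter mode (illustrative; a product would use a standard AEAD/key wrap)
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def wrap(kek: bytes, key: bytes, label: bytes) -> bytes:
    # Encrypt-then-MAC; the label binds the wrapped key to its position in the hierarchy
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _stream(kek, b"enc" + label + nonce, len(key))))
    tag = hmac.new(kek, b"mac" + label + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek: bytes, blob: bytes, label: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, b"mac" + label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped key failed integrity check (wrong key, wrong label or tampered blob)")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, b"enc" + label + nonce, len(ct))))

class ThreeLevelKeyStore:
    """Level 1: master key, held only inside the crypto module. Level 2: per-application KEKs wrapped
    by the master key. Level 3: user keys wrapped by their application's KEK. Only wrapped hex is stored."""
    def __init__(self, master_key: bytes):
        self._master = master_key
        self.app_keks = {}    # app id -> wrapped KEK (hex)
        self.user_keys = {}   # "app/user" -> wrapped user key (hex)
    def create_app(self, app: str) -> None:
        self.app_keks[app] = wrap(self._master, os.urandom(32), app.encode()).hex()
    def _kek(self, app: str) -> bytes:
        return unwrap(self._master, bytes.fromhex(self.app_keks[app]), app.encode())
    def create_user_key(self, app: str, user: str) -> bytes:
        key = os.urandom(32)
        self.user_keys[f"{app}/{user}"] = wrap(self._kek(app), key, f"{app}/{user}".encode()).hex()
        return key
    def get_user_key(self, app: str, user: str) -> bytes:
        return unwrap(self._kek(app), bytes.fromhex(self.user_keys[f"{app}/{user}"]), f"{app}/{user}".encode())
    def export_backup(self) -> bytes:
        # Backup file = the wrapped hierarchy, protected once more under the master key (claims 4 and 9)
        payload = json.dumps({"apps": self.app_keks, "users": self.user_keys}).encode()
        return wrap(self._master, payload, b"backup")
    @classmethod
    def restore(cls, master_key: bytes, backup: bytes) -> "ThreeLevelKeyStore":
        data = json.loads(unwrap(master_key, backup, b"backup"))  # rejects a wrong master key or tampering
        store = cls(master_key)
        store.app_keks, store.user_keys = data["apps"], data["users"]
        return store
```

A backup file exported this way is useless without the master key, and a lower-level key can only be unwrapped by the key directly above it under the label it was wrapped with.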
CN201710243331.1A 2017-04-14 2017-04-14 A kind of data cryptogram operation method and data cryptogram server Pending CN108737078A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710243331.1A CN108737078A (en) 2017-04-14 2017-04-14 A kind of data cryptogram operation method and data cryptogram server


Publications (1)

Publication Number Publication Date
CN108737078A true CN108737078A (en) 2018-11-02

Family

ID=63923844


Country Status (1)

Country Link
CN (1) CN108737078A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20181102)