CN108737078A - A kind of data cryptogram operation method and data cryptogram server
Publication number: CN108737078A (application number CN201710243331.1A)
Authority: CN (China)
Prior art keywords: crypto, module, key, vpn, sent
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a data cryptographic operation method and a data cryptographic server. The data cryptographic server comprises a data service module, a cryptographic operation module and a VPN module. The data service module receives and responds to a cryptographic operation request sent by a user via the VPN module, sends the request to the cryptographic operation module, and sends the cryptographic operation result received from the cryptographic operation module to the VPN module. The cryptographic operation module independently completes the cryptographic operation according to the request, obtains the result, and sends it to the cryptographic service module. The VPN module returns the cryptographic operation result to the user. The cryptographic operation module and the VPN module of the invention are implemented on dedicated hardware and occupy no host computing resources; dual WNG-series physical noise source chips guarantee the strength of the generated random numbers; and a three-layer key protection structure guarantees the security of user keys and application systems and achieves safe and reliable storage of keys.
Description
Technical field
The present invention relates to the technical field of network security, and in particular to a data cryptographic operation method and a data cryptographic server.
Background art
In recent years, with the rapid development of network and computer technology, networks have become an important means by which people obtain and transmit information, and the convenience and efficiency of the Internet have made e-commerce, e-government and online office work flourish. But because the Internet is open, hacking and illegal intrusion are increasingly rampant, so Internet users face many security threats such as eavesdropping, tampering with data and impersonating legitimate users. Effective encryption of data has therefore become a top priority, and network security technology has received wide attention and application in every industry. Existing data encryption systems, however, suffer from a low degree of data security assurance, slow encryption speed, weak random numbers, an inability to guarantee the secure storage of keys and application systems, and poor generality and scalability, so they cannot provide signature/verification and encryption/decryption services to users safely and efficiently.
Summary of the invention
In view of the deficiencies of the prior art, and in order to improve encryption strength and cryptographic operation speed, guarantee the secure storage of user keys, and provide a safer, more efficient and more scalable cryptographic operation service, the present invention provides a data cryptographic operation method and a data cryptographic server.
To solve the above problems, the invention discloses a data cryptographic operation method, comprising:
receiving and responding to a cryptographic operation request sent by a user via a VPN module, and sending the cryptographic operation request to a cryptographic operation module;
the cryptographic operation module independently completing the cryptographic operation according to the request, obtaining a cryptographic operation result, and sending the result to a cryptographic service module;
the cryptographic service module sending the cryptographic operation result to the VPN module, and the VPN module returning the result to the user.
Further, the cryptographic operation is performed by an encryption card, and the encryption card generates random numbers using dual WNG-series physical noise source chips.
Further, the cryptographic operation module uses a three-layer key protection structure to guarantee the security of user keys and application systems.
Further, the method also includes backing up keys and protecting the key backup file with a master key.
Further, the method also includes: the VPN module is a VPN switch or a VPN router, and the VPN switch or VPN router uses transparent security protection, integrates security protocols and has a hardware firewall.
The invention also discloses a data cryptographic server, comprising a data service module, a cryptographic operation module and a VPN module;
the data service module is for receiving and responding to a cryptographic operation request sent by a user via the VPN module, sending the request to the cryptographic operation module, and sending the cryptographic operation result received from the cryptographic operation module to the VPN module;
the cryptographic operation module is for independently completing the cryptographic operation according to the request, obtaining the cryptographic operation result, and sending the result to the cryptographic service module;
the VPN module is for returning the cryptographic operation result to the user.
Further, the cryptographic operation module is an encryption card, and the encryption card generates random numbers using dual WNG-series physical noise source chips.
Further, the cryptographic operation module also includes a key generation and management module, and the key generation and management module uses a three-layer key protection structure to guarantee the security of user keys and application systems.
Further, the cryptographic operation module also includes a key backup and recovery module, which backs up keys and protects the key backup file with a master key.
Further, the VPN module is a VPN switch or a VPN router, and the VPN switch or VPN router uses transparent security protection, integrates security protocols and has a hardware firewall.
Compared with the prior art, the beneficial effects of the invention are as follows. The invention uses a cryptographic operation module and a VPN module based on dedicated hardware, which occupy no host computing resources and can perform high-speed, multi-task cryptographic operations for all kinds of cryptographic security application systems; it fully meets the signature/verification and encryption/decryption requirements of application system data and guarantees the confidentiality, integrity and efficiency of transmitted information. At the same time, the invention provides a secure and complete key management mechanism: the dual WNG-series physical noise source chips guarantee the strength of the generated random numbers; the three-layer key protection structure "system protection key / in-card RSA/ECC key pair / KEK / session key" guarantees the security of user keys and application systems; and protecting the key backup file with a master key ensures that critical keys never appear outside the device in plaintext under any circumstances, so that keys are stored safely and reliably. In addition, the invention provides API interfaces that conform to the relevant specifications, as well as a larger number of transmission interfaces and expansion slots of different types, which greatly enhances the generality and scalability of the data cryptographic server; it can meet the requirements of most application systems and is widely applicable in fields such as securities, commerce and trade, and post and telecommunications.
Description of the drawings
Fig. 1 is a flow chart of a data cryptographic operation method according to an embodiment of the invention.
Fig. 2 is a block diagram of a data cryptographic server according to an embodiment of the invention.
Fig. 3 is a block diagram of the cryptographic operation module in a data cryptographic server according to an embodiment of the invention.
Detailed description of the embodiments
In order to enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The terms "first", "second", "third", "fourth" and the like (if present) in the description, claims and accompanying drawings are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described here can, for example, be implemented in an order other than the one illustrated or described here. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion: for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
The details are described below. Referring first to Fig. 1, which is a flow chart of a data cryptographic operation method provided by an embodiment of the invention, the method may include the following steps:
receiving and responding to a cryptographic operation request sent by a user via a VPN module, and sending the cryptographic operation request to a cryptographic operation module;
the cryptographic operation module independently completing the cryptographic operation according to the request, obtaining a cryptographic operation result, and sending the result to a cryptographic service module;
the cryptographic service module sending the cryptographic operation result to the VPN module, and the VPN module returning the result to the user.
In some possible embodiments of the invention, the cryptographic operation includes one or more of data encryption, data decryption, data signing and data verification; these operations are completed by dedicated hardware and occupy no host computing resources.
In some possible embodiments of the invention, the data service module provides a unified cryptographic service interface according to a unified cryptographic service protocol, is responsible for collecting all kinds of data, and manages and configures the cryptographic operation module and the VPN module. The data service module can provide a GUI management page through which an administrator performs device management, certificate management, user permission management and similar operations; an administrator logging into the system must first pass verification with the device key before any operation can be executed. The data service module is also responsible for parsing and syntactically analysing the received cryptographic operation requests, sends only legitimate requests on to the cryptographic operation module, collates the operation results returned by the cryptographic operation module, and finally returns them to the user via the VPN module. In other possible embodiments of the invention, the data service module can provide function modules for data preprocessing such as data collection, arrangement and cleaning, a system configuration management and control interactive software platform, and log management, status monitoring and policy configuration functions. In other possible embodiments, the data service module is configured as a server-class computer that can use a single processor, dual processors or multiple processors cooperating to complete its functions, supports multiple hard-disk expansion and hard-disk array construction, and also supports multiple PCI-E function card expansion slots to extend its functions, which effectively improves the reliability of system operation and extends the mean time between failures of the whole system. In other possible embodiments of the invention, the data service module is equipped with multiple high-speed SATA interfaces, multiple IDE interfaces and one or more M.2 interfaces, so that the data cryptographic server can be extended to a larger storage capacity and additional OS storage. In other possible embodiments, the data service module is equipped with multiple PCI expansion slots and PCI Express 3.0 expansion slots; for example, two PCI Express 3.0 ×16 slots or five PCI Express 3.0 ×8 slots can be provided.
In some possible embodiments of the invention, the cryptographic operation module independently completes the cryptographic operation and obtains the cryptographic operation result. The cryptographic operation module is an encryption card using dual WNG-series physical noise source chips; the card generates random numbers with these chips, and the generated random numbers meet the national random number quality testing standard, which guarantees random number strength. The cryptographic operation module also includes an algorithm-specific chip connected to an FPGA module, in which the corresponding encryption algorithms are embedded. In other possible embodiments of the invention, the cryptographic operation module provides a complete key management system that implements the generation, injection, export, forwarding, verification and backup of public/private keys and verifies the integrity and correctness of the information source, guaranteeing the security of user keys and application systems.
In some possible embodiments of the invention, the cryptographic operation module further comprises a data encryption/decryption module, a digital signature/verification module, a message authentication code (MAC) generation/verification module, a digital envelope module, a key generation and management module, a key backup and recovery module, and a key destruction module. The data encryption/decryption module supports data encryption/decryption in ECB and CBC modes with domestic standard algorithms such as SM1, SM4 and SSF33 and international standard algorithms such as 3DES and AES. The digital signature/verification module responds to users' signature requests and can digitally sign request data, or verify signatures on it, with an internally stored RSA/ECC key pair or an externally imported RSA/ECC private key, as the user requires. The MAC generation/verification module generates and verifies MACs. The digital envelope module distributes a symmetric key as the result of encrypting it with an asymmetric key, thereby achieving information integrity verification. The key generation and management module can use the random numbers produced by the dual WNG-series physical noise source chips and generates 1024/2048-bit RSA key pairs and 256-bit ECC key pairs with a dedicated RSA algorithm chip and a dedicated ECC algorithm chip respectively. The key generation and management module uses the three-layer key protection structure "system protection key / in-card RSA/ECC key pair / KEK / session key" to guarantee the security of user keys and application systems. The system protection keys are divided by function into device keys, key protection keys, working keys and backup keys: device keys authenticate and identify the identity and permissions of users when the system is activated and initialised; key protection keys protect encryption keys; and working keys provide security protection when business data is transmitted. The key backup and recovery module provides backup and recovery for the various keys in the data cryptographic server and can protect the key backup file with a master key, ensuring that critical keys never appear outside the device in plaintext under any circumstances, so that keys are stored safely and reliably. The key destruction module provides users with a key destruction function; the user can choose to destroy the corresponding key by software destruction or by hardware destruction.
In some possible embodiments of the invention, the VPN module is implemented on dedicated hardware, can build a virtual private network using VPN (Virtual Private Network) technology, and occupies no host computing resources. Further, the VPN module is a gigabit VPN switch or a gigabit VPN router. The VPN switch or VPN router uses transparent security protection: the external WAN port connects to external data, and data terminal devices connect to the switch only through a dedicated line from the encryption device. In other possible embodiments of the invention, the VPN module can be a VPN switch/router that integrates security protocols such as IPSec and SSL, has a hardware firewall, and supports thousands of IPSec tunnels. In other possible embodiments of the invention, the VPN module can be configured with a hardware firewall, internal/external network configuration, routing policy, attack defence, users and authentication, security policy and content security, VLAN, NQA, VPN tunnel protocol and other security policy configuration, bandwidth management, and monitoring system diagnosis. In other possible embodiments of the invention, the VPN module is a built-in VPN switch/router that can provide one gigabit WAN port and multiple gigabit LAN ports, uses the pre-shared key IPSec authentication mode, and supports dual ARP protection and internal/external network attack defence functions to guarantee the security of the internal and external networks.
Referring to Fig. 2, an embodiment of the invention also provides a data cryptographic server 20 comprising a data service module 21, a cryptographic operation module 22 and a VPN module 23.
The data service module 21 is for receiving and responding to a cryptographic operation request sent by a user via the VPN module 23, sending the request to the cryptographic operation module 22, and sending the cryptographic operation result received from the cryptographic operation module 22 to the VPN module 23;
the cryptographic operation module 22 is for independently completing the cryptographic operation according to the request, obtaining the cryptographic operation result, and sending the result to the cryptographic service module 21;
the VPN module 23 is for returning the cryptographic operation result to the user.
In some possible embodiments of the invention, the cryptographic operation includes one or more of data encryption, data decryption, data signing and data verification; these operations are completed by dedicated hardware and occupy no host computing resources.
In some possible embodiments of the invention, the data service module 21 can provide a unified cryptographic service interface according to a unified cryptographic service protocol, is responsible for collecting all kinds of data, and manages and configures the cryptographic operation module 22 and the VPN module 23. The data service module 21 can provide a GUI management page through which an administrator performs device management, certificate management, user permission management and similar operations; an administrator logging into the system must first pass verification with the device key before any operation can be executed. The data service module 21 is also responsible for parsing and syntactically analysing the received cryptographic operation requests, sends only legitimate requests on to the cryptographic operation module 22, collates the operation results returned by the cryptographic operation module 22, and finally returns them to the user via the VPN module 23. In other possible embodiments of the invention, the data service module 21 can provide function modules for data preprocessing such as data collection, arrangement and cleaning, a system configuration management and control interactive software platform, and log management, status monitoring and policy configuration functions. In other possible embodiments, the data service module 21 is configured as a server-class computer that can use a single processor, dual processors or multiple processors cooperating to complete its functions, supports multiple hard-disk expansion and hard-disk array construction, and also supports multiple PCI-E function card expansion slots to extend its functions, which effectively improves the reliability of system operation and extends the mean time between failures of the whole system. In other possible embodiments of the invention, the data service module 21 is equipped with multiple high-speed SATA interfaces, multiple IDE interfaces and one or more M.2 interfaces, so that the data cryptographic server can be extended to a larger storage capacity and additional OS storage. In other possible embodiments, the data service module 21 is equipped with multiple PCI expansion slots and PCI Express 3.0 expansion slots; for example, two PCI Express 3.0 ×16 slots or five PCI Express 3.0 ×8 slots can be provided.
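The request gate that the data service module is described as enforcing (parse and syntactically analyse each request, forward only legitimate ones, keep the rest for the administrator's logs) can be made concrete with a small Go program. This is an added example, not code from the patent, which names neither a language nor a wire format: the JSON fields, the key-handle pattern, the per-request size limit and the operation names are assumptions, and the sample requests are constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Request is a hypothetical wire format for a crypto-operation request as the data
// service module might receive it from the VPN module; the field names are assumptions.
type Request struct {
	Op        string `json:"op"`                  // encrypt, decrypt, sign or verify
	KeyID     string `json:"key_id"`              // handle of a key held inside the crypto-operation module
	Data      string `json:"data"`                // base64 payload
	Signature string `json:"signature,omitempty"` // base64, required for verify only
}

const maxPayload = 64 * 1024 // assumed per-request limit on decoded payload bytes

var (
	allowedOps = map[string]bool{"encrypt": true, "decrypt": true, "sign": true, "verify": true}
	keyIDRe    = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`) // assumed key-handle alphabet
)

// ParseRequest performs the parsing and syntactic checks the data service module is
// described as doing before anything is forwarded to the crypto-operation module.
func ParseRequest(line string) (*Request, error) {
	dec := json.NewDecoder(strings.NewReader(line))
	dec.DisallowUnknownFields() // anything not in the schema is a malformed request
	var r Request
	if err := dec.Decode(&r); err != nil {
		return nil, fmt.Errorf("malformed JSON: %w", err)
	}
	if dec.More() {
		return nil, errors.New("trailing data after request")
	}
	if !allowedOps[r.Op] {
		return nil, fmt.Errorf("operation %q is not offered by the service", r.Op)
	}
	if !keyIDRe.MatchString(r.KeyID) {
		return nil, errors.New("key_id is not a valid key handle")
	}
	payload, err := base64.StdEncoding.DecodeString(r.Data)
	if err != nil || len(payload) == 0 {
		return nil, errors.New("data is not non-empty base64")
	}
	if len(payload) > maxPayload {
		return nil, fmt.Errorf("payload of %d bytes exceeds limit", len(payload))
	}
	if (r.Op == "verify") != (r.Signature != "") {
		return nil, errors.New("signature must be present for verify and absent otherwise")
	}
	if r.Signature != "" {
		if _, err := base64.StdEncoding.DecodeString(r.Signature); err != nil {
			return nil, errors.New("signature is not base64")
		}
	}
	return &r, nil
}

// Gate splits a batch of raw request lines into the ones that may be forwarded and
// the rejection reasons for the rest, keyed by line index for the audit log.
func Gate(lines []string) (accepted []*Request, rejected map[int]string) {
	rejected = map[int]string{}
	for i, l := range lines {
		r, err := ParseRequest(l)
		if err != nil {
			rejected[i] = err.Error()
			continue
		}
		accepted = append(accepted, r)
	}
	return accepted, rejected
}

// SampleRequests are constructed inputs: two valid, four that must be dropped.
var SampleRequests = []string{
	`{"op":"sign","key_id":"app1-rsa2048","data":"aGVsbG8="}`,
	`{"op":"verify","key_id":"app1-rsa2048","data":"aGVsbG8=","signature":"AAAA"}`,
	`{"op":"export_key","key_id":"app1-rsa2048","data":"aGVsbG8="}`,
	`{"op":"encrypt","key_id":"../etc/keys","data":"aGVsbG8="}`,
	`{"op":"encrypt","key_id":"app1-sm4","data":"aGVsbG8=","debug":true}`,
	`{"op":"sign","key_id":"app1-rsa2048","data":"not base64!"}`,
}

func main() {
	accepted, rejected := Gate(SampleRequests)
	fmt.Println(len(accepted), "forwarded")
	for i, why := range rejected {
		fmt.Printf("line %d rejected: %s\n", i, why)
	}
}
```

The gate is deliberately a whitelist: an operation the service does not offer, a key handle outside the expected alphabet, an unexpected field or trailing bytes are all rejected before the request can reach the hardware, and each rejection is recorded with its reason rather than silently dropped.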
In some possible embodiments of the invention, the cryptographic operation module 22 is an encryption card using dual WNG-series physical noise source chips; the card generates random numbers with these chips, and the generated random numbers meet the national random number quality testing standard, which guarantees random number strength. The cryptographic operation module 22 also includes an algorithm-specific chip connected to an FPGA module, in which the corresponding encryption algorithms are embedded. In other possible embodiments of the invention, the cryptographic operation module 22 can provide a complete key management system that implements the generation, injection, export, forwarding, verification and backup of public/private keys and verifies the integrity and correctness of the information source, guaranteeing the security of user keys and application systems.
In some possible embodiments of the invention, the cryptographic operation module 22 further comprises a data encryption/decryption module 31, a digital signature/verification module 32, a message authentication code (MAC) generation/verification module 33, a digital envelope module 34, a key generation and management module 35, a key backup and recovery module 36, and a key destruction module 37. The data encryption/decryption module 31 supports data encryption/decryption in ECB and CBC modes with domestic standard algorithms such as SM1, SM4 and SSF33 and international standard algorithms such as 3DES and AES. The digital signature/verification module 32 responds to users' signature requests and can digitally sign request data, or verify signatures on it, with an internally stored RSA/ECC key pair or an externally imported RSA/ECC private key, as the user requires. The MAC generation/verification module 33 generates and verifies MACs. The digital envelope module 34 distributes a symmetric key as the result of encrypting it with an asymmetric key, thereby achieving information integrity verification. The key generation and management module 35 can use the random numbers produced by the dual WNG-series physical noise source chips and generates 1024/2048-bit RSA key pairs and 256-bit ECC key pairs with a dedicated RSA algorithm chip and a dedicated ECC algorithm chip respectively. The key generation and management module 35 uses the three-layer key protection structure "system protection key / in-card RSA/ECC key pair / KEK / session key" to guarantee the security of user keys and application systems. The system protection keys are divided by function into device keys, key protection keys, working keys and backup keys: device keys authenticate and identify the identity and permissions of users when the system is activated and initialised; key protection keys protect encryption keys; and working keys provide security protection when business data is transmitted. The key backup and recovery module 36 provides backup and recovery for the various keys in the data cryptographic server and can protect the key backup file with a master key, ensuring that critical keys never appear outside the device in plaintext under any circumstances, so that keys are stored safely and reliably. The key destruction module 37 provides users with a key destruction function; the user can choose to destroy the corresponding key by software destruction or by hardware destruction.
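The three-layer key protection structure and the master-key-protected backup described above (in the passage on the key generation and management module and the key backup and recovery module, and in the earlier passage on the same modules without reference numerals) can be modelled in Go. This is an added example and not the patent's own code: the patent describes the structure, not an implementation, so the Card type, the method names, the choice of RSA-OAEP for the in-card wrap and AES-GCM for the KEK and backup wraps, and the HMAC user operation are all assumptions. The in-card RSA key pair (layer 1) wraps the KEK (layer 2), the KEK wraps the session key (layer 3), and a backup file carries the KEK only sealed under a master key; the digital envelope module's distribution of a symmetric key encrypted with an asymmetric key is the same wrap that wrapKEK performs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card is an illustrative model of the crypto-operation module (not the patent's
// code): the in-card RSA key pair and the master key are never returned by any method.
type Card struct {
	inCardKey *rsa.PrivateKey // layer 1: in-card RSA key pair
	masterKey []byte          // protects key backup files
}

func NewCard(masterKey []byte) (*Card, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Card{inCardKey: k, masterKey: masterKey}, nil
}

// random returns n CSPRNG bytes; a failing entropy source is fatal for a key server.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal/open: AES-256-GCM with the nonce prefixed; the role string is authenticated
// so a blob wrapped for one layer cannot be replayed as another.
func seal(key, pt []byte, role string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, pt, []byte(role)), nil
}

func open(key, blob []byte, role string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(role))
}

// Layer 2: a KEK leaves the card only RSA-OAEP-wrapped under the in-card public key.
func (c *Card) wrapKEK(kek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &c.inCardKey.PublicKey, kek, []byte("KEK"))
}

func (c *Card) unwrapKEK(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.inCardKey, wrapped, []byte("KEK"))
}

func (c *Card) NewKEK() ([]byte, error) { return c.wrapKEK(random(32)) }

// Layer 3: a session key leaves the card only AES-GCM-wrapped under its KEK.
func (c *Card) NewSessionKey(wrappedKEK []byte) ([]byte, error) {
	kek, err := c.unwrapKEK(wrappedKEK)
	if err != nil {
		return nil, err
	}
	return seal(kek, random(32), "session-key")
}

// MAC is a user-facing operation: the caller supplies only wrapped keys, and the
// session key exists in plaintext only inside the card for the duration of the call.
func (c *Card) MAC(wrappedKEK, wrappedSK, msg []byte) ([]byte, error) {
	kek, err := c.unwrapKEK(wrappedKEK)
	if err != nil {
		return nil, err
	}
	sk, err := open(kek, wrappedSK, "session-key")
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, sk)
	m.Write(msg)
	return m.Sum(nil), nil
}

// Backup exports the KEK sealed under the master key, so the backup file never holds
// the key in plaintext; Restore re-wraps it under the receiving card's in-card key.
func (c *Card) Backup(wrappedKEK []byte) ([]byte, error) {
	kek, err := c.unwrapKEK(wrappedKEK)
	if err != nil {
		return nil, err
	}
	return seal(c.masterKey, kek, "backup")
}

func (c *Card) Restore(backup []byte) ([]byte, error) {
	kek, err := open(c.masterKey, backup, "backup")
	if err != nil {
		return nil, err
	}
	return c.wrapKEK(kek)
}

func main() {
	card, _ := NewCard(random(32)) // constructed master key; a real one is generated in hardware
	wkek, _ := card.NewKEK()
	wsk, _ := card.NewSessionKey(wkek)
	tag, err := card.MAC(wkek, wsk, []byte("constructed sample message"))
	fmt.Printf("%x %v\n", tag, err)
}
```

Every exported method takes and returns only wrapped blobs. The role string authenticated by AES-GCM stops a session-key blob from being presented as a KEK or as a backup file, a KEK wrapped for one card is unusable on a card with a different in-card key pair, and a backup can be restored only by a card that holds the same master key, which is the property the patent states for its backup file.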
In some possible embodiments of the invention, the VPN module 23 is implemented on dedicated hardware, can build a virtual private network using VPN (Virtual Private Network) technology, and occupies no host computing resources. Further, the VPN module 23 is a gigabit VPN switch or a gigabit VPN router. The VPN switch or VPN router uses transparent security protection: the external WAN port connects to external data, and data terminal devices connect to the switch only through a dedicated line from the encryption device. In other possible embodiments of the invention, the VPN module 23 can be a VPN switch/router that integrates security protocols such as IPSec and SSL, has a hardware firewall, and supports thousands of IPSec tunnels. In other possible embodiments of the invention, the VPN module 23 can be configured with a hardware firewall, internal/external network configuration, routing policy, attack defence, users and authentication, security policy and content security, VLAN, NQA, VPN tunnel protocol and other security policy configuration, bandwidth management, and monitoring system diagnosis. In other possible embodiments of the invention, the VPN module 23 is a built-in VPN switch/router that can provide one gigabit WAN port and multiple gigabit LAN ports, uses the pre-shared key IPSec authentication mode, and supports dual ARP protection and internal/external network attack defence functions to guarantee the security of the internal and external networks.
In some possible embodiments of the invention, the data cryptographic server provides industry-standard interfaces conforming to the "Java Cryptography Extension" and the "Cryptographic Device Application Interface Specification", thereby providing the API of a secure subsystem with good generality that can be integrated smoothly into all kinds of system platforms.
If the data cryptographic operation method and system are implemented in the form of software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium and comprising several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the method described in each embodiment of the invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash disk, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk or optical disc.
The above embodiments are merely illustrative of the technical solution of the invention and do not limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the invention.
Claims (10)
1. A data cryptographic operation method, characterised in that it comprises the following steps:
receiving and responding to a cryptographic operation request sent by a user from a VPN module, and sending the cryptographic operation request to a cryptographic operation module;
the cryptographic operation module independently completing the cryptographic operation according to the cryptographic operation request, obtaining a cryptographic operation result, and sending the cryptographic operation result to a cryptographic service module;
the cryptographic service module sending the cryptographic operation result to the VPN module, and the cryptographic operation result being returned to the user.
2. The method according to claim 1, characterised in that an encryption card is used to carry out the cryptographic operation, and the encryption card generates random numbers using two WNG-series physical noise source chips.
3. The method according to claim 1, characterised in that the cryptographic operation module uses a three-layer key protection structure to ensure the security of the user keys and of the application system.
4. The method according to any one of claims 1 to 3, characterised in that the method further comprises: backing up keys, and protecting the key backup file with a master key.
5. The method according to any one of claims 1 to 3, characterised in that the method further comprises: the VPN module is a VPN switch or a VPN router, and the VPN switch or VPN router uses transparent security protection, integrates security protocols, and has a hardware firewall.
6. A data cryptographic server, comprising a data service module, a cryptographic operation module and a VPN module, characterised in that:
the data service module is configured to receive and respond to the cryptographic operation request sent by a user from the VPN module, to send the cryptographic operation request to the cryptographic operation module, and to send the cryptographic operation result received from the cryptographic operation module to the VPN module;
the cryptographic operation module is configured to independently complete the cryptographic operation according to the cryptographic operation request, to obtain the cryptographic operation result, and to send the cryptographic operation result to the cryptographic service module;
the VPN module is configured to return the cryptographic operation result to the user.
7. The server according to claim 6, characterised in that the cryptographic operation module is an encryption card, and the encryption card generates random numbers using two WNG-series physical noise source chips.
8. The server according to claim 6, characterised in that the cryptographic operation module further comprises a key generation and management module, and the key generation and management module uses a three-layer key protection structure to ensure the security of the user keys and of the application system.
9. The server according to any one of claims 6 to 8, characterised in that the cryptographic operation module further comprises a key backup and recovery module, and the key backup and recovery module is used to back up keys and to protect the key backup file with a master key.
10. The server according to any one of claims 6 to 8, characterised in that the VPN module is a VPN switch or a VPN router, and the VPN switch or VPN router uses transparent security protection, integrates security protocols, and has a hardware firewall.
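The claims name a three-layer key protection structure (claims 3 and 8), a key backup file protected by a master key (claims 4 and 9), and a cryptographic operation module that completes requests independently (claims 1 and 6), without describing how those pieces fit together. The following is an added example, not the patent's own code, modelling one common way such a structure is built: a master key that never leaves the module, key-encryption keys stored wrapped under the master key, working keys stored wrapped under a key-encryption key, and a backup file that is only usable by a module holding the same master key. The class and function names, the HMAC-based `wrap()` construction (standing in for the key-wrap an encryption card would provide in hardware), and the sample request are all assumptions of this illustration.

```python
# Added illustration (not the patent's code): a three-layer key protection
# structure with a master-key-protected backup. wrap() and all names here are
# assumptions of this example, standing in for a hardware key-wrap.
import hashlib
import hmac
import json
import os
import secrets
from typing import Dict, Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF stream cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap(kek: bytes, plaintext: bytes, aad: bytes) -> bytes:
    # Encrypt-then-MAC under kek; aad binds the blob to its identifier and purpose.
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, b"mac" + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes, aad: bytes) -> bytes:
    # Verify the tag in constant time before releasing any plaintext.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kek, b"mac" + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class CryptoOperationModule:
    # Layer 1: master key, held only inside the module.
    # Layer 2: key-encryption keys (KEKs), stored wrapped under the master key.
    # Layer 3: working (user) keys, stored wrapped under a KEK.
    def __init__(self, master_key: Optional[bytes] = None) -> None:
        self._master = master_key or secrets.token_bytes(32)
        self._keks: Dict[str, bytes] = {}                 # kek_id -> wrapped KEK
        self._working: Dict[str, Tuple[str, bytes]] = {}  # key_id -> (kek_id, wrapped key)

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = wrap(self._master, secrets.token_bytes(32), b"kek:" + kek_id.encode())

    def _load_kek(self, kek_id: str) -> bytes:
        return unwrap(self._master, self._keks[kek_id], b"kek:" + kek_id.encode())

    def create_working_key(self, key_id: str, kek_id: str) -> None:
        blob = wrap(self._load_kek(kek_id), secrets.token_bytes(32), b"key:" + key_id.encode())
        self._working[key_id] = (kek_id, blob)

    def handle_request(self, request: dict) -> dict:
        # The request is completed independently: the working key is unwrapped
        # only here and never appears in the returned result.
        if request.get("op") != "hmac-sha256":
            return {"status": "error", "reason": "unsupported operation"}
        kek_id, blob = self._working[request["key_id"]]
        key = unwrap(self._load_kek(kek_id), blob, b"key:" + request["key_id"].encode())
        mac = hmac.new(key, request["data"], hashlib.sha256).hexdigest()
        return {"status": "ok", "key_id": request["key_id"], "mac": mac}

    def export_backup(self) -> bytes:
        # Key backup file: the wrapped tables, protected under the master key.
        payload = json.dumps({
            "keks": {k: v.hex() for k, v in self._keks.items()},
            "working": {k: [kid, b.hex()] for k, (kid, b) in self._working.items()},
        }).encode()
        return wrap(self._master, payload, b"backup-v1")

    def import_backup(self, backup: bytes) -> None:
        # Recovery fails closed: a wrong master key or a modified file raises.
        payload = json.loads(unwrap(self._master, backup, b"backup-v1"))
        self._keks = {k: bytes.fromhex(v) for k, v in payload["keks"].items()}
        self._working = {k: (kid, bytes.fromhex(b)) for k, (kid, b) in payload["working"].items()}


def demo() -> bool:
    # Provision keys, serve a request, back up, recover, and check the failure mode.
    master = secrets.token_bytes(32)
    module = CryptoOperationModule(master)
    module.create_kek("kek-app1")
    module.create_working_key("user-42-mac", "kek-app1")
    request = {"op": "hmac-sha256", "key_id": "user-42-mac", "data": b"constructed sample message"}
    first = module.handle_request(request)
    restored = CryptoOperationModule(master)   # same master key: recovery works
    restored.import_backup(module.export_backup())
    same_result = restored.handle_request(request)["mac"] == first["mac"]
    try:                                       # different master key: backup is unusable
        CryptoOperationModule().import_backup(module.export_backup())
        foreign_rejected = False
    except ValueError:
        foreign_rejected = True
    return same_result and foreign_rejected
```

Two design points carry the security weight here. Every stored key exists only in wrapped form, and the associated data passed to `wrap()` ties each blob to its layer and identifier, so a wrapped KEK cannot be presented to the module as a working key or vice versa. The backup file is the same wrapped material protected once more under the master key with an integrity tag, so a lost or copied backup reveals nothing, a modified backup is rejected on import rather than loading partially, and recovery is possible only on a module that already holds the master key.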
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710243331.1A CN108737078A (en) | 2017-04-14 | 2017-04-14 | A kind of data cryptogram operation method and data cryptogram server |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710243331.1A CN108737078A (en) | 2017-04-14 | 2017-04-14 | A kind of data cryptogram operation method and data cryptogram server |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108737078A true CN108737078A (en) | 2018-11-02 |
Family
ID=63923844
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710243331.1A Pending CN108737078A (en) | 2017-04-14 | 2017-04-14 | A kind of data cryptogram operation method and data cryptogram server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108737078A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110265160A1 (en) * | 2008-09-23 | 2011-10-27 | Peer1 Network Enterprise, Inc. | Password management systems and methods |
CN106027235A (en) * | 2016-05-13 | 2016-10-12 | 北京三未信安科技发展有限公司 | PCI password card, and password operation method and system for massive keys |
- 2017-04-14: CN application CN201710243331.1A (CN108737078A) filed; status: Pending
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109495266A (en) * | 2018-12-25 | 2019-03-19 | 北京字节跳动网络技术有限公司 | Data ciphering method and device based on random number |
CN111245813A (en) * | 2020-01-07 | 2020-06-05 | 北京数字认证股份有限公司 | Cryptographic resource pool system, encryption method, electronic device, and storage medium |
CN111245813B (en) * | 2020-01-07 | 2022-04-29 | 北京数字认证股份有限公司 | Cryptographic resource pool system, encryption method, electronic device, and storage medium |
CN111770064A (en) * | 2020-06-08 | 2020-10-13 | 珠海格力电器股份有限公司 | Data communication method, device, storage medium and electronic equipment |
CN111786872A (en) * | 2020-06-29 | 2020-10-16 | 北京天融信网络安全技术有限公司 | Data processing method and device for VPN (virtual private network) equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106330868B (en) | | A kind of high speed network encryption storage key management system and method |
CN104639516B (en) | | Identity identifying method, equipment and system |
CN102624699B (en) | | Method and system for protecting data |
JP6382196B2 (en) | | System and method for providing a secure computing environment |
WO2017097041A1 (en) | | Data transmission method and device |
CN109361668A (en) | | A kind of data trusted transmission method |
CN202795383U (en) | | Device and system for protecting data |
CN108768978A (en) | | A kind of remote storage method of servicing and system based on SGX |
CN105656864B (en) | | Key management system and management method based on TCM |
CN108737078A (en) | | A kind of data cryptogram operation method and data cryptogram server |
WO2020192285A1 (en) | | Key management method, security chip, service server and information system |
CN101588245A (en) | | A kind of method of authentication, system and memory device |
CN102567233A (en) | | Data protection method of USB storage device based on magnetic disc virtual technology |
CN103973715B (en) | | Cloud computing security system and method |
CN114584343B (en) | | Data protection method and system for cloud computing center and readable storage medium |
CN113541935B (en) | | Encryption cloud storage method, system, equipment and terminal supporting key escrow |
CN101420302A (en) | | Safe identification method and device |
JP2022531497A (en) | | Transfer of digital asset ownership over a one-way connection |
CN107359990A (en) | | A kind of secret information processing method, apparatus and system |
KR20220074899A (en) | | Generate keys for use in secure communication |
CN107911221B (en) | | Key management method for secure storage of solid-state disk data |
CN113986470B (en) | | Batch remote proving method for virtual machines without perception of users |
CN1848722B (en) | | Method and system for establishing credible virtual special network connection |
CN110519222A (en) | | Outer net access identity authentication method and system based on disposable asymmetric key pair and key card |
CN111371588A (en) | | SDN edge computing network system based on block chain encryption, encryption method and medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181102 |