CN109525396B - Method and device for processing identity key and server - Google Patents

Method and device for processing identity key and server Download PDF

Info

Publication number
CN109525396B
CN109525396B CN201811163445.6A CN201811163445A CN109525396B CN 109525396 B CN109525396 B CN 109525396B CN 201811163445 A CN201811163445 A CN 201811163445A CN 109525396 B CN109525396 B CN 109525396B
Authority
CN
China
Prior art keywords
key
identity
identity key
server
storage area
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811163445.6A
Other languages
Chinese (zh)
Other versions
CN109525396A (en
Inventor
殷鑫
蔡恒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN201811163445.6A priority Critical patent/CN109525396B/en
Publication of CN109525396A publication Critical patent/CN109525396A/en
Application granted granted Critical
Publication of CN109525396B publication Critical patent/CN109525396B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45595Network integration; Enabling network access in virtual machine instances

Abstract

A processing method, a device and a server of an identity key comprise the following steps: the method comprises the steps that a processing device of an identity secret key obtains a first identity secret key of a virtual machine, the first identity secret key is used for carrying out identity authentication on the virtual machine, the processing device is accessed into a server through a high-speed serial computer expansion bus standard PCIe, and the virtual machine is deployed in the server; encrypting the first identity key by using the equipment key to obtain a second identity key, wherein the equipment key is a globally unique key generated according to the identifier of the processing device and is stored in a storage area of the processing device; the processing device stores the second identity key in a first storage area; the processing device signs the access request of the virtual machine according to the second identity key, so that the problem of low security of the identity key can be solved.

Description

Method and device for processing identity key and server
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for processing an identity key, and a server.
Background
With the development of cloud computing technology, especially the rapid development of public clouds, operators provide various types of cloud services for enterprises to meet the requirements of enterprise users. For a server with multiple Virtual Machines (VMs), when a VM accesses a cloud service, the server needs to sign an access request with an identity key of the VM to determine the validity of the access request. Therefore, the security of the identity keys of the VMs is crucial.
In the conventional technology, when a server deployed with multiple VMs acquires an identity key of each VM, the server directly stores the identity key of the VM in its memory. When a certain VM accesses the cloud service, the server acquires the identity key of the VM from the memory, and signs an access request by using the identity key of the VM. However, since the public cloud system is complex and has many objects to be attacked, once the server is attacked maliciously by an attacker, the identity key stored in the memory of the server can be acquired, and then the user impersonating the server through any device reads data, so that the security of the identity key cannot be ensured, and a security problem exists.
Disclosure of Invention
The application provides a processing method, a processing device and a server of an identity key, which can solve the safety problem in the traditional technology.
In order to achieve the purpose, the technical scheme is as follows:
in a first aspect, a method for processing an identity key is provided. Specifically, after acquiring a first identity key for performing identity authentication on the virtual machine, the first device encrypts the first identity key by using the device key to obtain a second identity key, and stores the second identity key in the first storage area. The device key is a globally unique key generated according to the identifier of the first device, and the device key is stored in a storage area of the first device, so that, in a scenario where the virtual machine sends an access request, the first device can sign the access request of the virtual machine according to the second identity key. The first device of the application is accessed to a server through a peripheral component interconnect express (PCIe) bus, where the virtual machine is any one of virtual machines in the server.
The first device is accessed to the server through the PCIe bus, and internal hardware resources and storage addresses of the first device are invisible to other components in the server, that is, the other components in the server are isolated from the first device, the other components cannot directly access the first device, and the first device provides a safe environment.
Because the device key is a globally unique key generated according to the identifier of the first device, the device key is stored in the storage space of the first device, and the storage address of the first device is invisible to other components, only the first device can acquire the device key, that is, the security of the device key is high. The first device stores the second identity key, and the second identity key is the identity key encrypted by the first device by using the device key, so that even if an attacker maliciously attacks the server, the attacker can only obtain the second identity key at most and cannot obtain the device key, and further, the attacker cannot obtain the first identity key, the security of the first identity key is effectively ensured, that is, the security of the identity key can be effectively improved by the identity key processing method provided by the application.
In a possible implementation manner, the first storage area is a storage area in a memory of the server, or is a storage area in the first device. Since the second identity key is encrypted according to the device key, the security of the identity key of the virtual machine can be effectively improved no matter the first device stores the second identity key in the memory of the server or stores the second identity key in the storage area of the first device.
In another possible implementation manner, when the first storage area is a storage area in a memory of the server, the method for the first device to store the second identity key in the first storage area includes: the first device writes the second identity key into the memory via a processor in the server for managing the identity key. Correspondingly, the "the first device signs the access request of the virtual machine according to the second identity key" specifically includes: after the first device obtains the access request sent by the virtual machine, the processor obtains the second identity key from the memory, decrypts the second identity key by using the device key to obtain the first identity key, and further signs the access request according to the decrypted first identity key.
Because the device key is stored in the first device and only the first device can acquire the device key, in the processing method provided by the application, only the first device can decrypt the second identity key. In a scenario where the second identity key is stored in the memory of the server, the first device needs to read the second identity key from the memory, decrypt the second identity key, and further sign the access request. In a scenario that the second identity key is stored in the memory of the server, even if an attacker maliciously attacks the server, the attacker can only obtain the second identity key and cannot obtain the device key, and further, the attacker cannot obtain the first identity key, so that the security of the first identity key is effectively ensured.
In another possible implementation manner, when the first storage area is a storage area in the first device, the method of "the first device signs an access request of the virtual machine according to the second identity key" includes: the first device obtains the second identity key after obtaining the access request sent by the virtual machine, decrypts the second identity key by using the device key to obtain the first identity key, and further signs the access request according to the first identity key.
Because the device key is stored in the first device and only the first device can acquire the device key, in the method provided by the application, only the first device can decrypt the second identity key. In a scenario where the second identity key is stored in the storage space of the first device, the first device may directly read the second identity key, decrypt the second identity key, and further sign the access request. In a scenario that the second identity key is stored in the storage space of the first device, even if an attacker maliciously attacks the server, the attacker cannot acquire the second identity key and the device key, and further, the attacker cannot acquire the first identity key, so that the security of the first identity key is effectively ensured.
In another possible implementation manner, in the present application, the first device calculates, in advance, a device key by using a preset algorithm according to the identifier of the first device.
The predetermined algorithm may be a hash-based message authentication code (HMAC) algorithm.
In a second aspect, a method for processing an identity key is provided. The first device is independently deployed in the server, the first device is accessed into the server through a PCIe bus, internal hardware resources and storage addresses of the first device are invisible to other components in the server, namely the other components in the server are isolated from the first device, the other components cannot directly access the first device, and the first device provides a safe environment. After acquiring a first identity key for performing identity authentication on a virtual machine, the first device stores the first identity key in a storage area of the first device.
Because other components in the server are isolated from the first device, and other components cannot directly access the first device, even if an attacker maliciously attacks the server, the attacker cannot acquire the first identity key stored in the first device, so that the security of the first identity key is effectively ensured, that is, the security of the identity key can be effectively improved by the processing method of the identity key provided by the application.
In a third aspect, a processing apparatus for identity keys is provided, where the processing apparatus includes various modules configured to execute the processing method according to the first aspect, the second aspect, or any possible implementation manner of the first aspect.
In one possible implementation manner, the processing apparatus may be divided into functional modules according to the processing method provided in any one of the possible implementation manners of the first aspect, the second aspect, or the first aspect, for example, each functional module may be divided according to each function, or two or more functions may be integrated into one processing module.
In a fourth aspect, a server is provided, where the server includes a first device, a processor, a memory, a communication interface, and a bus, where the processor, the memory, and the communication interface are connected by the bus and complete communication therebetween, the first device stores computer execution instructions, and when the server runs, the first device executes the computer execution instructions stored in the first device to perform, by using hardware resources in the server, the operation steps of the processing method according to any one of the possible implementations of the first aspect, the second aspect, or the first aspect.
In a fifth aspect, the present application provides a computer-readable storage medium having stored therein instructions, which, when executed on a computer, cause the computer to perform the method of the above aspects.
In a sixth aspect, the present application provides a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the above aspects.
The present application can further combine to provide more implementations on the basis of the implementations provided by the above aspects.
Drawings
Fig. 1 is a schematic structural diagram of a communication system in an embodiment of the present application;
FIG. 2 is a diagram of a hardware structure of a server in an embodiment of the present application;
fig. 3 is a schematic hardware structure diagram of a first device in an embodiment of the present application;
fig. 4 is a first flowchart illustrating a method for processing an identity key according to an embodiment of the present application;
fig. 5 is a second flowchart illustrating a processing method of an identity key according to an embodiment of the present application;
fig. 6 is a first schematic structural diagram of a device for processing an identity key according to an embodiment of the present application.
Detailed Description
The following describes a method for processing an identity key according to an embodiment of the present application in detail with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a communication system to which the method for processing an identity key provided in the embodiment of the present application is applied. As shown, the communication system includes a server 20, an identity management server 21, and a terminal 22. The combination of the server 20 and the identity management server 21 may also be referred to as a cloud platform. The user remotely logs in the cloud platform through the terminal 22, and after the identity of the user is authenticated, the function of the virtual machine on the server 20 can be used.
The terminal 22 may be a computer, such as a desktop computer, a notebook computer, a tablet computer, or a device that does not include a Central Processing Unit (CPU), a memory, and a hard disk but only includes a user interaction and operation interface (such as a keyboard, a mouse, a display, an audio device, and the like), a Universal Serial Bus (USB) flash memory interface, and a communication interface.
The server 20 may provide a storage space, software, and other computer functions for the terminal 22 on the network side, where a plurality of virtual machines may be deployed on the server 20, and may also be configured to sign an access request sent by each virtual machine, and also may obtain an identity key of each virtual machine, and encrypt the obtained identity key with the device key.
The identity management server 21 is configured to provide services such as user management and key management, and is capable of configuring an identity key for each virtual machine in the server 20. The method for generating the identity key of the virtual machine is not limited in this application, and for example, the identity key may be generated according to a preset rule based on an identifier of the virtual machine.
It should be noted that the communication system shown in fig. 1 is only an example, and does not limit the system architecture to which the method for processing the identity key provided in the embodiment of the present application is applied. For example, the communication system may comprise a plurality of servers 20, each connected to an identity management server 21. As another example, the communication system may include a plurality of terminals 22. For another example, the server 20 and the identity management server 21 may be the same server or may be separate servers. Hereinafter, the server 20 and the identity management server 21 are provided separately as an example.
Fig. 2 is a schematic structural diagram of the server 20 in fig. 1. As shown in fig. 2, the server 20 includes a processor 201, a DDR controller 202, a memory 203, and a first device 204. It should be noted that the server 20 may include at least one first device 204, and each first device is connected to the processor 201. The first device 204 may be a chip with a processor, which may be a multi-core or single-core processor, and the application is not limited thereto.
The processor 201 may be any computing device, and may be a general purpose CPU, a microprocessor, a programmable controller, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs according to the above schemes. Processor 201 is the control center for server 20. The processor 201 is connected to various parts of the server 20 using various interfaces and lines, and performs various functions of the server 20 and processes data by running or executing software programs and/or application modules, thereby performing overall monitoring of the server 20. For example, the processor 201 may have a Unified Identity Management (UIM) function, and the processor 201 may also run a virtual machine.
The DDR controller 202 is connected to the memory 203 and can read and write data from and into the memory 203.
The first device 204 is accessed to the server 20 through the PCIe bus, and configured to encrypt the identity key acquired from the identity management server 21 with the device key, store the encrypted identity key in the first storage area, and further sign an access request sent by the virtual machine. The device key is a globally unique key generated according to the identifier of the first device, and the device key is stored in a storage area of the first device. The identifier of the first device may be a number or a name of the first device, or other content that can uniquely identify the first device, or may be other identifiers that can be uniquely used to identify the first device, which is not specifically limited in this embodiment of the present application.
Hardware resources and memory addresses internal to the first device 204 are invisible to other components (e.g., the processor 201 and the DDR controller 202) in the server 20, that is, other components in the server 20 are isolated from the first device 204.
The first storage area may be a storage area in the memory of the server 20, or may be a storage area in the first device 204. That is, the first storage area may be a partial storage area of the memory of the server 20, or may be a partial storage area of the first device.
Illustratively, the first device 204 is configured to: acquiring a first identity key; encrypting the first identity key by using the equipment key to obtain a second identity key; storing the second identity key in a first storage area; the access request of the first virtual machine is signed according to the second identity key.
Optionally, the first device 204 may further directly store the identity key in a storage area of the first device after obtaining the identity key, and subsequently sign the access request of the first virtual machine by using the identity key stored in the first device.
Illustratively, the first device 204 is configured to: acquiring a first identity key; storing the first identity key in a storage area of the first device; an access request of the first virtual machine is signed according to a first identity key in a storage area of the first device.
Fig. 3 is a schematic structural diagram of the first device 204 in the server 20 shown in fig. 2. As shown in fig. 3, the first device 204 in the embodiment of the present application includes: a communication interface 30, a processor 31, a memory 32 and a non-volatile memory 33. The communication interface 30, processor 31 memory 32 and non-volatile storage 33 may be connected by a system bus 34.
The communication interface 30 is used to support the first device 204 in communication with other devices, such as the processor 201.
The processor 31 is configured to encrypt an identity key of a virtual machine (e.g., a first virtual machine) by using the device key, and may also be configured to sign an access request of the virtual machine according to the encrypted identity key.
The processor 31 may be a CPU, or an ASIC, or one or more integrated circuits configured to implement embodiments of the present application. In this embodiment, the processor 31 may be configured to encrypt an identity key of a virtual machine (e.g., a first virtual machine) by using the device key, and may also be configured to sign an access request of the virtual machine according to the encrypted identity key.
The processor 31 may also include a cache (not shown in FIG. 3), which may be embodied as a cache memory for storing various program instructions.
The memory 32 is used to buffer data received from external devices or data read from the non-volatile storage 33. Various non-transitory (non-transitory) machine-readable media such as a read-only memory (ROM) or a Flash memory (Flash) that can store data are not limited herein.
Optionally, the cache and the memory 32 in the processor 31 may be integrally configured or independently configured, which is not limited in this embodiment of the application.
The non-volatile memory 33 is used for storing software programs and application modules, such as firmware executed by the first device, a boot program (e.g., bootrom code), and the like, and may also be used for storing an encrypted identity key, or directly storing the identity key. . The nonvolatile memory 33 may be a Static Random Access Memory (SRAM).
When the first storage area of the embodiment of the present application is a storage area of the first device, the first storage area may be a storage area of an SRAM.
The system bus 34 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like.
The system bus 33 may be divided into an address bus, a data bus, a control bus, and the like. For clarity of illustration in the embodiments of the present application, the various buses are illustrated in FIG. 3 as system bus 33.
Next, a method for processing an identity key provided in an embodiment of the present application is described with reference to fig. 1 to fig. 3.
For convenience of understanding, in the embodiment of the present application, a starting process of one virtual machine in a server is described as an example, and the virtual machine is simply referred to as a first virtual machine, and a first device acquires a first identity key of the first virtual machine, and encrypts the first identity key by using a device key to obtain a second identity key for example. Correspondingly, the first device stores the second identity key in the first storage space, and subsequently, signs the access request of the first virtual machine by using the second identity key. That is, the second identity key in the embodiment of the present application is the encrypted first identity key.
Specifically, when the first device is started, the first device needs to generate a device key and communicate with the processor of the server to negotiate a first communication key, so that when data is subsequently transmitted between the first device and the processor of the server, the transmitted data is encrypted by using the first communication key, so as to ensure the security of the data. For example: the first device encrypts the second identity key using the first communication key and sends the encrypted second identity key to the processor of the server. The process is as follows: when the first device is started, initialization processing is performed on the first device.
When the first virtual machine is started, the first device communicates with the identity management server to obtain a first identity key. In order to ensure the security of the first identity key, the first device and the identity management server need to communicate and negotiate a second communication key, so that the second communication key is used to encrypt the first identity key when the first identity key is transmitted between the identity management server and the first device.
Fig. 4 shows a flow of a processing method of an identity key provided in an embodiment of the present application. In the embodiment of the present application, a security verification process implemented by a first device in any one of servers 20 in fig. 1 is described as an example, and as shown in fig. 4, a method for processing an identity key provided in the embodiment of the present application includes:
s400, the first device performs initialization processing when being started.
The initialization process of the first device includes determination of a device key and determination of a first communication key. As can be seen from the above description, the first communication key is used to encrypt data transmitted between the first device and the processor of the server, so as to ensure the security of the data.
Specifically, at startup, the processor of the first device starts execution from the boot program, and then obtains the firmware of the first device and the identifier of the first device (such as the number or name of the first device, or other content that can uniquely identify the first device) from the non-volatile memory, and verifies the firmware of the first device. And executing the firmware of the first device after the verification of the firmware of the first device is determined to be successful.
Further, the first device calculates, according to the identifier and the preset value of the first device, a device key and a signature key by using a first preset algorithm (e.g., an HMAC algorithm), and generates, according to the signature key, a signature public key by using a second preset algorithm (e.g., an Error Correction Code (ECC) algorithm). And the subsequent content adopts a PRI _ KEY to identify the equipment secret KEY, adopts a UDI _ PRI to identify the signature secret KEY and adopts a UDI _ PUB to identify the signature public KEY. The device key in the embodiment of the application is used for encrypting the first identity key acquired by the first device, and the signature key is used for signing the transmission data in the process of negotiating the first communication key and the second communication key. The public signature key is used to verify the signature.
After determining the PRI _ KEY, the first device communicates with a processor of the server to negotiate a first communication KEY. Optionally, the first device and the processor of the server may determine the first communication key by using an elliptic curve Diffie-Hellman key exchange (ECDHE) algorithm, may also determine the first communication key by using an RSA algorithm (RSA algorithm), and may also determine the first communication key by using an elliptic curve Diffie-Hellman (ECDH) algorithm, which is not limited in this embodiment of the present invention.
The first communication KEY is represented by UIM _ KST _ KEY, and the UIM _ KST _ KEY is determined by using ECDHE algorithm between the first device and the processor of the server.
Firstly, the first device and a processor of the server agree on a base point G value on an elliptic curve, wherein G (x, y) is a base point of a certain elliptic curve algorithm which is generally accepted; then, a processor of the server generates a random number a and a nonce _ a, and calculates a public key a according to the ECC elliptic curve, where a is aG, and sends a and nonce _ a to the first device; correspondingly, the first device generates a random number B and a nonce _ B, calculates B according to an ECC elliptic curve, wherein B is bG, calculates P1 by adopting an ECC algorithm according to A and B, calculates P1 by adopting an HMAC algorithm to obtain UIM _ KST _ KEY, and performs AES encryption on (nonce _ a, nonce _ B) according to UIM _ KST _ KEY; thereafter, the first device signs (B, nonce _ a, nonce _ B, Enc (nonce _ a, nonce _ B)) with UDI _ PRI and transmits signed (B, nonce _ a, nonce _ B, Enc (nonce _ a, nonce _ B)) to the processor of the server; correspondingly, the processor of the server checks the signature of the signed (B, nonce _ a, nonce _ B, Enc (nonce _ a, nonce _ B)) "and calculates P2 by adopting an ECC algorithm according to a and B, calculates P2 by adopting an HMAC algorithm to obtain UIM _ KST _ KEY, and then decrypts the Enc (nonce _ a, nonce _ B) according to UIM _ KST _ KEY. At this time, the negotiation between the first device and the processor of the server determines that the link establishment between the UIM _ KST _ KEY is successful.
S401, when a first virtual machine in the server is started, a processor of the server sends an identity key request including an identifier of the first virtual machine to an identity management server.
As can be seen from the above description, since the processor of the server may be configured to uniformly manage the identity keys of the virtual machines in the server, and the identity management server is configured to manage the identity keys of each virtual machine in the network, when the first virtual machine is started, the processor sends an identity key request including an identifier of the first virtual machine to the identity management server, so as to request to obtain the identity key of the first virtual machine.
S402, after receiving the identity key request, the identity management server negotiates with the first device to determine a second communication key.
As can be seen from the above description, the second communication key is used to encrypt data transmitted between the first device and the identity management server to ensure the security of the data.
Specifically, the identity management server communicates with the first device through the processor to negotiate to determine the second communication key.
Optionally, an ECDHE algorithm may be used between the identity management server and the first device to determine the second communication key, an RSA algorithm may also be used to determine the second communication key, and an ECDH algorithm may also be used to determine the second communication key, which is not specifically limited in this embodiment of the present application.
Now, the description will be given by taking an example that the second communication KEY is represented by IAM _ KST _ KEY, and the first device and the identity management server determine IAM _ KST _ KEY by using an ECDHE algorithm.
Firstly, the identity management server and a processor of the server agree on a base point G value on an elliptic curve, wherein G (x, y) is a base point of a certain elliptic curve algorithm which is generally accepted; then, the identity management server generates a random number C and a nonce _ C, and calculates a public KEY C according to the ECC elliptic curve, where C is cgs, and sends a negotiation request of C, nonce _ C and IAM _ KST _ KEY to the processor of the server; secondly, the processor of the server encrypts the C and the nonce _ C based on the first communication KEY UIM _ KST _ KEY, and sends a negotiation request of the IAM _ KST _ KEY, the encrypted C and the nonce _ C to the first device; after receiving a negotiation request of the IAM _ KST _ KEY, the first device generates a random number D and a nonce _ D, and calculates D according to an ECC elliptic curve, where D is dG, and at the same time, the first device calculates P3 by using an ECC algorithm according to C and a, calculates P3 by using an HMAC algorithm to obtain IAM _ KST _ KEY, performs AES encryption on (nonce _ C, nonce _ D) by using the IAM _ KST _ KEY, and then the first device signs (D, nonce _ C, nonce _ D, and Enc (nonce _ C, nonce _ D)) by using the UDI _ PRI, and sends signed (D, nonce _ C, nonce _ D), nonce _ C (nonce _ C, nonce _ D)); then, the processor of the server sends the signed (D, nonce _ c, nonce _ D, Enc (nonce _ c, nonce _ D)), UDI _ PRI, and UDI _ PUB certificate (generated by the first device from the UDI _ PUB) to the identity management server; subsequently, the identity management server verifies the UDI _ PUB certificate, then checks and signs according to the UDI _ PUB pair (D, nonce _ c, nonce _ D, Enc (nonce _ c, nonce _ D)) in the UDI _ PUB certificate, if the verification is passed, calculates according to c and D by adopting an ECC algorithm to obtain P4, calculates according to P4 by adopting an HMAC algorithm to obtain IAM _ KST _ KEY, and then decrypts the Enc (nonce _ c, nonce _ D) according to the IAM _ KST _ KEY. At this time, the first device and the identity management server negotiate to determine IAM _ KST _ KEY.
S403, after determining the second communication key, the identity management server sends an identity key 1 to the first device.
Specifically, the identity management server encrypts the first identity key with the second communication key to obtain the identity key 1. After obtaining the identity key 1, the identity management server sends the identity key 1 to the first device.
S404, the first device decrypts the identity key 1 by using the second communication key to obtain the first identity key.
S405, the first device encrypts the first identity key by using the device key to obtain a second identity key.
Optionally, the first device uses the device key as a key (key) value of the HMAC algorithm, and performs an HMAC signature on the first identity key.
S406, the first device stores the second identity key in the first storage area.
Optionally, the first storage area is a storage area in the first device, or a storage area in a memory of the server.
In the case where the first storage area is a storage area in the first device, that is, in the case where the first storage area is a storage area in the nonvolatile memory 33 in fig. 3, the first device may obtain the second identity key and then directly store the second identity key in the nonvolatile memory 33. Since the first device does not support access to other components in the server 20, the other components in the server 20 cannot acquire the second identity key and thus cannot acquire the first identity key. Even if an attacker maliciously attacks the server, the attacker cannot acquire the second identity key and the equipment key, and further cannot acquire the first identity key, so that the security of the first identity key is effectively guaranteed.
And under the condition that the first storage area is a storage area in the memory of the server, the first device encrypts the second identity key by using the first communication key and sends the encrypted second identity key to the processor of the server. Correspondingly, the processor of the server decrypts the encrypted second identity key by using the first communication key to obtain the second identity key, and then stores the second identity key in the memory. Subsequently, the processor of the server can directly obtain the second identity key in the memory, but the second identity key is the first identity key encrypted by the device key, the device key is the globally unique key, and the device key is stored in the first device, and the processor of the server and the first device are isolated from each other, and the processor of the server cannot access the first device, so the processor of the server cannot obtain the device key. Therefore, even if an attacker maliciously attacks the server, the attacker can only acquire the second identity key and cannot acquire the device key, and further, the attacker cannot acquire the first identity key, so that the security of the first identity key is effectively guaranteed.
After storing the second identity key in the first storage area, the first virtual machine may access the cloud service. At this point, the first virtual machine issues an access request. When the first virtual machine issues an access request, the processor needs to sign the access request.
In the case where the first storage area is a storage area in the memory of the server, the processor of the server cannot sign the access request because the processor of the server can only obtain the second identity key, the second identity key is the first identity key encrypted by the device key, and the processor of the server cannot obtain the device key. Thus, the processor of the server needs to send a signed request including the access request to the first device.
When the first storage area is a storage area in the first device, the processor of the server cannot access the first device, and therefore cannot acquire the identity key, and accordingly cannot sign the access request. Thus, the processor of the server needs to send a signed request including the access request to the first device.
It can be seen that, whether the first storage area is a storage area in the memory of the computer or a storage area in the first device, when the first virtual machine sends an access request, the processor of the server needs to send a signature request to the first device, i.e., S407 is executed.
S407, when the first virtual machine sends the access request, the processor of the server sends a signature request including the access request to the first device.
S408, the first device decrypts the second identity key to obtain the first identity key, and signs the access request according to the first identity key.
Specifically, the first device obtains the second identity key after receiving the signature request, and decrypts the second identity key by using the device key to obtain the first identity key. Further, the first device signs the access request according to the first identity key to verify the validity of the access request.
When the first storage area is a storage area in the memory of the server, the method for the first device to obtain the second identity key includes: after receiving the signature request, the first device sends an acquisition request to a server processor, wherein the acquisition request is used for requesting to acquire a second identity key; correspondingly, the server processor sends the second identity key encrypted by the first communication key to the first device, and after receiving the second identity key encrypted by the first communication key, the first device decrypts the encrypted second identity key by using the first communication key to obtain the second identity key.
As a possible implementation manner, after obtaining the first identity key, the first device may also directly store the first identity key in a storage area of the first device. As can be seen from the above description, since the hardware resources and the storage address inside the first device are invisible to other components in the server, that is, the first device and other components in the server are isolated from each other, after the first device stores the first identity key in the storage area of the first device, the other components cannot acquire the first identity key, and the security of the first identity key is effectively guaranteed.
Specifically, with reference to fig. 4, as shown in fig. 5, in the method for processing an identity key according to the embodiment of the present application, S405 to S406 may be replaced with S500, and S408 may be replaced with S501. S500 and S501 are:
s500, the first device stores the first identity key in a storage area of the first device.
S501, the first device signs the access request with the first identity key.
In summary, the hardware resources and the storage address inside the first device are invisible to other components in the server, that is, the other components in the server are isolated from the first device, and the other components cannot directly access the first device, so that the first device provides a secure environment, and even if an attacker maliciously attacks the server, the attacker cannot acquire the data stored in the first device.
Because the device key is a globally unique key generated according to the identifier of the first device, the device key is stored in the storage space of the first device, and the storage address of the first device is invisible to other components, only the first device can acquire the device key, that is, the security of the device key is high. The first device stores the second identity key, and the second identity key is the identity key encrypted by the first device by using the device key, so that even if an attacker maliciously attacks the server, the attacker can only obtain the second identity key at most and cannot obtain the device key, and further, the attacker cannot obtain the first identity key, the security of the first identity key is effectively ensured, that is, the security of the identity key can be effectively improved by the identity key processing method provided by the application.
The scheme provided by the embodiment of the application is mainly introduced from the perspective of a method. To implement the above functions, it includes hardware structures and/or software modules for performing the respective functions. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiment of the present application, the processing apparatus may be divided into the functional modules according to the method example, for example, each functional module may be divided corresponding to each function, or two or more functions may be integrated into one processing module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation.
The method for processing the identity key provided in the embodiment of the present application is described in detail above with reference to fig. 4 to 5, and the apparatus for processing the identity key provided in the embodiment of the present application is described below with reference to fig. 6.
Fig. 6 is a schematic structural diagram of a processing apparatus 6 according to an embodiment of the present disclosure. The processing means 6 may be adapted to perform the processing method shown in any of the figures 4-5. The processing device 6 includes: a storage unit 60, an acquisition unit 61, an encryption unit 62, and a signature unit 63.
The storage unit 60 is configured to store an apparatus key, where the apparatus key is a globally unique key generated according to an identifier of the processing apparatus. The obtaining unit 61 is configured to obtain a first identity key of a virtual machine, where the first identity key is used to perform identity authentication on the virtual machine, and the virtual machine is deployed in a server. The encryption unit 62 is configured to encrypt the first identity key acquired by the acquisition unit 61 with the device key to obtain a second identity key. The storage unit 60 is further configured to store the second identity key acquired by the encryption unit 62 in the first storage area. And a signing unit 63, configured to sign the access request of the virtual machine according to the second identity key stored in the storage unit 60.
As an example, the processing device 6 may be a logical module or a physical device (e.g., a security chip) in the server. As an example, the processing device 6 may be the server.
For example, in conjunction with fig. 4-5, the storage unit 60 may be configured to store the program code of the processing device 6 of the identity key, and may also be configured to execute S406, S500, and the like; the acquisition unit 61 may execute the above S403, S407, and the like; the encryption unit 62 may execute the above-described S405 and the like; the signature unit 63 may perform the above-described S408, S501, and the like.
In a possible implementation manner, the first storage area is a storage area in a memory of the server or a storage area in the processing device.
In a possible implementation manner, the obtaining unit 61 is further configured to obtain, when the first storage area is a storage area in a memory of the server, the access request sent by the virtual machine, and obtain, by a processor of the server, the second identity key from the memory, where the processor is configured to manage the identity key. Correspondingly, the processing apparatus 6 further includes a decryption unit 64, where the decryption unit 64 is configured to decrypt the second identity key acquired by the acquisition unit 61 with the device key to obtain the first identity key. The signing unit 63 is further configured to sign the access request acquired by the acquiring unit 61 according to the first identity key obtained by the decrypting unit 64.
In a possible implementation manner, the obtaining unit 61 is further configured to obtain, when the first storage area is a storage area in the processing apparatus, the access request sent by the virtual machine, and obtain the second identity key. Correspondingly, the decryption unit 64 is configured to decrypt the second identity key acquired by the acquisition unit 61 with the device key to obtain the first identity key. The signing unit 63 is further configured to sign the access request acquired by the acquiring unit 61 according to the first identity key obtained by the decrypting unit 64.
Illustratively, in conjunction with fig. 4-5, the decryption unit 64 may be configured to perform S404 and the like as described above.
In a possible implementation manner, the processing apparatus 6 further includes a calculating unit 65, and the calculating unit 65 is configured to calculate the device key by using a preset algorithm according to the identifier of the processing apparatus 6.
Illustratively, in conjunction with fig. 4-5, the computing unit 65 may be configured to perform operations such as "compute device key".
For explanation of relevant contents and description of beneficial effects in this embodiment, reference may be made to the above method embodiments, and details are not described herein. As an example, in conjunction with fig. 2, the processing device 6 in the present embodiment may be the server 20 in fig. 2. As an example, in connection with fig. 2, the processing means 6 in the embodiment may be the first device 204 in fig. 2. Some or all of the above-described acquisition unit 61, encryption unit 62, signature unit 63, decryption unit 64, and calculation unit 65 may also be implemented by the first device 204.
It should be understood that the processing device 6 of the embodiment of the present application may be implemented by an ASIC, or a Programmable Logic Device (PLD), which may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof. When the method for processing the identity key shown in fig. 4-5 can also be implemented by software, the processing device 6 and its modules may also be software modules.
In the above embodiments, all or part of the implementation may be realized by software, hardware, firmware or any combination thereof. When implemented using a software program, may take the form of a computer program product, either entirely or partially. The computer program product includes one or more computer instructions. When loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded or executed on a computer, cause the flow or functions according to embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website site, computer, server, or data center to another website site, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more collections of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a Solid State Drive (SSD).
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the embodiments of the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical functional division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another device, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, that is, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The foregoing is only illustrative of the present invention. Those skilled in the art can conceive of changes or substitutions based on the specific embodiments provided by the present invention, and all such changes or substitutions are intended to be included within the scope of the present invention.

Claims (11)

1. A method for processing an identity key, comprising:
the method comprises the steps that first equipment obtains a first identity key of a virtual machine, the first identity key is used for carrying out identity authentication on the virtual machine, the first equipment is accessed into a server through a PCIe (peripheral component interface express) bus of a high-speed serial computer expansion bus standard, and the virtual machine is deployed in the server;
the first device encrypts the first identity key by using a device key to obtain a second identity key, wherein the device key is a globally unique key generated according to an identifier of the first device, the device key is stored in a storage area of the first device, and the first device and other components in the server are isolated from each other;
the first equipment stores the second identity key in a first storage area;
and the first equipment signs the access request of the virtual machine according to the second identity key.
2. The processing method according to claim 1,
the first storage area is a storage area in a memory of the server, or a storage area in the first device.
3. The processing method according to claim 2, wherein when the first storage area is a storage area in the memory of the server, the signing, by the first device, the access request of the virtual machine according to the second identity key includes:
the first equipment acquires an access request sent by the virtual machine;
the first device obtains the second identity key from the memory through a processor of the server, wherein the processor is used for managing the identity key;
the first device decrypts the second identity key by using the device key to obtain the first identity key;
the first device signs the access request according to the first identity key.
4. The processing method according to claim 2, wherein when the first storage area is a storage area in the processing apparatus of the identity key, the first device signs an access request of the virtual machine according to the second identity key, and includes:
the first equipment acquires an access request sent by the virtual machine;
the first equipment acquires the second identity key;
the first device decrypts the second identity key by using the device key to obtain the first identity key;
the first device signs the access request according to the first identity key.
5. The processing method according to any of claims 1 to 4, wherein the processing method for the identity key further comprises:
and the first equipment calculates the equipment key by adopting a preset algorithm according to the identifier of the first equipment.
6. A processing device for identity keys, the processing device accessing a server via a PCIe bus, a high speed serial computer expansion bus standard, the processing device being isolated from other components in the server, the processing device comprising:
the storage unit is used for storing an equipment key, and the equipment key is a global unique key generated according to the identifier of the processing device;
an obtaining unit, configured to obtain a first identity key of a virtual machine, where the first identity key is used to perform identity authentication on the virtual machine, and the virtual machine is deployed in the server;
the encryption unit is used for encrypting the first identity key acquired by the acquisition unit by using the equipment key to acquire a second identity key;
the storage unit is further configured to store the second identity key acquired by the encryption unit in a first storage area;
and the signature unit is used for signing the access request of the virtual machine according to the second identity key stored in the storage unit.
7. The processing apparatus according to claim 6,
the first storage area is a storage area in a memory of the server or a storage area in the processing device.
8. The processing apparatus according to claim 7,
the obtaining unit is further configured to obtain, when the first storage area is a storage area in a memory of the server, an access request sent by the virtual machine, and obtain, by a processor of the server, the second identity key from the memory, where the processor is configured to manage the identity keys;
the apparatus further comprises a decryption unit;
the decryption unit is configured to decrypt the second identity key acquired by the acquisition unit with the device key to obtain the first identity key;
the signature unit is further configured to sign the access request acquired by the acquisition unit according to the first identity key acquired by the decryption unit.
9. The processing apparatus according to claim 7,
the obtaining unit is further configured to obtain, when the first storage area is a storage area in the processing apparatus, an access request sent by the virtual machine and obtain the second identity key;
the processing apparatus further comprises a decryption unit;
the decryption unit is configured to decrypt the second identity key acquired by the acquisition unit with the device key to obtain the first identity key;
the signature unit is configured to sign the access request acquired by the acquisition unit according to the first identity key acquired by the decryption unit.
10. The processing apparatus according to any of claims 6-7, characterized in that the processing apparatus further comprises a calculation unit;
and the calculating unit is used for calculating the equipment secret key by adopting a preset algorithm according to the identifier of the processing device.
11. A server, characterized in that the server comprises a first device having computer executable instructions stored therein, and that when the server is running, the first device executes its stored computer executable instructions to perform the operational steps of the method for processing an identity key according to any one of claims 1 to 5 using hardware resources in the server.
CN201811163445.6A 2018-09-30 2018-09-30 Method and device for processing identity key and server Active CN109525396B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811163445.6A CN109525396B (en) 2018-09-30 2018-09-30 Method and device for processing identity key and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811163445.6A CN109525396B (en) 2018-09-30 2018-09-30 Method and device for processing identity key and server

Publications (2)

Publication Number Publication Date
CN109525396A CN109525396A (en) 2019-03-26
CN109525396B true CN109525396B (en) 2021-02-23

Family

ID=65771741

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811163445.6A Active CN109525396B (en) 2018-09-30 2018-09-30 Method and device for processing identity key and server

Country Status (1)

Country Link
CN (1) CN109525396B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111414640B (en) * 2020-02-14 2022-07-22 华为技术有限公司 Key access control method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103679037A (en) * 2013-12-05 2014-03-26 长城信息产业股份有限公司 Asymmetric encryption authentication method and embedded device based on asymmetric encryption authentication
CN104618096A (en) * 2014-12-30 2015-05-13 华为技术有限公司 Method and device for protecting secret key authorized data, and TPM (trusted platform module) secrete key management center
CN106789037A (en) * 2017-01-24 2017-05-31 山东渔翁信息技术股份有限公司 A kind of endorsement method and device of PKCS#11 interface interchanges encryption device
CN108429719A (en) * 2017-02-14 2018-08-21 华为技术有限公司 Cryptographic key protection method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101778381B (en) * 2009-12-31 2012-07-04 卓望数码技术(深圳)有限公司 Digital certificate generation method, user key acquisition method, mobile terminal and device
CN102377564B (en) * 2011-11-15 2015-03-11 华为技术有限公司 Method and device for encrypting private key
CN103023920B (en) * 2012-12-27 2016-04-13 华为技术有限公司 Secure virtual machine guard method and device
US10348500B2 (en) * 2016-05-05 2019-07-09 Adventium Enterprises, Llc Key material management
CN106453313A (en) * 2016-10-15 2017-02-22 成都育芽科技有限公司 Virtual machine security verification system and method based on cloud computing platform

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103679037A (en) * 2013-12-05 2014-03-26 长城信息产业股份有限公司 Asymmetric encryption authentication method and embedded device based on asymmetric encryption authentication
CN104618096A (en) * 2014-12-30 2015-05-13 华为技术有限公司 Method and device for protecting secret key authorized data, and TPM (trusted platform module) secrete key management center
CN106789037A (en) * 2017-01-24 2017-05-31 山东渔翁信息技术股份有限公司 A kind of endorsement method and device of PKCS#11 interface interchanges encryption device
CN108429719A (en) * 2017-02-14 2018-08-21 华为技术有限公司 Cryptographic key protection method and device

Also Published As

Publication number Publication date
CN109525396A (en) 2019-03-26

Similar Documents

Publication Publication Date Title
US10601596B2 (en) Techniques to secure computation data in a computing environment
JP7416775B2 (en) Peripheral device
US10116645B1 (en) Controlling use of encryption keys
US20160028551A1 (en) Systems and methods for hardware security module as certificate authority for network-enabled devices
US9396335B2 (en) Arbitrary code execution and restricted protected storage access to trusted code
US20150220709A1 (en) Security-enhanced device based on virtualization and the method thereof
US10003467B1 (en) Controlling digital certificate use
CN111641630B (en) Encryption transmission method and device, electronic equipment and storage medium
US20200127850A1 (en) Certifying a trusted platform module without privacy certification authority infrastructure
US11936784B2 (en) Attested end-to-end encryption for transporting sensitive data
CN111200593A (en) Application login method and device and electronic equipment
US11019033B1 (en) Trust domain secure enclaves in cloud infrastructure
US20210243030A1 (en) Systems And Methods To Cryptographically Verify An Identity Of An Information Handling System
EP2863329A1 (en) Establishing physical locality between secure execution environments
CN113342473B (en) Data processing method, migration method of secure virtual machine, related device and architecture
WO2022251987A1 (en) Data encryption and decryption method and apparatus
WO2019120231A1 (en) Method and device for determining trust state of tpm, and storage medium
CN109525396B (en) Method and device for processing identity key and server
US20210126776A1 (en) Technologies for establishing device locality
US10601806B1 (en) Runtime identity confirmation for restricted server communication control
EP4198780A1 (en) Distributed attestation in heterogenous computing clusters
KR20220162609A (en) Module and method for authenticating data transfer between a storage device and a host device
US20230403138A1 (en) Agentless single sign-on techniques
JP5908131B1 (en) COMMUNICATION SYSTEM, COMMUNICATION METHOD, TERMINAL DEVICE, AND TERMINAL PROGRAM
CN116167060A (en) Trusted read-only memory system and trusted baseboard management controller system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant