CN111865609A - Private cloud platform data encryption and decryption system based on state cryptographic algorithm - Google Patents

Info

Publication number: CN111865609A
Authority: CN (China)
Prior art keywords: client, server, national, data, cloud platform
Legal status: Pending
Application number: CN202010630398.2A
Other languages: Chinese (zh)
Inventor: 林艺芳
Current assignee: Shanghai Di'an Technology Co ltd
Original assignee: Shanghai Di'an Technology Co ltd
Application filed by Shanghai Di'an Technology Co ltd
Priority to CN202010630398.2A
Publication of CN111865609A

Classifications

    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H04L63/045 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks

Abstract

The invention discloses a private cloud platform data encryption and decryption system based on a national cryptographic (SM) algorithm. An encryption and decryption module handles encryption and decryption of the communication between a client and a server, and storage encryption of a database. The cloud platform client module receives data encrypted with the national cryptographic algorithm from the server and decrypts it, and encrypts access requests with the national cryptographic algorithm before transmitting them to the server. The cloud platform server module is built on the database module and the application service module and provides the interactive interface between the client and the private cloud platform's internal application services and database: it receives data that the client has encrypted with the national cryptographic algorithm, decrypts it and forwards it to an internal server of the private cloud platform; and it receives data from servers inside the private cloud platform, encrypts it with the national cryptographic algorithm and forwards the encrypted data to the client. The database module comprises a structured data service and a backup service provided to the application service module; it encrypts the structured data with the national cryptographic algorithm and stores the encrypted structured data on the internal server.

Description

Private cloud platform data encryption and decryption system based on state cryptographic algorithm
Technical Field
The invention relates to the technical field of data encryption, and in particular to a private cloud platform data encryption and decryption system based on a national cryptographic (SM) algorithm.
Background
As the number of users grows and enterprise services expand, the existing computing resources and storage facilities of enterprises increasingly fail to meet their requirements, while system and operating costs keep rising, so enterprises need an economical, effective and easy-to-manage solution. Cloud computing is an emerging model for delivering and using information services: it abstracts server hardware into a shared resource pool through virtualization and dynamically provides users with convenient, low-cost services in three forms, namely infrastructure, platform and application. An enterprise can select a suitable cloud platform service provider according to its own needs, store its large volumes of business data, obtain computing resources and application services, and thereby share resources and adapt to business requirements such as dynamic change.
Cloud platforms can be divided into public clouds and private clouds. A public cloud is a cloud resource pool built on the internet that every user with permission can use on demand; a private cloud, by contrast, is a cloud service platform constructed for a single user's exclusive use and cannot be used by anyone other than its owner. Some enterprises are very concerned about migrating their core services to a public cloud, and many choose a private cloud platform because a private cloud is built independently for the enterprise and offers more effective control over data security, service quality and the like.
However, in a private cloud platform environment the user still loses direct control of the data: if the data is stored in the clear, the private cloud platform provider can obtain it. At the same time, data transmitted by devices connected to the private cloud platform is at risk of interception or theft in transit. Together these problems create risks to the security and privacy of user data. For enterprises in particular, business data is the lifeline of the company, and enterprise users pay close attention to the security requirements of their data. Encrypting the private cloud platform's data is therefore the mainstream method of protecting data security today.
Disclosure of Invention
The technical solution provided by the invention is a private cloud platform data encryption and decryption system based on a national cryptographic algorithm; it addresses the architecture of such a system and the one-way and two-way authentication of a client accessing the server.
The technical solution of the invention is a private cloud platform data encryption and decryption system based on a national cryptographic algorithm, comprising an encryption and decryption module, a cloud platform client module, a cloud platform server module, a database module and an application service module.
The cloud platform client initiates an access request to the server in order to access the private cloud platform's database or application service; the application service may in turn call the private cloud platform database. The communication between the client and the server is based on the national cryptographic algorithm: data transmitted between the client and the server is encrypted with the national cryptographic algorithm, and for security the private cloud platform database is encrypted with the national cryptographic algorithm before it is stored.
The encryption and decryption module encrypts and decrypts the communication between the client and the server on the one hand, and encrypts database storage on the other. The module is based on the national cryptographic algorithms published by the national cryptographic administration (State Cryptography Administration): the SM2 algorithm, an asymmetric encryption algorithm based on elliptic curves; the SM4 algorithm, a symmetric block cipher used to encrypt and decrypt data so as to ensure the confidentiality of data and information; and the SM3 algorithm, a hash algorithm used to compute a message digest so as to verify message integrity.
The cloud platform client module mainly consists of the cloud platform client software. It receives data encrypted with the national cryptographic algorithm from the server and decrypts it, and it encrypts access requests with the national cryptographic algorithm before transmitting them to the server.
The database module comprises a structured data service and a backup service provided to the application service module. The database module encrypts the structured data with the national cryptographic algorithm and stores the encrypted structured data on an internal server of the private cloud platform.
The application service module provides a complete application system for enterprise data application, management and monitoring, including support for the front-end applications and WEB access of the whole system and the provision of data, sharing services and the like to users.
On the basis of these modules, a one-way authentication process and a two-way authentication process for data transmission are formed between the client and the server. One-way authentication on the private cloud platform means that the client does not need to hold a national cryptographic certificate; correspondingly, two-way authentication means that both the client and the server hold a national cryptographic certificate.
The one-way authentication scenarios on the private cloud platform generally include, but are not limited to, WEB access and network disk access; the specific process by which the client accesses the server is:
(1) Client sends a request
The client informs the server of its locally supported national cryptographic cipher suite list and a random number generated by the client.
Preferably, the invention uses the national cryptographic cipher suite SM2_SM4_SM3.
Preferably, this random number is combined with the premaster secret and processed with the SM3 algorithm to generate a working key for encrypting and decrypting the transmitted data.
(2) Server response
After receiving the client's request, the server sends its national cryptographic certificate to the client. The certificate is an SSL certificate issued under the SM2 algorithm by a dedicated digital Certificate Authority (CA). Issuing the certificate generates a key pair consisting of a public key and a private key; the private key is kept by the server, and the public key is attached to the certificate information. The server also needs to generate a random number and send it to the client.
Preferably, when the information in the certificate sent by the server to the client is insufficient, a key agreement request also needs to be sent to the client.
Preferably, this random number is combined with the client random number and the premaster secret and processed with the SM3 algorithm to generate the working key for encrypting and decrypting the transmitted data.
(3) Client response
The client checks the server's national cryptographic certificate; if the certificate has no problems, the client completes the key negotiation and sends a cipher change notice (change cipher spec).
Preferably, in this step the client generates a third random number, a 48-byte key produced by the client using SM2, referred to as the premaster key.
Preferably, in this step the client also sends the SM3 digest of all content sent so far, for verification by the server.
(4) Server response
After receiving the premaster key sent by the client, the server decrypts the encrypted data with its private key, verifies the data, generates the working key in the same way as the client, and then sends a cipher change notice to the client informing it that the server has switched to the negotiated national cryptographic cipher suite and is ready to encrypt data with that suite and the working key.
Preferably, if both the client and the server can correctly encrypt and decrypt the finishing messages and the message check passes, the national cryptographic channel between the client and the server has been established successfully, and the working key can then be used to encrypt and decrypt the transmitted data.
(5) Client initiates an access request
The client sends an encrypted access request for the database/application service to the server; the server decrypts it and forwards it to the private cloud platform. The database/application service then responds to the request.
Preferably, the database is encrypted with the national cryptographic algorithm and stored on the internal server of the private cloud platform.
Preferably, the encrypted stored database resources can be called when the application service responds, so that complete enterprise data application, management and monitoring services can be provided.
The two-way (mutual) authentication scenarios on the private cloud platform generally include, but are not limited to, online banking applications and enterprise integration applications; the specific process by which the client accesses the server is:
(1) Client sends a request
The client informs the server of its locally supported national cryptographic cipher suite list and a random number generated by the client.
Preferably, the invention uses the national cryptographic cipher suite SM2_SM4_SM3.
Preferably, this random number is combined with the premaster secret and processed with the SM3 algorithm to generate a working key for encrypting and decrypting the transmitted data.
(2) Server response
After receiving the client's request, the server sends its national cryptographic certificate to the client. The certificate is an SSL certificate issued under the SM2 algorithm by a dedicated digital Certificate Authority (CA). Issuing the certificate generates a key pair consisting of a public key and a private key; the private key is kept by the server, and the public key is attached to the certificate information. The server also needs to generate a random number and send it to the client. Because mutual authentication is required, the server additionally sends a certificate request to the client.
Preferably, when the information in the certificate sent by the server to the client is insufficient, a key agreement request also needs to be sent to the client.
Preferably, this random number is combined with the client random number and the premaster secret and processed with the SM3 algorithm to generate the working key for encrypting and decrypting the transmitted data.
(3) Client response
The client sends its local national cryptographic certificate to the server, and the server verifies the client's validity. At the same time, the client checks the server's national cryptographic certificate; if the certificate has no problems, the client completes the key negotiation and sends a cipher change notice (change cipher spec).
Preferably, in this step the client generates a third random number, a 48-byte key produced by the client using SM2, referred to as the premaster key.
Preferably, in this step the client also sends the SM3 digest of all content sent so far, for verification by the server.
(4) Server response
After receiving the client's national cryptographic certificate, the server checks it; if there is no problem, the server decrypts the encrypted premaster key with its private key, generates the working key in the same way as the client, and then sends a cipher change notice to the client informing it that the server has switched to the negotiated national cryptographic cipher suite and is ready to encrypt data with that suite and the working key.
Preferably, if both the client and the server can correctly encrypt and decrypt the finishing messages and the message check passes, the national cryptographic channel between the client and the server has been established successfully, and the working key can then be used to encrypt and decrypt the transmitted data.
(5) Client initiates an access request
The client sends an encrypted access request for the database/application service to the server; the server decrypts it and forwards it to the private cloud platform. The private cloud then responds to the database/application service access request.
Preferably, the database is encrypted with the national cryptographic algorithm and stored on the internal server of the private cloud platform.
Preferably, the encrypted stored database resources can be called when the application service responds, so that complete enterprise data application, management and monitoring services can be provided.
(6) Server responds to the access request
The private cloud platform responds to the client's database/application service access request and passes the result to the server; the server encrypts the data with the working key and forwards it to the client.
The advantages of the invention are that it provides a private cloud platform data encryption and decryption system based on a national cryptographic algorithm, further guarantees the security of user data in a private cloud environment, and at the same time applies cryptographic algorithms independently developed in China, in line with the requirements of the national cryptographic administration.
Drawings
The invention is further described with reference to the following figures and examples:
FIG. 1 is a block diagram of the private cloud platform data encryption and decryption system;
FIG. 2 is a relationship diagram of the one-way authentication process of a client accessing the server;
FIG. 3 is a relationship diagram of the two-way authentication process of a client accessing the server.
Detailed Description
Example 1
The one-way authentication process between the client and the server comprises the following steps:
1. The client informs the server of its locally supported national cryptographic cipher suite list and a random number A generated by the client; random number A is combined with the premaster key and processed with the SM3 algorithm to generate a working key for encrypting and decrypting the transmitted data.
2. After receiving the client's request and working key a, the server sends its national cryptographic certificate to the client; issuing the certificate generates a public key and a private key at the same time; the private key is kept by the server, and the public key is attached to the certificate information. The server also needs to generate a random number B; it combines random number A, random number B and the premaster key, processes them with the SM3 algorithm to generate a working key b for encrypting and decrypting the transmitted data, and sends working key b to the client.
3. The client checks the server's national cryptographic certificate; if the certificate has no problems, the client completes the key negotiation and sends a cipher change notice. At the same time, the client generates a third random number C, a 48-byte premaster key generated by the client using SM2.
4. After receiving the premaster key sent by the client, the server decrypts the encrypted data with its private key and verifies it; the server generates a working key c in the same way as the client, then sends a cipher change notice to the client informing it that the server has switched to the negotiated national cryptographic cipher suite and is ready to encrypt data with that suite.
5. The client sends an encrypted access request for the database/application service to the server; the server decrypts it and forwards it to the private cloud platform.
Example 2
The two-way authentication process between the client and the server comprises the following steps:
1. The client informs the server of its locally supported national cryptographic cipher suite list and a random number A generated by the client; random number A is combined with the premaster key and processed with the SM3 algorithm to generate a working key for encrypting and decrypting the transmitted data.
2. After receiving the client's request and working key a, the server sends its national cryptographic certificate to the client; issuing the certificate generates a public key and a private key at the same time; the private key is kept by the server, and the public key is attached to the certificate information. The server also needs to generate a random number B; it combines random number A, random number B and the premaster key, processes them with the SM3 algorithm to generate a working key b for encrypting and decrypting the transmitted data, and sends working key b to the client. At the same time, the server also sends a request for the client's national cryptographic certificate.
3. The client sends its local national cryptographic certificate to the server so that the server can verify the client's validity. At the same time, the client checks the server's national cryptographic certificate; if the certificate has no problems, the client completes the key negotiation and sends a cipher change notice. The client also generates a third random number C, a 48-byte premaster key generated by the client using SM2.
4. After receiving the client's national cryptographic certificate, the server checks it; if the certificate is valid, the server decrypts the encrypted premaster key with its private key. The server generates a working key c in the same way as the client, then sends a cipher change notice to the client informing it that the server has switched to the negotiated national cryptographic cipher suite and is ready to encrypt data with that suite.
5. The client sends an encrypted access request for the database/application service to the server; the server decrypts it and forwards it to the private cloud platform.
The embodiments are merely illustrative of the principles and effects of the present invention, and do not limit the invention. Any person skilled in the art can modify or change the above-mentioned embodiments without departing from the spirit and scope of the present invention. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical concepts disclosed herein be covered by the appended claims.

Claims (6)

1. A private cloud platform data encryption and decryption system based on a national cryptographic algorithm comprises; the system comprises an encryption module, a cloud platform client module, a cloud platform server module, a database module and an application service module; the method is characterized in that:
The encryption and decryption module is used for encrypting and decrypting communication between the client and the server and storing and encrypting the database;
the cloud platform client module is used for receiving the data encrypted by the national secret algorithm from the server, completing decryption, encrypting the access request by the national secret algorithm and transmitting the access request to the server;
the cloud platform server module is established on the database module and the application service module and provides an interactive interface between the client and the private cloud platform internal application service and the database; receiving data encrypted by a client through a national cryptographic algorithm, and forwarding the data to an internal server of the private cloud platform after decryption; receiving data of a server in the private cloud platform, encrypting the data through a national cryptographic algorithm, and forwarding the encrypted data to a client;
and the database module comprises a structured data service and a backup service which are provided for the application service module, and the database module encrypts the structured data through a national secret algorithm and stores the encrypted structured data on an internal server of the private cloud platform.
2. The private cloud platform data encryption and decryption system based on the cryptographic algorithm of claim 1, wherein the encryption and decryption module comprises: a one-way authentication process, in which the client does not use a national cryptographic certificate to encrypt and decrypt communication with the server, and a two-way authentication process, in which both the client and the server use national cryptographic certificates to encrypt and decrypt communication with each other.
3. The private cloud platform data encryption and decryption system based on the cryptographic algorithm of claim 2, wherein: the one-way authentication process includes:
the client informs the server of: the list of locally supported national cryptographic cipher suites and a random number A generated by the client; random number A is combined with a pre-master key to generate, through the cryptographic algorithm SM3, a working key for encrypting and decrypting transmitted data;
after receiving the client's request and working key a, the server sends its national cryptographic certificate to the client; the national cryptographic certificate can generate a public key and a private key at the same time; the private key is kept by the server and the public key is attached to the certificate information; meanwhile, the server also needs to generate a random number B; the server combines random number A, random number B and the pre-master key, passes the combination through the cryptographic algorithm SM3 to generate working key B for encrypting and decrypting transmitted data, and sends working key B to the client;
the client checks the server's national cryptographic certificate, and if the certificate has no problem, the client completes key negotiation and sends a cipher change notice; meanwhile, the client generates a third random number C, which is a 48-byte pre-master key generated by the client using SM2;
after receiving the pre-master key transmitted by the client, the server decrypts the encrypted data with its private key and verifies it; the server generates working key c in the same way as the client, then sends a cipher change notice to the client informing it that it has switched to the negotiated national cryptographic cipher suite and prepares to encrypt data with that suite;
the client initiates an encrypted access request for the database/application service to the server; the server decrypts the request and forwards it to the private cloud platform.
4. The private cloud platform data encryption and decryption system based on the cryptographic algorithm of claim 3, wherein: the national cryptographic cipher suite in the first step comprises the national cryptographic algorithms SM2, SM3 and SM4.
5. The private cloud platform data encryption and decryption system based on the cryptographic algorithm of claim 3, wherein: in the fifth step, the database is encrypted through a national secret algorithm and then stored on an internal server of the private cloud platform; and when the application service responds, the encrypted and stored database resources can be called so as to provide complete application, management and monitoring application services of the enterprise data.
6. The private cloud platform data encryption and decryption system based on the cryptographic algorithm of claim 3, wherein: the bidirectional authentication process comprises:
the client informs the server of: the list of locally supported national cryptographic cipher suites and a random number A generated by the client; random number A is combined with a pre-master key to generate, through the cryptographic algorithm SM3, a working key for encrypting and decrypting transmitted data;
after receiving the client's request and working key a, the server sends its national cryptographic certificate to the client; the national cryptographic certificate can generate a public key and a private key at the same time; the private key is kept by the server and the public key is attached to the certificate information; meanwhile, the server also needs to generate a random number B; the server combines random number A, random number B and the pre-master key, passes the combination through the cryptographic algorithm SM3 to generate working key B for encrypting and decrypting transmitted data, and sends working key B to the client; at the same time, the server also sends a national cryptographic certificate request to the client;
the client sends its local national cryptographic certificate to the server so that the server can verify the client's validity; meanwhile, the client checks the server's national cryptographic certificate, and if the certificate has no problem, the client completes key negotiation and sends a cipher change notice; the client also generates a third random number C, which is a 48-byte pre-master key generated by the client using SM2;
the server receives the client's national cryptographic certificate and checks it; if the certificate is qualified, the server decrypts the encrypted pre-master key with its private key; the server generates working key c in the same way as the client, then sends a cipher change notice to the client informing it that it has switched to the negotiated national cryptographic cipher suite and prepares to encrypt data with that suite;
the client initiates an encrypted access request for the database/application service to the server; the server decrypts the request and forwards it to the private cloud platform.
CN202010630398.2A 2020-07-03 2020-07-03 Private cloud platform data encryption and decryption system based on state cryptographic algorithm Pending CN111865609A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010630398.2A CN111865609A (en) 2020-07-03 2020-07-03 Private cloud platform data encryption and decryption system based on state cryptographic algorithm


Publications (1)

Publication Number Publication Date
CN111865609A true CN111865609A (en) 2020-10-30

Family

ID=73153746


Country Status (1)

Country Link
CN (1) CN111865609A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112672098A (en) * 2020-12-30 2021-04-16 北京弈天诚达科技有限公司 Cloud video conference encryption method, device and system
CN113190878A (en) * 2021-05-12 2021-07-30 广东康宝莱智慧水务有限公司 National secret encryption algorithm and water affair internet of things acquisition system
CN113642014A (en) * 2021-07-23 2021-11-12 广州有信科技有限公司 Data access system based on hybrid cloud and public cloud server
CN113992702A (en) * 2021-09-16 2022-01-28 深圳市证通电子股份有限公司 Storage state encryption reinforcing method and system for ceph distributed file system
CN113992346A (en) * 2021-09-16 2022-01-28 深圳市证通电子股份有限公司 Implementation method of security cloud desktop based on state password reinforcement
CN115208615A (en) * 2022-05-20 2022-10-18 北京科技大学 Data encryption transmission method for numerical control system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107896147A (en) * 2017-12-07 2018-04-10 福建联迪商用设备有限公司 A kind of method and its system for consulting interim conversation key based on national secret algorithm
CN108429620A (en) * 2018-01-25 2018-08-21 新华三技术有限公司 Method for building up, system and the client and server-side of secure connection
CN108683498A (en) * 2018-05-14 2018-10-19 国网江西省电力有限公司电力科学研究院 A kind of cloud terminal management-control method based on changeable key national secret algorithm
CN110299995A (en) * 2019-07-11 2019-10-01 北京电子科技学院 A kind of two-way authentication cryptographic key negotiation method and system for supporting domestic cryptographic algorithm based on RLWE
CN110995414A (en) * 2019-12-23 2020-04-10 中金金融认证中心有限公司 Method for establishing channel in TLS1_3 protocol based on cryptographic algorithm


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
XIN ZHENG: "The Software/Hardware Co-Design and Implementation of SM2/3/4 Encryption/Decryption and Digital Signature System", 《IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS》 *
国家市场监督管理总局国家标准化管理委员会 (State Administration for Market Regulation, Standardization Administration of China): "National Standard of the People's Republic of China GB/T 38636-2020", 28 April 2020 *
陈庄 (Chen Zhuang): "Research on a cloud data encryption scheme based on national cryptographic algorithms", Journal of Information Security Research (《信息安全研究》) *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201030