CN111934885A - Password device security virtualization method and system based on proxy mechanism - Google Patents


Info

Publication number
CN111934885A
Authority
CN
China
Prior art keywords
proxy
signature
password
key
virtual machine
Prior art date
Legal status
Granted
Application number
CN202010718000.0A
Other languages
Chinese (zh)
Other versions
CN111934885B (en)
Inventor
涂翠
王茜艳
Current Assignee
Wuhan Jahport Technology Co ltd
Original Assignee
Wuhan Jahport Technology Co ltd
Events
Application filed by Wuhan Jahport Technology Co ltd
Priority to CN202010718000.0A
Publication of CN111934885A
Application granted
Publication of CN111934885B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L 9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Abstract

The invention discloses a secure virtualization method and system for cryptographic devices based on a proxy mechanism. A cryptographic algorithm interface based on a proxy signature mechanism is implemented; the cryptographic device and a plurality of virtual machines sign a proxy agreement through this interface, delegating the cryptographic service of the device to the virtual machines; after a user's cryptographic service request is received, either the cryptographic device is called directly to execute the requested service, or the task is forwarded to an authorized virtual machine, which executes it. By signing the proxy agreement through the proxy signature algorithm interface and delegating the device's cryptographic service to multiple virtual machines, the method and system expand service resources and relieve the performance bottleneck of the cryptographic device.

Description

Password device security virtualization method and system based on proxy mechanism
Technical Field
The invention relates to the technical field of information security, in particular to a secure virtualization method and system for cryptographic devices based on a proxy mechanism.
Background
With the rapid development of the internet and information technology, network communication has become an indispensable part of daily work and life. People store more and more information on the internet and use it to handle all kinds of matters, so ensuring information security in the information era is a long-standing problem.
Cryptography is a key technology for information security and plays a particularly important and effective role in protecting data. To ensure the confidentiality, integrity, authenticity and non-repudiation of transmitted data, communicating parties usually encrypt the communication data and generate digital signatures. With the advent of the data era, service networks have become ever larger and more complex, the demand for encryption, decryption, signing and verification in communication keeps growing, and private keys are used more and more heavily; how to overcome the performance bottleneck of the provider of cryptographic operations has therefore become a problem to be solved.
Cryptographic devices are the primary products on the current market for key management and cryptographic services, and their importance is self-evident. Although cloud cryptographic devices have been proposed and are developing rapidly, most industrial applications still use physical cryptographic devices: on one hand, doubts remain about the security guarantees of cloud cryptographic devices, and on the other hand, because of the cost of upgrading and rebuilding, many industries have not yet moved to the cloud. As services keep expanding and the demand for service speed increases, higher requirements are placed on the service performance of cryptographic devices, and how to improve device performance as much as possible while preserving the security of the device has become a hot research topic.
In implementing the present invention, the inventors found that the prior art has at least the following technical problems:
Traditional virtualization technology can abstract the underlying hardware resources and provide services to users transparently. Although this improves service performance to some extent, because of the characteristics of cryptographic devices (for example, private-key operations are only accessible through the device interface), the final load of the service still falls on the cryptographic device that stores the private key, and no matter how the device is abstracted, service performance cannot be effectively improved. Adding cryptographic device resources can solve the performance problem, but given the high price of physical cryptographic devices, finding an economical and efficient solution is bound to become a new direction for the information security industry.
Disclosure of Invention
The invention provides a secure virtualization method and system for cryptographic devices based on a proxy mechanism, to solve or at least partially solve the technical problem of poor service performance in the prior art.
To solve the above technical problem, a first aspect of the invention provides a secure virtualization method for a cryptographic device based on a proxy mechanism, including:
implementing a cryptographic algorithm interface based on a proxy signature mechanism;
signing a proxy agreement between the cryptographic device and a plurality of virtual machines through the cryptographic algorithm interface, delegating the cryptographic service of the cryptographic device to the virtual machines;
after receiving a user's cryptographic service request, either calling the cryptographic device directly to execute the requested cryptographic service, or forwarding the task to an authorized virtual machine so that the virtual machine executes it.
In one embodiment, the cryptographic algorithm based on the proxy signature mechanism includes a proxy signature algorithm with proxy authorization information and a proxy signature algorithm without proxy authorization information.
In one embodiment, the proxy signature algorithm with proxy authorization information comprises the following steps:
Preparing system parameters: the original signer has identity information $ID_A$ and key pair $P_A=[d_A]G$; the proxy signer has identity information $ID_B$; the proxy expiry time is $Time_{AB}$; the serial number of the delegated key is $NUM$ (8 bits); these are combined into the proxy authorization information $w = ID_A \| ID_B \| Time_{AB} \| NUM$;
Proxy authorization: the original signer generates a random number $k_A$, computes the elliptic-curve point $G_A=[k_A]G=(x_A,y_A)$, where $x_A$ and $y_A$ are the x- and y-coordinates of $G_A$, computes the hash value of the proxy authorization information $e=\mathrm{hash}(w) \bmod n$ and the proxy private key $d_P = k_A\cdot x_A + e\cdot d_A \bmod n$, and sends the proxy secret information $(w, G_A, d_P)$ to the proxy signer over a secure channel;
Verifying the proxy key: the proxy signer computes the hash value of the proxy authorization information $e=\mathrm{hash}(w) \bmod n$ and verifies that $[d_P]G = [x_A]G_A + [e]P_A$; if the equation holds, $(w, G_A, d_P)$ is a valid set of proxy keys, and $d_P$ together with the proxy public key $P_P=[x_A]G_A+[e]P_A$ is the valid proxy key for the original key numbered $NUM$;
Generating a proxy signature: the proxy signer uses the proxy private key $d_P$ with the signature generation algorithm of the public key cryptographic algorithm;
Verifying the proxy signature: the verifier uses the proxy public key $P_P$ with the signature verification algorithm of the public key cryptographic algorithm.
In one embodiment, the proxy signature algorithm without proxy authorization information comprises the following steps:
Preparing system parameters: the original signer has key pair $P_A=[d_A]G$, where $P_A$ is the public key, $d_A$ the private key and $G$ the generator;
Proxy authorization: the original signer generates a random number $k_A$, computes the elliptic-curve point $G_A=[k_A]G=(x_A,y_A)$ and the proxy private key $d_P=k_A\cdot x_A+d_A \bmod n$, and sends the proxy secret information $(G_A,d_P)$ to the proxy signer over a secure channel;
Verifying the proxy key: the proxy signer verifies that $[d_P]G=[x_A]G_A+P_A$; if the equation holds, $(G_A,d_P)$ is a valid set of proxy keys and $P_P=[x_A]G_A+P_A$ is the proxy public key;
Generating a proxy signature: the proxy signer uses the proxy private key $d_P$ with the signature generation algorithm of the public key cryptographic algorithm;
Verifying the proxy signature: the verifier uses the proxy public key $P_P$ with the signature verification algorithm of the public key cryptographic algorithm.
In one embodiment, before the proxy agreement is signed between the cryptographic device and the virtual machine through the cryptographic algorithm interface, the method further comprises:
the virtual machine sends a registration request containing its identity information to the cryptographic device service center;
the cryptographic device service center authenticates the virtual machine based on the identity information in the registration request; if authentication passes, the virtual identity information is registered and registration succeeds; if it fails, an error is returned. When authentication passes, a proxy agreement is signed between the cryptographic device and the virtual machine through the cryptographic algorithm interface; the proxy agreement specifies a proxy time limit and a proxy scope.
In one embodiment, signing the proxy agreement between the cryptographic device and the virtual machines through the cryptographic algorithm interface to delegate the device's cryptographic service to the virtual machines includes:
the cryptographic device service center receives a proxy request sent by a virtual machine through the virtual machine service center, the request containing the index number of the requested key;
the content of the proxy agreement signed by the virtual machine is examined; after the examination passes, the cryptographic device generates a proxy key corresponding to the requested key index number, and the proxy key information is stored;
the proxy key is sent to the corresponding virtual machine in a preset secure manner, and the virtual machine stores it upon receipt.
In one embodiment, the cryptographic service executed by directly calling the cryptographic device includes a signature service and a signature verification service executed by the device, implemented as follows:
a signature request or signature verification request for the cryptographic device is received from a user; the input parameters of the signature request comprise user identity data, a key password and signature parameters, and those of the signature verification request comprise user identity data, a key password and verification parameters;
for the signature service, the user identity data, the key password and the format of the request's input parameters are checked; after the checks pass, the signature parameters, comprising the message to be signed and the index number of the signing key in the cryptographic device, are forwarded to the device through a forwarding layer. For the signature verification service, the user identity data, the key password and the format of the request's input parameters are checked; after the checks pass, the verification parameters, comprising the signature, the signed data to be verified and the index number of the verification key in the cryptographic device, are forwarded to the device through the forwarding layer;
the cryptographic device performs the signature computation based on the signature parameters, or the verification computation based on the verification parameters, and returns the result to the forwarding layer, which sends it to the user at the service layer.
In one embodiment, the cryptographic service executed by the virtual machine includes a signature service and a signature verification service, implemented as follows:
a signature request or signature verification request for the cryptographic device is received from a user; the input parameters of the signature request comprise user identity data, a key password and signature parameters, and those of the signature verification request comprise user identity data, a key password and verification parameters;
for the signature service, the user identity data, the key password and the format of the request's input parameters are checked; after the checks pass, the signature parameters, comprising the message to be signed and the index number of the signing key in the virtual machine, are forwarded to the cryptographic device through a forwarding layer. For the signature verification service, the user identity data, the key password and the format of the request's input parameters are checked; after the checks pass, the verification parameters, comprising the signature, the signed data to be verified and the index number of the verification key in the virtual machine, are forwarded to the cryptographic device through the forwarding layer;
the virtual machine performs the signature computation based on the signature parameters, or the verification computation based on the verification parameters, and returns the result to the forwarding layer, which sends it to the user at the service layer.
Based on the same inventive concept, a second aspect of the invention provides a secure virtualization system for cryptographic devices based on a proxy mechanism, the system comprising:
a user management center, which manages users, including the life cycle of registration, suspension, activation and deregistration, user identity information, the allocation and management of user permissions, and the generation, issuance and verification of user login tokens;
a cryptographic device service center, which registers and manages virtual machines: it receives registration requests sent by the virtual machine service center and, after successful registration, receives requests for the relevant proxy keys sent by the virtual machine service center and delegates and authorizes the virtual machines;
a cryptographic device, which is the carrier of the cryptographic service functions and generates proxy keys after the cryptographic device service center has delegated and authorized a virtual machine;
a virtual machine service center, which sends registration requests and requests for the relevant proxy keys to the cryptographic device service center, and manages the proxy keys after the virtual machines have been authorized.
In one embodiment, the functions of the cryptographic device service center further include invoking the cryptographic services of the cryptographic device and managing virtual machine identity information.
One or more technical solutions in the embodiments of the present application have at least the following technical effects:
The invention provides a secure virtualization method for cryptographic devices based on a proxy mechanism: first, a cryptographic algorithm interface based on a proxy signature mechanism is implemented; then a proxy agreement is signed between the cryptographic device and the virtual machines through this interface, delegating the device's cryptographic service to the virtual machines; after a user's cryptographic service request is received, either the cryptographic device is called directly to execute the requested service, or the task is forwarded to an authorized virtual machine, which executes it. Because the proxy agreement is signed through the proxy signature algorithm interface and the device's cryptographic service is delegated to multiple virtual machines, the proxy mechanism lets the cryptographic device authorize the virtual machines to execute high-demand cryptographic operations in its place while ensuring that the security key stored in the device is not leaked; service resources are thereby effectively expanded, the performance bottleneck of the cryptographic device is relieved, and its service performance is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic diagram of secure virtualized cryptographic service invocation in an embodiment of the present invention.
Fig. 2 is a flow chart of signature verification of a cryptographic device in an embodiment of the present invention.
Fig. 3 is a flowchart of virtual machine authorization delegation in an embodiment of the invention.
Fig. 4 is a flow chart of virtual machine signature verification in the embodiment of the present invention.
Fig. 5 is a schematic diagram of a secure virtualization system of a cryptographic device in an embodiment of the present invention.
Detailed Description
To solve the problem of poor service performance of cryptographic devices in the prior art, the invention provides a secure virtualization method and system for cryptographic devices based on a proxy mechanism. Using the proxy mechanism, the cryptographic device authorizes a delegated virtual machine to execute high-demand cryptographic service operations in its place while ensuring that the security key stored in the device is not leaked, so that service resources are effectively expanded and the performance bottleneck of the cryptographic device is relieved.
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The embodiment of the invention provides a secure virtualization method for cryptographic devices based on a proxy mechanism, comprising the following steps:
implementing a cryptographic algorithm interface based on a proxy signature mechanism;
signing a proxy agreement between the cryptographic device and a plurality of virtual machines through the cryptographic algorithm interface, delegating the cryptographic service of the cryptographic device to the virtual machines;
after receiving a user's cryptographic service request, either calling the cryptographic device directly to execute the requested cryptographic service, or forwarding the task to an authorized virtual machine so that the virtual machine executes it.
Specifically, the cryptographic algorithm interface based on the proxy signature mechanism, i.e. the proxy signature algorithm, mainly comprises system parameter setup, proxy authorization and proxy verification interfaces. The proxy agreement is signed between the cryptographic device and the virtual machines through this interface, the cryptographic service of the device is delegated to the virtual machines, service resources are expanded, and the performance bottleneck of the cryptographic device is relieved. The system mainly consists of four parts: the cryptographic device, the user management center, the cryptographic device service center and the virtual machine service center. The secure virtualization method and system for cryptographic devices based on the proxy mechanism have the following characteristics:
(1) Security of the original key. The original key is stored only in the original physical cryptographic device and cannot be exported from it; after a proxy virtual machine obtains the proxy key for the original key, it should be computationally infeasible to derive the original key from the proxy key;
(2) The proxy is unprotected. In this type of proxy signature, apart from the original signer, only the proxy signer designated by the original signer can produce a valid proxy signature on its behalf (that is, both the original signer and the proxy signer know the proxy key), and an undesignated third party can neither obtain the proxy key nor forge a valid proxy signature. Most applications require that the original signer keep control of how the proxy signer's key is used, so that if the proxy signer cannot fulfil its role for some unexpected reason, the original signer can complete the task in its place. In the secure virtualization scenario of a cryptographic device, it must be guaranteed that when a virtual machine goes down for some reason and can no longer provide services, the cryptographic device can take over its work; therefore the proxy signature must be of the proxy-unprotected type;
(3) Unforgeability. Apart from the cryptographic device, only the designated virtual machine can perform the computing tasks of the designated key (including signature verification, encryption and decryption, etc.) on behalf of the cryptographic device;
(4) Verifiability. From the result returned by the virtual machine (e.g. a digital signature on a message), the user can be convinced that the cryptographic device agreed to the signed message;
(5) Non-repudiation. Once a virtual machine has produced a result (e.g. a returned digital signature), it cannot deny to the cryptographic device that it produced that result;
(6) Identifiability. The user can recognise and distinguish results produced by the cryptographic device from results produced by a virtual machine; for the cryptographic device, the results of different virtual machines are distinguishable, and the identity of the virtual machine can be determined from its result;
(7) Independent security. After a virtual machine is compromised, an attacker cannot obtain the original security key of the cryptographic device, or the proxy keys of other virtual machines, from that virtual machine's key;
(8) Based on public key cryptographic algorithms (including but not limited to SM2, SM9, ECC and RSA) and a proxy signature mechanism, the secure virtualization of the cryptographic device is realized, the load on the cryptographic device is relieved, and system performance is improved.
In one embodiment, the cryptographic algorithm based on the proxy signature mechanism includes a proxy signature algorithm with proxy authorization information and a proxy signature algorithm without proxy authorization information.
Specifically, the invention realizes the secure virtualization of the cryptographic device using a proxy signature mechanism. In a proxy signature, the original signer delegates its signing authority to a proxy signer, who can then generate valid signatures on messages on behalf of the original signer.
Generally, a proxy signature algorithm has five stages: initialization, which prepares the system parameters; authorization delegation, in which the original signer generates the secret information or proxy key and transmits it to the proxy signer; proxy verification, in which the proxy signer checks that the received authorization information is genuine and valid; proxy signing, in which the proxy signer signs the message with the proxy key; and proxy signature verification, in which a verifier checks whether the proxy signature is valid. The formal definition of the proxy signature algorithm is given below:
System parameter preparation (prepare): Alice is the original signer with key pair $P_A=[d_A]G$, where $P_A$ is the public key, $d_A$ the private key and $G$ the generator.
Proxy authorization (proxy): Alice selects a random number $k_A$ and computes the elliptic-curve point $G_A=[k_A]G=(x_A,y_A)$; if $x_A = 0$, $k_A$ is regenerated. She computes the proxy private key $d_P=k_A\cdot x_A + d_A \bmod n$ and sends the proxy secret information $(G_A, d_P)$ to the proxy signer Bob over a secure channel. Bob verifies $[d_P]G=[x_A]G_A+P_A$; if the equation holds, $(G_A,d_P)$ is a valid set of proxy keys. The public key corresponding to the proxy private key $d_P$ is $P_P=[x_A]G_A+P_A$.
Proxy signature verification (verify): after receiving the proxy signature, the verifier computes the proxy public key from the public information and uses it to verify the validity of the proxy signature.
In one embodiment, the proxy signature algorithm with proxy authorization information comprises the following steps:
preparing system parameters; wherein, the original signer identity information is IDAWith a key pair: pA=[dA]G, the identity information of the proxy signer is IDBProxy expiration TimeABThe serial number NUM (8 bits) of the key of the proxy, and proxy authorization information w, which is combined into a proxy signer, are IDA||IDB||TimeAB||NUM;
Proxy authorization; the original signer obtains the random number
Figure BDA0002598923900000082
Calculating the point G on the elliptic curveA=[kA]G=(xA,yA) Wherein x isA,yAAre each GAX coordinate, y coordinate, proxy authorization information hash value e ═ hash (w) mod n, proxy private key dP=kA·xA+e·dAmod n, proxy secret information (w, G)A,dP) Sending the signature to the proxy signer through a secure channel;
verifying the proxy key; the proxy signer calculates a proxy authorization information hash value e ═ hash (w) mod n, and verifies: proxy public key Pp=[xA]GA+[e]PAIf true, then (w, G)A,dP) Is a set of valid proxy keys, dPAnd PpIs a valid proxy key of a group of original keys numbered NUM;
generating a proxy signature;using proxy private key dPGenerating a proxy signature by adopting a generation algorithm of a public key cryptographic algorithm digital signature;
verifying the proxy signature; using a proxy public key PpAnd verifying the proxy signature by adopting a verification algorithm of a public key cryptographic algorithm digital signature.
It should be noted that, in the present embodiment, the implementation steps of the proxy signature algorithm are given by taking the SM2 elliptic curve public key cryptographic algorithm combined with the proxy signature mechanism as an example; other algorithms such as SM9, ECC and RSA may also be used, which is not described in detail here.
In one embodiment, the proxy signature algorithm without proxy authorization information comprises the following steps:
preparing system parameters; the original signer has a key pair satisfying $P_A = [d_A]G$, where $P_A$ is the public key, $d_A$ is the private key and $G$ is the generator;
proxy authorization; the original signer generates a random number $k_A$, computes the point $G_A = [k_A]G = (x_A, y_A)$ on the elliptic curve and the proxy private key $d_P = k_A \cdot x_A + d_A \bmod n$, and sends the proxy secret information $(G_A, d_P)$ to the proxy signer through a secure channel;
verifying the proxy key; the proxy signer verifies the proxy public key $P_P = [x_A]G_A + P_A$ against $d_P$, that is, that $[d_P]G = P_P$; if the equation holds, $(G_A, d_P)$ is a valid proxy key;
generating a proxy signature: using the proxy private key $d_P$, generate the proxy signature with the signature generation algorithm of the SM2 elliptic curve public key cryptographic algorithm;
proxy signature verification: using the proxy public key $P_P$, verify the proxy signature with the signature verification algorithm of the SM2 elliptic curve public key cryptographic algorithm.
It should be noted that, in the embodiment, the implementation steps of the proxy signature algorithm are given by taking the SM2 public key cryptographic algorithm in combination with the proxy signature mechanism as an example, and other algorithms such as SM9, ECC, RSA, and the like may also be used for implementation, which is not described in detail herein.
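The two schemes above, worked end to end on the SM2 curve: the original signer derives $(G_A, d_P)$ with or without a warrant, the proxy signer checks $[d_P]G = [x_A]G_A + [e]P_A$, and a signature made with $d_P$ verifies under $P_P$. This is an added example, not the patent's code; SHA-256 stands in for the hash the text leaves unnamed and for SM3 in the SM2 digest (with $Z_A$ omitted), and the identifiers and sample message are assumptions.

```python
"""Proxy key delegation on the SM2 curve for the two schemes above (added example,
not the patent's code).  Assumptions: SHA-256 stands in for the unnamed hash in
e = hash(w) mod n and for the SM2 digest (Z_A omitted); sm2p256v1 parameters."""
import hashlib
import secrets
# sm2p256v1 (SM2 recommended curve) parameters.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication [k]pt by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def hash_mod_n(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def make_warrant(id_a, id_b, time_ab, num):
    """w = ID_A || ID_B || Time_AB || NUM, NUM being the 8-bit key serial number."""
    return id_a + id_b + time_ab + bytes([num])

def delegate(d_a, warrant=None):
    """Original signer: derive the proxy secret (G_A, d_P).  With a warrant,
    e = hash(w) mod n is folded in; without one the scheme uses e = 1."""
    e = hash_mod_n(warrant) if warrant is not None else 1
    while True:
        k_a = secrets.randbelow(N - 1) + 1
        g_a = mul(k_a, G)
        if g_a[0] % N != 0:      # the text regenerates k_A when x_A == 0
            break
    return g_a, (k_a * g_a[0] + e * d_a) % N

def proxy_public_key(p_a, g_a, warrant=None):
    """P_P = [x_A]G_A + [e]P_A, computable by anyone from public data."""
    e = hash_mod_n(warrant) if warrant is not None else 1
    return add(mul(g_a[0], g_a), mul(e, p_a))

def verify_proxy_key(p_a, g_a, d_p, warrant=None):
    """Proxy signer's acceptance check: [d_P]G must equal P_P."""
    return mul(d_p, G) == proxy_public_key(p_a, g_a, warrant)

def sm2_sign(d, msg):
    """SM2 signature (GB/T 32918.2 structure) made with the proxy private key."""
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = (e + mul(k, G)[0]) % N
        if r == 0 or r + k == N:
            continue
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if s:
            return r, s

def sm2_verify(pub, msg, sig):
    r, s = sig
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    t = (r + s) % N
    if not (1 <= r < N and 1 <= s < N and t):
        return False
    pt = add(mul(s, G), mul(t, pub))
    return pt is not None and (e + pt[0]) % N == r

def demo(with_warrant=True):
    """Device A delegates key NUM=7 to VM B; returns (sig_ok, tampered_rejected)."""
    d_a = secrets.randbelow(N - 1) + 1          # device's original private key
    p_a = mul(d_a, G)
    w = make_warrant(b"hsm-01", b"vm-A", b"20201113", 7) if with_warrant else None
    g_a, d_p = delegate(d_a, w)                  # sent to the VM over a secure channel
    assert verify_proxy_key(p_a, g_a, d_p, w)   # VM accepts the proxy key
    msg = b"request signed on the virtual machine"    # constructed sample
    sig_ok = sm2_verify(proxy_public_key(p_a, g_a, w), msg, sm2_sign(d_p, msg))
    w2 = make_warrant(b"hsm-01", b"vm-A", b"20201113", 8)  # NUM=8: different e
    return sig_ok, not verify_proxy_key(p_a, g_a, d_p, w2)
```

`demo(True)` exercises the scheme with proxy authorization information and `demo(False)` the one without; in both, a key derived under one warrant fails the check under another, which is what binds the proxy key to the key serial number NUM.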
By signing a proxy agreement between the cryptographic device and the virtual machines through the proxy signature algorithm interface, the cryptographic service of the cryptographic device is delegated to multiple virtual machines, service resources are expanded, and the performance bottleneck of the cryptographic device is relieved.
Fig. 1 is a schematic diagram of cryptographic service invocation in which a proxy mechanism is added to a traditional cryptographic service system architecture to achieve secure virtualization of the cryptographic device. The system has three layers: an execution layer, a forwarding layer and a Server layer (application layer).
Specifically, the Server layer is the user layer, where users issue cryptographic service requests and are managed by the user management center; the forwarding layer is the intermediate layer, which forwards user requests to the execution layer and returns the execution layer's computation results to the user; and the execution layer consists of the cryptographic device and the virtual machines. The cryptographic device service center, the cryptographic device, the virtual machine service center and the virtual machines together complete operations such as delegation, authorization and cryptographic service. The cryptographic device stores keys numbered 1 to m; it first authorizes its cryptographic service function to multiple virtual machines through the proxy mechanism and securely transmits the processed keys numbered 1 to k to virtual machine A, the other virtual machines being handled similarly. After the Server layer receives a cryptographic service request, the corresponding task is forwarded through the forwarding layer to the corresponding virtual machine, or the cryptographic device is called directly to execute the service, so that computing resources are expanded horizontally and elastically and cryptographic service performance is improved.
In one embodiment, before the proxy agreement is signed between the cryptographic device and the virtual machine through the cryptographic algorithm interface, the method further comprises:
the virtual machine sends a registration request to the cryptographic device service center, the registration request comprising the identity information of the virtual machine;
the cryptographic device service center verifies the identity of the virtual machine based on the virtual machine identity information in the registration request; if verification passes, the virtual machine identity information is registered and registration succeeds; if verification fails, error information is returned. Once verification has passed, a proxy agreement is signed between the cryptographic device and the virtual machine through the cryptographic algorithm interface, the proxy agreement comprising a proxy time limit and a proxy scope.
Specifically, the registration process of the virtual machine is shown in the left part of the flowchart of fig. 3. The virtual machine identity information includes, but is not limited to, name, affiliation and server configuration information. The cryptographic device service center audits the virtual machine either by online submission of materials for review or by offline review; after verifying the identity of the virtual machine, the cryptographic device service center signs a proxy agreement, which may include information such as the proxy period and proxy scope.
In one embodiment, signing a proxy agreement between the cryptographic device and the virtual machine through the cryptographic algorithm interface to delegate the cryptographic service of the cryptographic device to the plurality of virtual machines comprises:
the cryptographic device service center receives a proxy request sent by a virtual machine through the virtual machine center, the proxy request comprising the requested key index number;
checking the content of the proxy agreement signed by the virtual machine; after the check passes, generating, through the cryptographic device, a proxy key corresponding to the key index number requested by the virtual machine, and storing the proxy key information;
sending the proxy key to the corresponding virtual machine in a preset secure manner, the virtual machine storing the proxy key after receiving it.
Specifically, the flow for delegating the cryptographic service of the cryptographic device to multiple virtual machines is shown in the right part of the flowchart of fig. 3. The virtual machine sends a proxy request through the virtual machine center, the cryptographic device service center performs verification, and after verification passes the cryptographic device generates the proxy key corresponding to the key index number requested by the virtual machine. The stored proxy key information includes the index number of the key.
The preset secure manner is either offline delivery or sending after encryption. After receiving the proxy key, the virtual machine verifies it and, once verified, stores it securely in a database; access to it on the virtual machine can be restricted by a password or by limiting it to a certain class of users.
In one embodiment, the cryptographic service executed by directly calling the cryptographic device includes a signature service and a signature verification service executed by the cryptographic device, and the specific implementation steps include:
receiving a cryptographic device signature request or signature verification request sent by a user, the input parameters of the signature request comprising user identity data, a key password and signature parameters, and the input parameters of the signature verification request comprising user identity data, a key password and signature verification parameters;
for the signature service, the user identity data, the key password and the format of the input parameters of the signature request are verified, and after verification passes the signature parameters are forwarded to the cryptographic device through the forwarding layer, the signature parameters comprising the message to be signed and the index number of the signing key in the cryptographic device; for the signature verification service, the user identity data, the key password and the format of the input parameters of the signature verification request are verified, and after verification passes the signature verification parameters are forwarded to the cryptographic device through the forwarding layer, the signature verification parameters comprising the signature information, the signed data to be verified and the index number of the verification key in the cryptographic device;
the cryptographic device executes the corresponding signature computation based on the signature parameters, or the corresponding signature verification computation based on the signature verification parameters, and returns the computation result to the forwarding layer, which sends it to the user at the service layer.
Specifically, depending on the service requested by the user, the cryptographic device can be called directly to complete the corresponding cryptographic service, which mainly comprises a signature service and a signature verification service.
The implementation flow of the cryptographic device's signature/signature verification service is shown in fig. 2.
The user identity data comprises a user name and a token, the token being obtained from the user management center; the key password is optional, but must be supplied if password authentication is required. The interface parameters in fig. 2 are the input parameters. Key usage rights may also be included.
In one embodiment, the cryptographic service executed by the virtual machine includes a signature service and a signature verification service, and the specific implementation steps include:
receiving a cryptographic device signature request or signature verification request sent by a user, the input parameters of the signature request comprising user identity data, a key password and signature parameters, and the input parameters of the signature verification request comprising user identity data, a key password and signature verification parameters;
for the signature service, the user identity data, the key password and the format of the input parameters of the signature request are verified, and after verification passes the signature parameters are forwarded to the cryptographic device through the forwarding layer, the signature parameters comprising the message to be signed and the index number of the signing key in the virtual machine; for the signature verification service, the user identity data, the key password and the format of the input parameters of the signature verification request are verified, and after verification passes the signature verification parameters are forwarded to the cryptographic device through the forwarding layer, the signature verification parameters comprising the signature information, the signed data to be verified and the index number of the verification key in the virtual machine;
the virtual machine executes the corresponding signature computation based on the signature parameters, or the corresponding signature verification computation based on the signature verification parameters, and returns the computation result to the forwarding layer, which sends it to the user at the service layer.
Specifically, depending on the service requested by the user, a virtual machine can be called to complete the corresponding cryptographic service, which mainly comprises a signature service and a signature verification service. The implementation flow of the virtual machine's signature/signature verification service is shown in fig. 4.
The user identity data comprises a user name and a token, the token being obtained from the user management center; the key password is optional, but must be supplied if password authentication is required. The interface parameters in fig. 4 are the input parameters. Key usage rights may also be included.
When performing the signature computation, the virtual machine obtains the proxy signing private key corresponding to the key index number in the virtual machine given in the signature parameters, executes the signature operation on the message to be signed, obtains the signature value, and returns the signature value as the computation result of the signature service.
Example two
Based on the same inventive concept, a second aspect of the present invention provides a secure virtualization system for cryptographic devices based on a proxy mechanism; referring to fig. 5, the system comprises:
a user management center for managing users, including management of the user life cycle (registration, suspension, activation, logout and the like), management of user identity information, allocation and management of user rights, and generation, issuance and verification of user login token passwords;
a cryptographic device service center for registering and managing virtual machines: it receives registration requests sent by the virtual machine service center and, after successful registration, receives the requests for the relevant proxy keys sent by the virtual machine service center and delegates and authorizes the virtual machines;
a cryptographic device, which is the carrier implementing the cryptographic service function and generates a proxy key after the cryptographic device service center delegates and authorizes a virtual machine;
and a virtual machine service center, which sends the registration request and the request for the relevant proxy key to the cryptographic device service center and manages the proxy key after the virtual machine has been successfully authorized.
In one embodiment, the functions of the cryptographic device service center further include cryptographic device cryptographic service invocation and virtual machine identity information management.
In particular, (1) the cryptographic device is the carrier that implements the cryptographic service functions.
(2) The user management center is mainly used for managing users, including management of the user life cycle (registration, suspension, activation, logout and the like); management of user identity information; allocation and management of user rights; and generation, issuance and verification of the user login token.
(3) Cryptographic device service center: interfaces with the physical cryptographic device and provides cryptographic services externally. The cryptographic device service center comprises a cryptographic device service invocation function, a virtual machine identity information management function, a virtual machine proxy authorization management function and the like.
a) Cryptographic device service invocation: the cryptographic service interface provided for the physical cryptographic device.
b) Virtual machine identity information management: manages the identity information of the virtual machines registered with the cryptographic device service center. The identity information of a virtual machine comprises the virtual machine ID, affiliated organization, hardware configuration information, proxy authorization scope, proxy validity period and so on. It also provides function interfaces for virtual machine life cycle management and maintenance of related information. After a virtual machine submits an identity registration request, the cryptographic device service center verifies the request, signs a proxy agreement, manages the proxy authorization scope, validity period and other contents, and also supervises the virtual machine to a certain extent; if the virtual machine behaves dishonestly or the agreement must be terminated for other reasons, the cryptographic device service center uniformly manages the information of the proxy virtual machines it has issued.
c) Virtual machine proxy authorization management: when a key owner requests, through the virtual machine center, that the key with a certain index number be virtualized by proxy, the cryptographic device service center verifies the request, which may include checking the proxy authorization scope, validity period and other related contents. After verification passes, the newly added cryptographic device interface is called to obtain the relevant proxy key; the cryptographic device service center stores the proxy key and then sends it to the virtual machine center in a secure manner. There are two modes of applying for a secure virtualization proxy key from the cryptographic device, corresponding to the two proxy signature schemes, and in both the key owner initiates the call to the relevant interface:
the mode without a certificate (proxy signature algorithm without proxy authorization information): the parameters comprise the virtual machine ID, the index number of the key to be proxied, the corresponding password, the type of proxy key (for encryption/decryption or for signature/verification), the encryption public key (optional) used when transmitting the proxy key, and so on; after the proxy key is generated, it can be sent to the requesting virtual machine in a secure manner such as offline delivery or online encrypted transmission;
the mode with a certificate (proxy signature algorithm with proxy authorization information): in addition to the parameters listed above, a proxy certificate (warrant) is also required; its content can be customized by the system and generally includes the identity information of the cryptographic device, the identity information of the virtual machine, the validity period, the index number of the proxied key and so on. After the key is generated, it is likewise sent to the virtual machine in a secure manner.
(4) Virtual machine service center: it mainly comprises two parts, a cryptographic algorithm library and virtual machine proxy key management.
a) Cryptographic algorithm library: the service invocation method is consistent with that of the interface provided by the physical cryptographic device.
b) Virtual machine proxy key management: manages the proxy keys generated by secure virtualization of the cryptographic device, including applying for the relevant proxy keys from the cryptographic device service center and securely storing and using the keys after they are received.
The specific embodiments described herein are merely illustrative of the spirit of the invention. Various modifications or additions may be made to the described embodiments or alternatives may be employed by those skilled in the art without departing from the spirit or ambit of the invention as defined in the appended claims.

Claims (10)

1. A secure virtualization method for cryptographic devices based on a proxy mechanism, characterized by comprising the following steps:
implementing a cryptographic algorithm interface based on a proxy signature mechanism;
signing a proxy agreement between the cryptographic device and the virtual machines through the cryptographic algorithm interface, and delegating the cryptographic service of the cryptographic device to the plurality of virtual machines;
after receiving a cryptographic service request from a user, directly calling the cryptographic device to execute the cryptographic service corresponding to the request, or forwarding the task to an authorized virtual machine so that the authorized virtual machine executes the cryptographic service corresponding to the request.
2. The secure virtualization method for a cryptographic device as in claim 1, wherein the cryptographic algorithm based on the proxy signature mechanism comprises a proxy signature algorithm with proxy authorization information and a proxy signature algorithm without proxy authorization information.
3. The secure virtualization method for a cryptographic device as recited in claim 2, wherein the proxy signature algorithm with proxy authorization information comprises the steps of:
preparing system parameters; the original signer's identity information is $\mathrm{ID}_A$ and its key pair satisfies $P_A = [d_A]G$; the proxy signer's identity information is $\mathrm{ID}_B$; the proxy expiration time is $\mathrm{Time}_{AB}$; NUM is the serial number (8 bits) of the key being proxied; these are combined into the proxy authorization information $w = \mathrm{ID}_A \| \mathrm{ID}_B \| \mathrm{Time}_{AB} \| \mathrm{NUM}$;
proxy authorization; the original signer generates a random number $k_A$, computes the point $G_A = [k_A]G = (x_A, y_A)$ on the elliptic curve, where $x_A$ and $y_A$ are the x and y coordinates of $G_A$, computes the proxy authorization information hash value $e = \mathrm{hash}(w) \bmod n$ and the proxy private key $d_P = k_A \cdot x_A + e \cdot d_A \bmod n$, and sends the proxy secret information $(w, G_A, d_P)$ to the proxy signer through a secure channel;
verifying the proxy key; the proxy signer computes the proxy authorization information hash value $e = \mathrm{hash}(w) \bmod n$ and verifies the proxy public key $P_P = [x_A]G_A + [e]P_A$ against $d_P$, that is, that $[d_P]G = P_P$; if the equation holds, $(w, G_A, d_P)$ is a valid proxy key, and $d_P$ and $P_P$ form a valid proxy key pair for the original key numbered NUM;
generating a proxy signature; using the proxy private key $d_P$, generate the proxy signature with the signature generation algorithm of the public key cryptographic algorithm;
verifying the proxy signature; using the proxy public key $P_P$, verify the proxy signature with the signature verification algorithm of the public key cryptographic algorithm.
4. The secure virtualization method for a cryptographic device as recited in claim 2, wherein the proxy signature algorithm without proxy authorization information comprises the steps of:
preparing system parameters; the original signer has a key pair satisfying $P_A = [d_A]G$, where $P_A$ is the public key, $d_A$ is the private key and $G$ is the generator;
proxy authorization; the original signer generates a random number $k_A$, computes the point $G_A = [k_A]G = (x_A, y_A)$ on the elliptic curve and the proxy private key $d_P = k_A \cdot x_A + d_A \bmod n$, and sends the proxy secret information $(G_A, d_P)$ to the proxy signer through a secure channel;
verifying the proxy key; the proxy signer verifies the proxy public key $P_P = [x_A]G_A + P_A$ against $d_P$, that is, that $[d_P]G = P_P$; if the equation holds, $(G_A, d_P)$ is a valid proxy key;
generating a proxy signature: using the proxy private key $d_P$, generate the proxy signature with the signature generation algorithm of the public key cryptographic algorithm;
proxy signature verification: using the proxy public key $P_P$, verify the proxy signature with the signature verification algorithm of the public key cryptographic algorithm.
5. The secure virtualization method for a cryptographic device as in claim 1, wherein before a proxy agreement is signed between the cryptographic device and the virtual machine through the cryptographic algorithm interface, the method further comprises:
the virtual machine sends a registration request to the cryptographic device service center, the registration request comprising the identity information of the virtual machine;
the cryptographic device service center verifies the identity of the virtual machine based on the virtual machine identity information in the registration request; if verification passes, the virtual machine identity information is registered and registration succeeds; if verification fails, error information is returned. Once verification has passed, a proxy agreement is signed between the cryptographic device and the virtual machine through the cryptographic algorithm interface, the proxy agreement comprising a proxy time limit and a proxy scope.
6. The secure virtualization method for cryptographic devices as claimed in claim 1, wherein signing the proxy agreement between the cryptographic device and the virtual machines through the cryptographic algorithm interface and delegating the cryptographic services of the cryptographic device to the plurality of virtual machines comprises:
the cryptographic device service center receives a proxy request sent by a virtual machine through the virtual machine center, the proxy request comprising the requested key index number;
checking the content of the proxy agreement signed by the virtual machine; after the check passes, generating, through the cryptographic device, a proxy key corresponding to the key index number requested by the virtual machine, and storing the proxy key information;
sending the proxy key to the corresponding virtual machine in a preset secure manner, the virtual machine storing the proxy key after receiving it.
7. The secure virtualization method for cryptographic devices according to claim 1, wherein the cryptographic services executed by directly calling the cryptographic device include signature services and signature verification services executed by the cryptographic device, and the specific implementation steps include:
receiving a cryptographic device signature request or signature verification request sent by a user, the input parameters of the signature request comprising user identity data, a key password and signature parameters, and the input parameters of the signature verification request comprising user identity data, a key password and signature verification parameters;
for the signature service, the user identity data, the key password and the format of the input parameters of the signature request are verified, and after verification passes the signature parameters are forwarded to the cryptographic device through the forwarding layer, the signature parameters comprising the message to be signed and the index number of the signing key in the cryptographic device; for the signature verification service, the user identity data, the key password and the format of the input parameters of the signature verification request are verified, and after verification passes the signature verification parameters are forwarded to the cryptographic device through the forwarding layer, the signature verification parameters comprising the signature information, the signed data to be verified and the index number of the verification key in the cryptographic device;
the cryptographic device executes the corresponding signature computation based on the signature parameters, or the corresponding signature verification computation based on the signature verification parameters, and returns the computation result to the forwarding layer, which sends it to the user at the service layer.
8. The secure virtualization method for cryptographic devices according to claim 1, wherein the cryptographic services executed by the virtual machine include a signature service and a signature verification service, and the specific implementation steps include:
receiving a cryptographic device signature request or signature verification request sent by a user, the input parameters of the signature request comprising user identity data, a key password and signature parameters, and the input parameters of the signature verification request comprising user identity data, a key password and signature verification parameters;
for the signature service, the user identity data, the key password and the format of the input parameters of the signature request are verified, and after verification passes the signature parameters are forwarded to the cryptographic device through the forwarding layer, the signature parameters comprising the message to be signed and the index number of the signing key in the virtual machine; for the signature verification service, the user identity data, the key password and the format of the input parameters of the signature verification request are verified, and after verification passes the signature verification parameters are forwarded to the cryptographic device through the forwarding layer, the signature verification parameters comprising the signature information, the signed data to be verified and the index number of the verification key in the virtual machine;
the virtual machine executes the corresponding signature computation based on the signature parameters, or the corresponding signature verification computation based on the signature verification parameters, and returns the computation result to the forwarding layer, which sends it to the user at the service layer.
9. A secure virtualization system for cryptographic devices based on a proxy mechanism, the system comprising:
a user management center for managing users, including management of the user life cycle (registration, suspension, activation, logout and the like), management of user identity information, allocation and management of user rights, and generation, issuance and verification of user login token passwords;
a cryptographic device service center for registering and managing virtual machines: it receives registration requests sent by the virtual machine service center and, after successful registration, receives the requests for the relevant proxy keys sent by the virtual machine service center and delegates and authorizes the virtual machines;
a cryptographic device, which is the carrier implementing the cryptographic service function and generates a proxy key after the cryptographic device service center delegates and authorizes a virtual machine;
and a virtual machine service center, which sends the registration request and the request for the relevant proxy key to the cryptographic device service center and manages the proxy key after the virtual machine has been successfully authorized.
10. The secure virtualization system of a cryptographic device of claim 9, wherein the functions of the cryptographic device service center further comprise cryptographic device cryptographic service invocation and virtual machine identity information management.
CN202010718000.0A 2020-07-23 2020-07-23 Password equipment security virtualization method and system based on proxy mechanism Active CN111934885B (en)

Publications (2)

CN111934885A, publication date 2020-11-13
CN111934885B, publication date 2023-07-04


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050005126A1 (en) * 2003-07-04 2005-01-06 Information And Communications University Educational Foundation Method and apparatus for generating and verifying an ID-based proxy signature by using bilinear pairings
CN103051455A (en) * 2012-12-22 2013-04-17 中国船舶重工集团公司第七0九研究所 Method for delegating the cryptographic functions of a TCM (trusted cryptographic module) in a cloud computing environment
CN105493097A (en) * 2013-09-27 2016-04-13 Intel Corporation Protection scheme for remotely-stored data
CN108228316A (en) * 2017-12-26 2018-06-29 成都卫士通信息产业股份有限公司 Method and apparatus for virtualizing an encryption device
CN108306972A (en) * 2018-02-06 2018-07-20 山东渔翁信息技术股份有限公司 Cloud cryptographic service method, platform, system and computer-readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Wang Yuqi et al., "Analysis and improvement of an elliptic-curve proxy signature scheme" (一种椭圆曲线的代理签名方案的分析与改进) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117097564A (en) * 2023-10-18 2023-11-21 沃通电子认证服务有限公司 Cryptographic service invocation method, apparatus, terminal device and storage medium
CN117097564B (en) * 2023-10-18 2024-02-02 沃通电子认证服务有限公司 Cryptographic service invocation method, apparatus, terminal device and storage medium

Also Published As

Publication number Publication date
CN111934885B (en) 2023-07-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant