CN112003697B - Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium - Google Patents

Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium Download PDF

Info

Publication number
CN112003697B
CN112003697B CN202010865200.9A CN202010865200A CN112003697B CN 112003697 B CN112003697 B CN 112003697B CN 202010865200 A CN202010865200 A CN 202010865200A CN 112003697 B CN112003697 B CN 112003697B
Authority
CN
China
Prior art keywords
key
cryptographic module
module
random number
session key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010865200.9A
Other languages
Chinese (zh)
Other versions
CN112003697A (en
Inventor
吕国栋
刘成
陈琢
杨李萍
王俊人
陈志辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Westone Information Industry Inc
Original Assignee
Chengdu Westone Information Industry Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Westone Information Industry Inc filed Critical Chengdu Westone Information Industry Inc
Priority to CN202010865200.9A priority Critical patent/CN112003697B/en
Publication of CN112003697A publication Critical patent/CN112003697A/en
Application granted granted Critical
Publication of CN112003697B publication Critical patent/CN112003697B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure relates to a cryptographic module encryption and decryption method, a cryptographic module encryption and decryption device, an electronic device and a computer readable storage medium, wherein the method comprises the following steps: receiving data to be processed sent by a client through a calling interface of a password module; processing the data to be processed based on the saved session key to obtain a processing result, wherein the session key comprises an encryption key or a decryption key; and transmitting the processing result to the client through the calling interface, and prohibiting the transmission of the session key to the client. According to the encryption and decryption method for the cryptographic module, the client can only use the session key in the cryptographic module by calling the interface, cannot acquire the session key and cannot crack the session key, so that the security of the session key is protected, and the security of the cryptographic module is further guaranteed. The disclosure relates to a cryptographic module encryption and decryption device, an electronic device and a computer readable storage medium, which also solve corresponding technical problems.

Description

Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium
Technical Field
The present disclosure relates to the field of information security and privacy technologies, and more particularly, to a cryptographic module encryption and decryption method, a cryptographic module encryption and decryption device, an electronic device, and a computer storage medium.
Background
A cryptographic module refers to hardware, software, firmware, or a collection thereof that implements secure cryptographic functions such as cryptographic operations, key management, etc., and is contained within a cryptographic boundary.
In the use process of the cryptographic module, when the cryptographic module is operated on a terminal device connected with the internet, an attacker may encrypt and output a session key inside the cryptographic module by using an external public key and decrypt the session key by using a held private key, thereby causing leakage of the session password and threatening the security of the cryptographic module.
In summary, how to improve the security of the cryptographic module is a problem to be solved by those skilled in the art.
Disclosure of Invention
The purpose of the present disclosure is to provide a cryptographic module encryption and decryption method, which can solve the technical problem how to improve the security of the cryptographic module to a certain extent. The disclosure also provides a cryptographic module encrypting and decrypting device, an electronic device and a computer readable storage medium.
According to a first aspect of an embodiment of the present disclosure, there is provided a cryptographic module encrypting and decrypting method, including:
receiving data to be processed sent by a client through a calling interface of the password module;
processing the data to be processed based on a stored session key to obtain a processing result, wherein the session key comprises an encryption key or a decryption key;
and transmitting the processing result to the client through the calling interface, and prohibiting the transmission of the session key to the client.
Preferably, before the receiving, by the call interface of the cryptographic module, the data to be processed sent by the client, further includes:
obtaining a public key and a corresponding private key;
receiving an encrypted session key, wherein the encrypted session key comprises a key obtained by encrypting the session key by using the public key based on an asymmetric cryptographic algorithm;
and decrypting the encrypted session key by using the private key based on the asymmetric cryptographic algorithm to obtain the session key.
Preferably, the obtaining the public key and the corresponding private key includes:
and receiving the public key and the corresponding private key transmitted by an offline injection mode or a secure channel writing mode.
Preferably, before the receiving, by the call interface of the cryptographic module, the data to be processed sent by the client, further includes:
obtaining a public key, a private key, a digital certificate and a certificate issuing public key;
the session key is generated based on the public key, the private key, the digital certificate, and the certificate issuing public key.
Preferably, the generating the session key based on the public key, the private key, the digital certificate, and the certificate issuing public key includes:
sending the public key of the cryptographic module and the digital certificate of the cryptographic module to another cryptographic module; and receiving a public key of the other cryptographic module, a digital certificate of the other cryptographic module;
verifying the digital certificate of the other cryptographic module based on the public certificate issuing key of the cryptographic module, and if the verification is passed, and the other cryptographic module verifies that the digital certificate of the cryptographic module is passed based on the public certificate issuing key of the other cryptographic module, generating a first random number;
encrypting the first random number based on the public key of the other cryptographic module to obtain an encrypted first random number, and sending the encrypted first random number to the other cryptographic module;
receiving an encrypted second random number sent by the other cryptographic module, wherein the encrypted second random number comprises a random number obtained by encrypting the generated second random number by the other cryptographic module based on a public key of the cryptographic module;
decrypting the encrypted second random number based on a private key of the cryptographic module to obtain the second random number;
and performing exclusive OR operation on the first random number and the second random number to obtain the session key.
Preferably, the obtaining the public key, the private key, the digital certificate, and the certificate issuing public key includes:
generating the public key and the private key;
sending the public key to a password management system;
receiving the digital certificate issued by the password management system based on the public key;
and receiving the certificate issuing public key transmitted by an offline injection mode or a secure channel writing mode.
Preferably, the method further comprises:
encrypting the session key based on a pre-received symmetric key transmitted in an offline injection mode or a secure channel writing mode by adopting a symmetric cryptographic algorithm to obtain a first session key;
and transmitting the first session key to a management module of the cryptographic module so that the management module backs up or monitors the session key.
Preferably, the method further comprises:
encrypting the session key based on a pre-received encryption public key transmitted in an offline injection mode or a secure channel writing mode by adopting an asymmetric cryptographic algorithm to obtain a second session key;
and transmitting the second session key to a management module of the cryptographic module so that the management module backs up or monitors the session key.
According to a second aspect of the embodiments of the present disclosure, there is provided a cryptographic module encrypting and decrypting apparatus, including:
the first receiving module is used for receiving the data to be processed sent by the client through the calling interface of the password module;
the first processing module is used for processing the data to be processed based on the saved session key to obtain a processing result, wherein the session key comprises an encryption key or a decryption key;
and the first transmission module is used for transmitting the processing result to the client through the calling interface and prohibiting the transmission of the session key to the client.
According to a third aspect of embodiments of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of any of the methods described above.
According to a fourth aspect of embodiments of the present disclosure, there is provided an electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of any of the methods as described above.
According to the encryption and decryption method for the cryptographic module, data to be processed sent by a client is received through a calling interface of the cryptographic module; processing the data to be processed based on the saved session key to obtain a processing result, wherein the session key comprises an encryption key or a decryption key; and transmitting the processing result to the client through the calling interface, and prohibiting the transmission of the session key to the client. According to the encryption and decryption method for the cryptographic module, the call interface of the cryptographic module is used for receiving data to be processed, the data to be processed is processed based on the saved session key, and the session key comprises the encryption key or the decryption key, so that the data to be processed can be encrypted or decrypted based on the session key to obtain a corresponding processing result, then the call interface is used for transmitting the processing result to the client, and the session key is forbidden to be transmitted to the client, so that the client can only use the session key in the cryptographic module through the call interface, and cannot acquire the session key, thereby protecting the security of the session key and further guaranteeing the security of the cryptographic module. The disclosure provides a cryptographic module encryption and decryption device, electronic equipment and a computer readable storage medium, which also solve corresponding technical problems.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present disclosure, and other drawings may be obtained according to the provided drawings without inventive effort to those of ordinary skill in the art.
FIG. 1 is a first flow chart of a cryptographic module encryption and decryption method according to an exemplary embodiment;
FIG. 2 is a first flowchart illustrating a cryptographic module generating a session key, according to an example embodiment;
FIG. 3 is a schematic diagram of a first configuration of a cryptographic module encryption and decryption device according to an exemplary embodiment;
FIG. 4 is a second schematic diagram of a cryptographic module encryption and decryption device according to an exemplary embodiment;
fig. 5 is a block diagram of an electronic device, according to an example embodiment.
Detailed Description
The following description of the technical solutions in the embodiments of the present disclosure will be made clearly and completely with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are only some embodiments of the present disclosure, not all embodiments. Based on the embodiments in this disclosure, all other embodiments that a person of ordinary skill in the art would obtain without making any inventive effort are within the scope of protection of this disclosure.
Referring to fig. 1, fig. 1 is a first flowchart illustrating a cryptographic module encryption and decryption method according to an exemplary embodiment.
The encryption and decryption method of the cryptographic module related in the disclosure can comprise the following steps:
step S101: and receiving the data to be processed sent by the client through a calling interface of the password module.
It can be understood that the client sends the data to be processed to the cryptographic module through the call interface of the cryptographic module, and correspondingly, the cryptographic module receives the data to be processed sent by the client through the call interface, and the form of the call interface and the type of the data to be processed can be determined according to the application scene.
It should be noted that the cryptographic module related to the present disclosure is generally used for developing a cryptographic product, implementing a basic cryptographic service, and providing a basic cryptographic service for an upper layer through an application interface standard, where the interface standard includes the national cryptographic industry standard "cryptographic equipment application interface Specification," the general cryptographic service interface Specification, "the Intelligent cryptographic key cryptographic application interface Specification," and PKCS#11 issued by RSA laboratories; the key management functions that can be provided include asymmetric key import and export, generation of a session key using RSA public key encryption export, import of an encrypted session key and decryption with an internal private key, digital envelope conversion, generation of a session key and encryption of an output with a key encryption key, import of a session key and decryption with a cryptographic decryption key, etc.
Step S102: and processing the data to be processed based on the saved session key to obtain a processing result, wherein the session key comprises an encryption key or a decryption key.
It can be understood that after the cryptographic module receives the data to be processed, the data to be processed can be processed based on the session key stored by the cryptographic module to obtain a processing result, and when the session key is an encryption key, the cryptographic module processes the data to be processed based on the session key, that is, encrypts the data to be processed by adopting the encryption key, and accordingly, an encryption processing result is obtained; when the session key is a decryption key, the cryptographic module processes the data to be processed based on the session key, that is, adopts the decryption key to decrypt the data to be processed, and correspondingly, obtains a decryption processing result.
Step S103: and transmitting the processing result to the client through the calling interface, and prohibiting the transmission of the session key to the client.
It can be understood that after the processing result is obtained by the cryptographic module, the processing result can be transmitted to the client through the call interface, so that the client obtains the required processing result, in addition, the cryptographic module prohibits the transmission of the session key to the client, so that the client cannot obtain the session key from the cryptographic module, that is, the client cannot process the data to be processed by itself using the session key to obtain the processing result, that is, the client can only obtain the processing result by means of the cryptographic module, thereby avoiding the situation that the security of the cryptographic module is threatened by the malicious client obtaining the session key.
According to the encryption and decryption method for the cryptographic module, data to be processed sent by a client is received through a calling interface of the cryptographic module; processing the data to be processed based on the saved session key to obtain a processing result, wherein the session key comprises an encryption key or a decryption key; and transmitting the processing result to the client through the calling interface, and prohibiting the transmission of the session key to the client. According to the encryption and decryption method for the cryptographic module, the call interface of the cryptographic module is used for receiving data to be processed, the data to be processed is processed based on the saved session key, and the session key comprises the encryption key or the decryption key, so that the data to be processed can be encrypted or decrypted based on the session key to obtain a corresponding processing result, then the call interface is used for transmitting the processing result to the client, and the session key is forbidden to be transmitted to the client, so that the client can only use the session key in the cryptographic module through the call interface, and cannot acquire the session key, thereby protecting the security of the session key and further guaranteeing the security of the cryptographic module.
In the first embodiment, in order to further ensure the security of the cryptographic module and meet the requirement of the user on management and control of the session key, the security protection can be performed on the process of obtaining the session key by the cryptographic module, for example, a public-private key pair is adopted to obtain trusted devices, such as a trusted institution and the like, and a generated session password and the like, and then the cryptographic module can also obtain a public key and a corresponding private key before receiving the data to be processed sent by the client through the call interface of the cryptographic module; receiving an encrypted session key, wherein the encrypted session key comprises a key obtained by encrypting the session key by using a public key based on an asymmetric cryptographic algorithm; based on the asymmetric cryptographic algorithm, the encrypted session key is decrypted by using the private key to obtain the session key. It can be understood that the cryptographic module firstly obtains the public key and the private key corresponding to the public key, and then sends the public key to the trusted device; the trusted device encrypts the session key generated by the trusted device by using the received public key to obtain an encrypted session key, and sends the encrypted session key to the cryptographic module; after the encryption module receives the encrypted session key, the private key is used for decrypting the encrypted session key to obtain the session key. It should be noted that the algorithm used for encrypting and decrypting the session key may be an asymmetric cryptographic algorithm or may be another algorithm.
In this embodiment, in order to further ensure the security of the cryptographic module, the process of obtaining the public key and the private key by the cryptographic module may be protected, for example, the process of obtaining the public key and the corresponding private key may be that the cryptographic module receives the public key and the private key in a secure and trusted manner: and receiving the public key and the corresponding private key transmitted by an offline injection mode or a secure channel writing mode. It should be noted that, in order to further ensure the security of the public key and the private key obtained by the cryptographic module, when the cryptographic module is initially installed, the cryptographic module may be enabled to receive the public key and the private key transmitted through an offline injection manner or a secure channel writing manner, and prohibit the cryptographic module from obtaining the public key and the private key after the initial installation is completed. In addition, a service interface special for transmitting data through an off-line injection mode or a secure channel writing mode can be arranged for the password module.
In the first embodiment, in order to further ensure the security of the cryptographic module and reduce the burden of the user and the like, the cryptographic module may be configured to generate a secure and reliable session key, for example, the cryptographic module is configured to negotiate with other trusted devices by means of a public key, a private key, a digital certificate, a certificate issuing public key to generate a secure session key and the like, and before the cryptographic module receives the data to be processed sent by the client through the call interface of the cryptographic module, the cryptographic module may also acquire the public key, the private key, the digital certificate, the certificate issuing public key; the session key is generated based on the public key, the private key, the digital certificate, and the certificate issuing public key. It will be appreciated that in this process, parameters, a generation manner, and the like required for generating the session key may need to be set for the cryptographic module from the outside.
In this embodiment, a cryptographic module may negotiate with another cryptographic module to generate a session key. Referring to fig. 2, fig. 2 is a first flowchart illustrating a cryptographic module generating a session key according to an example embodiment.
The process by which the cryptographic module generates a session key based on the public key, the private key, the digital certificate, and the certificate issuing public key may include:
step S201: sending the public key of the cipher module and the digital certificate of the cipher module to another cipher module; and receives the public key of the other cryptographic module, the digital certificate of the other cryptographic module.
For easy understanding, two cryptographic modules participating in the negotiation process are illustrated as a and B, respectively, and the cryptographic module B represents another cryptographic module, then, when just started, the cryptographic module a sends the public key of the cryptographic module a, the digital certificate of the cryptographic module a, to the cryptographic module B; and, the cryptographic module a needs to receive the public key of the cryptographic module B and the digital certificate of the cryptographic module B, which are sent by the cryptographic module B. In order to ensure the communication security between the cryptographic module A and the cryptographic module B, the cryptographic module A and the cryptographic module B can perform data transmission through a signaling channel or a service channel.
Step S202: the first random number is generated after the digital certificate of the other cryptographic module is verified based on the public key of the certificate issuance of the cryptographic module, and the digital certificate of the cryptographic module is verified based on the public key of the certificate issuance of the other cryptographic module.
It will be understood that after the digital certificate of the cryptographic module B is received by the cryptographic module a, the public key is signed by the certificate stored in the cryptographic module a to verify the digital certificate of the cryptographic module B, and correspondingly, the cryptographic module B also needs to sign the digital certificate of the cryptographic module a by using the public key stored in the cryptographic module B, if the digital certificate of the cryptographic module B is verified by the cryptographic module a, the identity security of the cryptographic module B is indicated, and if the digital certificate of the cryptographic module a is verified by the cryptographic module B, the identity security of the cryptographic module a is indicated. When the cryptographic module a verifies that the digital certificate of the cryptographic module B passes and the cryptographic module B verifies that the digital certificate of the cryptographic module a passes, the cryptographic module a generates a first random number, and at this time, the cryptographic module B also generates a second random number, and the lengths of the first random number and the second random number may be equal to the length of the final session key.
Step S203: and encrypting the first random number based on the public key of the other cipher module to obtain an encrypted first random number, and transmitting the encrypted first random number to the other cipher module.
It can be understood that after the first random number is generated by the cryptographic module a, the first random number can be encrypted based on the public key of the cryptographic module B to obtain an encrypted first random number, and the encrypted first random number is sent to the cryptographic module B. It is understood that the encrypted first random number is encrypted by the public key of the cryptographic module B, and only the private key of the cryptographic module B is used for decryption, so that even if an lawbreaker obtains the encrypted first random number, the lawbreaker cannot decrypt the encrypted first random number to obtain the first random number, thereby avoiding damage of the lawbreaker to the session key negotiation process.
Step S204: and receiving an encrypted second random number sent by the other cryptographic module, wherein the encrypted second random number comprises a random number obtained by encrypting the generated second random number by the other cryptographic module based on the public key of the cryptographic module.
It will be appreciated that after the second random number is generated by the cryptographic module B, the second random number is encrypted based on the public key of the cryptographic module a, so as to obtain an encrypted second random number, and the second encrypted random number is sent to the cryptographic module a.
Step S205: and decrypting the encrypted second random number based on the private key of the password module to obtain the second random number.
It can be appreciated that after the cryptographic module a receives the encrypted second random number, the cryptographic module a can decrypt the encrypted second random number based on the private key of the cryptographic module a to obtain the second random number, so that the cryptographic module a and the cryptographic module B both obtain the first random number and the second random number. It is understood that the encrypted second random number is encrypted by the public key of the cryptographic module a, and can be decrypted only by using the private key of the cryptographic module a, so that even if an lawbreaker obtains the encrypted second random number, the lawbreaker cannot decrypt the encrypted second random number, and damage of the lawbreaker to the session key negotiation process can be avoided.
Step S206: and performing exclusive OR operation on the first random number and the second random number to obtain a session key.
It can be understood that after the first random number and the second random number are obtained by the cryptographic module a, the first random number and the second random number can be subjected to exclusive-or operation to obtain the session key, and correspondingly, the cryptographic module B can also be subjected to exclusive-or operation to obtain the session key. Of course, there may be other methods of deriving the session key based on the first random number and the second random number.
In this embodiment, in order to ensure the security of the cryptographic module, the process of obtaining the public key, the private key, the digital certificate and the public key issued by the certificate by the cryptographic module may be secured, for example, for the public key, the private key and the digital certificate, the public key and the private key may be generated by the cryptographic module, and then the cryptographic module sends the public key to the cryptographic management system and receives the digital certificate issued by the cryptographic management system based on the public key; for the public key of certificate issue, the public key of certificate issue transmitted by the off-line injection mode or the secure channel writing mode can be received by the cryptographic module, and for the cryptographic module adopting the negotiation mode to generate the session key, in order to ensure the security of the public key of certificate issue, the public key of certificate issue can be transmitted to the cryptographic module by the off-line injection mode or the secure channel writing mode when the cryptographic module is initially installed. Of course, the public key and the private key can also be directly generated by the password management system, and the digital certificate can be directly generated by the password management system based on the public key, and correspondingly, the password module only needs to receive the public key, the private key and the digital certificate generated by the password management system.
In the encryption and decryption method of the above-mentioned cryptographic module shown in the embodiment of the present disclosure, there is a case that the cryptographic module must output a session key, for example, when a management module of the cryptographic module backs up the session key and listens, the cryptographic module is required to derive the session key, at this time, in order to ensure the security of the session key, a key for encrypting the session key may be added in the cryptographic module in advance through a secure transmission manner, the session key may be encrypted by using the key and derived to the management module, for example, the cryptographic module may use a symmetric cryptographic algorithm, encrypt the session key based on a symmetric key that is received in advance and transmitted through an offline injection manner or a secure channel writing manner, to obtain a first session key; and transmitting the first session key to a management module of the cryptographic module so that the management module backs up or monitors the session key. The encryption module can encrypt the session key based on a pre-received encryption public key transmitted in an offline injection mode or a secure channel writing mode by adopting an asymmetric encryption algorithm to obtain a second session key; and transmitting the second session key to the management module of the cryptographic module so that the management module backs up or monitors the session key. In this process, the management module only backs up or listens to the session key, so the management module only needs to back up or listen to the first session key or the second session key after obtaining the first session key or the second session key, taking the first session key as an example, when the security of the first session key needs to be judged, since the first session key sent to the management module by the cryptographic module is generated by the same symmetric cryptographic algorithm and symmetric key, under the condition that the session key of the cryptographic module is not changed, the first session key sent to the management module by the cryptographic module each time is the same, so the management module can judge the security of the session key by comparing whether the first session key received currently is the same as the first session key received last time, and does not need to decrypt the first session key to obtain the session key to judge the security of the session key.
Referring to fig. 3, fig. 3 is a schematic diagram illustrating a first structure of a cryptographic module encrypting and decrypting apparatus according to an exemplary embodiment.
The encryption and decryption device 300 for a cryptographic module according to the present disclosure may include:
a first receiving module 310, configured to receive, through a call interface of the cryptographic module, data to be processed sent by the client;
the first processing module 320 is configured to process the data to be processed based on the saved session key, so as to obtain a processing result, where the session key includes an encryption key or a decryption key;
the first transmission module 330 is configured to transmit the processing result to the client through the call interface, and prohibit transmission of the session key to the client.
Referring to fig. 4, fig. 4 is a schematic diagram illustrating a second structure of a cryptographic module encrypting and decrypting apparatus according to an exemplary embodiment.
The encryption and decryption device 300 for a cryptographic module according to the present disclosure may further include:
the first obtaining module 340 is configured to obtain the public key and the corresponding private key before the first receiving module receives the data to be processed sent by the client through the call interface of the cryptographic module;
a second receiving module 350, configured to receive an encrypted session key, where the encrypted session key includes a key obtained by encrypting the session key with a public key based on an asymmetric cryptographic algorithm;
the first decryption module 360 is configured to decrypt the encrypted session key with the private key based on the asymmetric cryptographic algorithm, to obtain the session key.
The disclosure relates to a cryptographic module encryption and decryption device, a first obtaining module may include:
the first receiving unit is used for receiving the public key and the corresponding private key transmitted by an offline injection mode or a secure channel writing mode.
The encryption and decryption device for the cryptographic module, which is related by the present disclosure, may further include:
the second acquisition module is used for acquiring a public key, a private key, a digital certificate and a certificate issuing public key before the first receiving module receives the data to be processed sent by the client through a calling interface of the password module;
the first generation module is used for generating a session key based on the public key, the private key, the digital certificate and the certificate issuing public key.
The disclosure relates to a cryptographic module encryption and decryption device, and a first generation module may include:
the first transmission unit is used for transmitting the public key of the cipher module and the digital certificate of the cipher module to another cipher module; receiving a public key of another cryptographic module and a digital certificate of the other cryptographic module;
the first generation unit is used for verifying the digital certificate of the other cipher module based on the public key issued by the certificate of the cipher module, and if the verification is passed, the other cipher module verifies that the digital certificate of the cipher module is passed based on the public key issued by the certificate of the other cipher module, and then a first random number is generated;
the first encryption unit is used for encrypting the first random number based on the public key of the other encryption module to obtain an encrypted first random number, and sending the encrypted first random number to the other encryption module;
the second receiving unit is used for receiving an encrypted second random number sent by the other cryptographic module, wherein the encrypted second random number comprises a random number obtained by encrypting the generated second random number by the other cryptographic module based on the public key of the cryptographic module;
the first decryption unit is used for decrypting the encrypted second random number based on the private key of the password module to obtain the second random number;
the first exclusive-or operation unit is used for carrying out exclusive-or operation on the first random number and the second random number to obtain the session key.
The disclosure relates to a cryptographic module encryption and decryption device, and a second obtaining module may include:
the second generation unit is used for generating a public key and a private key;
a first transmitting unit for transmitting the public key to the password management device;
a third receiving unit for receiving the digital certificate issued by the password management device based on the public key;
and the fourth receiving unit is used for receiving the certificate issuing public key transmitted by an offline injection mode or a secure channel writing mode.
The encryption and decryption device for the cryptographic module, which is related by the present disclosure, may further include:
the first encryption module is used for encrypting the session key based on a symmetric key which is transmitted in an offline injection mode or a secure channel writing mode and received in advance by adopting a symmetric cryptographic algorithm to obtain a first session key;
and the second transmission module is used for transmitting the first session key to the management module of the password module so that the management module can backup or monitor the session key.
The encryption and decryption device for the cryptographic module, which is related by the present disclosure, may further include:
the second encryption module is used for encrypting the session key based on a pre-received encryption public key transmitted in an offline injection mode or a secure channel writing mode by adopting an asymmetric encryption algorithm to obtain a second session key;
and the third transmission module is used for transmitting the second session key to the management module of the cryptographic module so that the management module can backup or monitor the session key.
The specific manner in which the various modules perform the operations in the apparatus of the above embodiments have been described in detail in connection with the embodiments of the method, and will not be described in detail herein.
Fig. 5 is a block diagram of an electronic device 500, according to an example embodiment. As shown in fig. 5, the electronic device 500 may include: a processor 501, a memory 502. The electronic device 500 may also include one or more of a multimedia component 503, an input/output (I/O) interface 504, and a communication component 505.
The processor 501 is configured to control the overall operation of the electronic device 500, so as to complete all or part of the steps in the above-mentioned message encryption and decryption method. The memory 502 is used to store various types of data to support operation at the electronic device 500, which may include, for example, instructions for any application or method operating on the electronic device 500, as well as application-related data, such as contact data, messages sent and received, pictures, audio, video, and so forth. The Memory 502 may be implemented by any type of volatile or non-volatile Memory device or combination thereof, such as static random access Memory (Static Random Access Memory, SRAM for short), electrically erasable programmable Read-Only Memory (Electrically Erasable Programmable Read-Only Memory, EEPROM for short), erasable programmable Read-Only Memory (Erasable Programmable Read-Only Memory, EPROM for short), programmable Read-Only Memory (Programmable Read-Only Memory, PROM for short), read-Only Memory (ROM for short), magnetic Memory, flash Memory, magnetic disk, or optical disk. The multimedia component 903 may include a screen and audio components. Wherein the screen may be, for example, a touch screen, the audio component being for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signals may be further stored in the memory 502 or transmitted through the communication component 505. The audio assembly further comprises at least one speaker for outputting audio signals. The I/O interface 504 provides an interface between the processor 501 and other interface modules, which may be a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons. The communication component 505 is used for wired or wireless communication between the electronic device 500 and other devices. Wireless communication, such as Wi-Fi, bluetooth, near field communication (Near Field Communication, NFC for short), 2G, 3G or 4G, or a combination of one or more thereof, the corresponding communication component 505 may thus comprise: wi-Fi module, bluetooth module, NFC module.
In an exemplary embodiment, the electronic device 500 may be implemented by one or more application specific integrated circuits (Application Specific Integrated Circuit, abbreviated as ASIC), digital signal processors (Digital Signal Processor, abbreviated as DSP), digital signal processing devices (Digital Signal Processing Device, abbreviated as DSPD), programmable logic devices (Programmable LogicDevice, abbreviated as PLD), field programmable gate arrays (Field Programmable Gate Array, abbreviated as FPGA), controllers, microcontrollers, microprocessors, or other electronic components for performing the cryptographic module encryption and decryption methods described above.
In another exemplary embodiment, there is also provided a computer readable storage medium including program instructions which, when executed by a processor, implement the steps of the message encryption and decryption method described above. For example, the computer readable storage medium may be the memory 502 including program instructions described above, which are executable by the processor 501 of the electronic device 500 to perform the cryptographic module encryption and decryption method described above.
The description of the related parts in the cryptographic module encryption and decryption device, the electronic device and the computer readable storage medium provided in the embodiments of the present disclosure refers to the detailed description of the corresponding parts in the cryptographic module encryption and decryption method provided in the embodiments of the present disclosure, and will not be repeated here. In addition, the parts of the foregoing technical solutions provided in the embodiments of the present disclosure, which are consistent with the implementation principles of the corresponding technical solutions in the prior art, are not described in detail, so that redundant descriptions are avoided.
It is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. The encryption and decryption method for the cryptographic module is characterized by comprising the following steps of:
receiving data to be processed sent by a client through a calling interface of the password module;
processing the data to be processed based on a stored session key to obtain a processing result, wherein the session key comprises an encryption key or a decryption key;
transmitting the processing result to the client through the calling interface, and prohibiting the transmission of the session key to the client;
before receiving the data to be processed sent by the client through the calling interface of the cryptographic module, the method further comprises:
obtaining a public key, a private key, a digital certificate and a certificate issuing public key;
generating the session key based on the public key, the private key, the digital certificate, and the certificate issuing public key;
the generating the session key based on the public key, the private key, the digital certificate, and the certificate issuing public key includes:
sending the public key of the cryptographic module and the digital certificate of the cryptographic module to another cryptographic module; and receiving a public key of the other cryptographic module, a digital certificate of the other cryptographic module;
verifying the digital certificate of the other cryptographic module based on the public certificate issuing key of the cryptographic module, and if the verification is passed, and the other cryptographic module verifies that the digital certificate of the cryptographic module is passed based on the public certificate issuing key of the other cryptographic module, generating a first random number;
encrypting the first random number based on the public key of the other cryptographic module to obtain an encrypted first random number, and sending the encrypted first random number to the other cryptographic module;
receiving an encrypted second random number sent by the other cryptographic module, wherein the encrypted second random number comprises a random number obtained by encrypting the generated second random number by the other cryptographic module based on a public key of the cryptographic module;
decrypting the encrypted second random number based on a private key of the cryptographic module to obtain the second random number;
and performing exclusive OR operation on the first random number and the second random number to obtain the session key.
2. The method according to claim 1, further comprising, before receiving the data to be processed sent by the client through the call interface of the cryptographic module:
obtaining a public key and a corresponding private key;
receiving an encrypted session key, wherein the encrypted session key comprises a key obtained by encrypting the session key by using the public key based on an asymmetric cryptographic algorithm;
and decrypting the encrypted session key by using the private key based on the asymmetric cryptographic algorithm to obtain the session key.
3. The method of claim 2, wherein the obtaining the public key and the corresponding private key comprises:
and receiving the public key and the corresponding private key transmitted by an offline injection mode or a secure channel writing mode.
4. The method of claim 1, wherein the obtaining a public key, a private key, a digital certificate, a certificate issuing public key, comprises:
generating the public key and the private key;
sending the public key to a password management system;
receiving the digital certificate issued by the password management system based on the public key;
and receiving the certificate issuing public key transmitted by an offline injection mode or a secure channel writing mode.
5. The method according to any one of claims 1 to 4, further comprising:
encrypting the session key based on a pre-received symmetric key transmitted in an offline injection mode or a secure channel writing mode by adopting a symmetric cryptographic algorithm to obtain a first session key;
and transmitting the first session key to a management module of the cryptographic module so that the management module backs up or monitors the session key.
6. The method according to any one of claims 1 to 4, further comprising:
encrypting the session key based on a pre-received encryption public key transmitted in an offline injection mode or a secure channel writing mode by adopting an asymmetric cryptographic algorithm to obtain a second session key;
and transmitting the second session key to a management module of the cryptographic module so that the management module backs up or monitors the session key.
7. A cryptographic module encrypting and decrypting apparatus, comprising:
the first receiving module is used for receiving the data to be processed sent by the client through the calling interface of the password module;
the first processing module is used for processing the data to be processed based on the saved session key to obtain a processing result, wherein the session key comprises an encryption key or a decryption key;
the first transmission module is used for transmitting the processing result to the client through the calling interface and prohibiting the transmission of the session key to the client;
before receiving the data to be processed sent by the client through the calling interface of the cryptographic module, the method further comprises:
obtaining a public key, a private key, a digital certificate and a certificate issuing public key;
generating the session key based on the public key, the private key, the digital certificate, and the certificate issuing public key;
the generating the session key based on the public key, the private key, the digital certificate, and the certificate issuing public key includes:
sending the public key of the cryptographic module and the digital certificate of the cryptographic module to another cryptographic module; and receiving a public key of the other cryptographic module, a digital certificate of the other cryptographic module;
verifying the digital certificate of the other cryptographic module based on the public certificate issuing key of the cryptographic module, and if the verification is passed, and the other cryptographic module verifies that the digital certificate of the cryptographic module is passed based on the public certificate issuing key of the other cryptographic module, generating a first random number;
encrypting the first random number based on the public key of the other cryptographic module to obtain an encrypted first random number, and sending the encrypted first random number to the other cryptographic module;
receiving an encrypted second random number sent by the other cryptographic module, wherein the encrypted second random number comprises a random number obtained by encrypting the generated second random number by the other cryptographic module based on a public key of the cryptographic module;
decrypting the encrypted second random number based on a private key of the cryptographic module to obtain the second random number;
and performing exclusive OR operation on the first random number and the second random number to obtain the session key.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any of claims 1-6.
9. An electronic device, comprising:
a memory having a computer program stored thereon;
a processor for executing the computer program in the memory to implement the steps of the method of any one of claims 1-6.
CN202010865200.9A 2020-08-25 2020-08-25 Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium Active CN112003697B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010865200.9A CN112003697B (en) 2020-08-25 2020-08-25 Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010865200.9A CN112003697B (en) 2020-08-25 2020-08-25 Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium

Publications (2)

Publication Number Publication Date
CN112003697A CN112003697A (en) 2020-11-27
CN112003697B true CN112003697B (en) 2023-09-29

Family

ID=73471828

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010865200.9A Active CN112003697B (en) 2020-08-25 2020-08-25 Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN112003697B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112861156B (en) * 2021-02-26 2022-12-13 上海升途智能系统有限公司 Secure communication method and device for display data, electronic equipment and storage medium
CN113438069A (en) * 2021-05-07 2021-09-24 中国科学院信息工程研究所 Security storage resource protection method, key sending end host and trusted root device
CN114221759B (en) * 2021-11-29 2024-04-12 成都卫士通信息产业股份有限公司 Remote monitoring deployment method and device, electronic equipment and storage medium

Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101676925A (en) * 2008-09-16 2010-03-24 联想(北京)有限公司 Computer system and method of setting authentication information in security chip
CN102932149A (en) * 2012-10-30 2013-02-13 武汉理工大学 Integrated identity based encryption (IBE) data encryption system
CN103093144A (en) * 2013-01-14 2013-05-08 中国科学院软件研究所 Detection method and detection system of crypto module application program interface (API) safety
KR101347124B1 (en) * 2012-09-18 2014-01-03 주식회사 드림시큐리티 Method of managing electronic prescription based on one-time public information and apparatus using the same
CN103560882A (en) * 2013-10-29 2014-02-05 武汉理工大学 Elliptic curve cryptosystem based on identity
CN103905188A (en) * 2014-04-02 2014-07-02 天地融科技股份有限公司 Method for generating dynamic password through intelligent secret key device, and intelligent secret key device
CN103929306A (en) * 2014-04-02 2014-07-16 天地融科技股份有限公司 Intelligent secret key device and information management method of intelligent secret key device
CN105049449A (en) * 2015-08-24 2015-11-11 成都卫士通信息产业股份有限公司 Method for safety communication of nodes in cluster of wireless sensor network based on key technique
CN105763542A (en) * 2016-02-02 2016-07-13 国家电网公司 Device and method of encryption and authentication for distribution terminal serial port communication
CN106059767A (en) * 2016-08-17 2016-10-26 王树栋 Terminal private data protection system and method based on Internet
CN108200028A (en) * 2017-12-27 2018-06-22 飞天诚信科技股份有限公司 A kind of block chain obtains safely the method and system of server trust data
CN108322451A (en) * 2018-01-12 2018-07-24 深圳壹账通智能科技有限公司 Data processing method, device, computer equipment and storage medium
CN108765058A (en) * 2018-04-28 2018-11-06 中国科学院信息工程研究所 A kind of safe Synergistic method of manufacture link multiple entity based on block chain
CN109309910A (en) * 2018-10-30 2019-02-05 深圳市元征科技股份有限公司 Communication data transmission method, system, equipment and computer readable storage medium
CN109462476A (en) * 2018-11-23 2019-03-12 成都卫士通信息产业股份有限公司 Cryptographic key negotiation method, device, terminal and computer readable storage medium
CN109639412A (en) * 2018-12-05 2019-04-16 成都卫士通信息产业股份有限公司 A kind of communication means, system and electronic equipment and storage medium
CN110061983A (en) * 2019-04-09 2019-07-26 苏宁易购集团股份有限公司 A kind of data processing method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090276474A1 (en) * 2008-05-01 2009-11-05 Rotem Sela Method for copying protected data from one secured storage device to another via a third party

Patent Citations (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101676925A (en) * 2008-09-16 2010-03-24 联想(北京)有限公司 Computer system and method of setting authentication information in security chip
KR101347124B1 (en) * 2012-09-18 2014-01-03 주식회사 드림시큐리티 Method of managing electronic prescription based on one-time public information and apparatus using the same
CN102932149A (en) * 2012-10-30 2013-02-13 武汉理工大学 Integrated identity based encryption (IBE) data encryption system
CN103093144A (en) * 2013-01-14 2013-05-08 中国科学院软件研究所 Detection method and detection system of crypto module application program interface (API) safety
CN103560882A (en) * 2013-10-29 2014-02-05 武汉理工大学 Elliptic curve cryptosystem based on identity
CN103905188A (en) * 2014-04-02 2014-07-02 天地融科技股份有限公司 Method for generating dynamic password through intelligent secret key device, and intelligent secret key device
CN103929306A (en) * 2014-04-02 2014-07-16 天地融科技股份有限公司 Intelligent secret key device and information management method of intelligent secret key device
CN105049449A (en) * 2015-08-24 2015-11-11 成都卫士通信息产业股份有限公司 Method for safety communication of nodes in cluster of wireless sensor network based on key technique
CN105763542A (en) * 2016-02-02 2016-07-13 国家电网公司 Device and method of encryption and authentication for distribution terminal serial port communication
CN106059767A (en) * 2016-08-17 2016-10-26 王树栋 Terminal private data protection system and method based on Internet
CN108200028A (en) * 2017-12-27 2018-06-22 飞天诚信科技股份有限公司 A kind of block chain obtains safely the method and system of server trust data
CN108322451A (en) * 2018-01-12 2018-07-24 深圳壹账通智能科技有限公司 Data processing method, device, computer equipment and storage medium
CN108765058A (en) * 2018-04-28 2018-11-06 中国科学院信息工程研究所 A kind of safe Synergistic method of manufacture link multiple entity based on block chain
CN109309910A (en) * 2018-10-30 2019-02-05 深圳市元征科技股份有限公司 Communication data transmission method, system, equipment and computer readable storage medium
CN109462476A (en) * 2018-11-23 2019-03-12 成都卫士通信息产业股份有限公司 Cryptographic key negotiation method, device, terminal and computer readable storage medium
CN109639412A (en) * 2018-12-05 2019-04-16 成都卫士通信息产业股份有限公司 A kind of communication means, system and electronic equipment and storage medium
CN110061983A (en) * 2019-04-09 2019-07-26 苏宁易购集团股份有限公司 A kind of data processing method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于簇结构的AdHoc网络密钥管理方案;王新颖;吴钊;王毅;;武汉理工大学学报(第18期);全文 *

Also Published As

Publication number Publication date
CN112003697A (en) 2020-11-27

Similar Documents

Publication Publication Date Title
WO2021022701A1 (en) Information transmission method and apparatus, client terminal, server, and storage medium
US10742626B2 (en) Method for key rotation
ES2687191T3 (en) Network authentication method for secure electronic transactions
US9838205B2 (en) Network authentication method for secure electronic transactions
CN107294937B (en) Data transmission method based on network communication, client and server
EP3324572B1 (en) Information transmission method and mobile device
CN112003697B (en) Encryption and decryption method and device for cryptographic module, electronic equipment and computer storage medium
CN108111497B (en) Mutual authentication method and device for camera and server
CN109361508B (en) Data transmission method, electronic device and computer readable storage medium
US11831753B2 (en) Secure distributed key management system
CN113438205B (en) Block chain data access control method, node and system
CN112766962A (en) Method for receiving and sending certificate, transaction system, storage medium and electronic device
CN113992346A (en) Implementation method of security cloud desktop based on state password reinforcement
CN113868684A (en) Signature method, device, server, medium and signature system
CN111654503A (en) Remote control method, device, equipment and storage medium
CN112910641B (en) Verification method and device for cross-link transaction supervision, relay link node and medium
CN115549906A (en) Privacy calculation method, system, device and medium based on block chain
CN109542637A (en) A kind of interface of educational system calls and parameter tamper resistant method and electronic equipment
CN113810178B (en) Key management method, device, system and storage medium
CN114221759A (en) Remote monitoring deployment method and device, electronic equipment and storage medium
CN110601841B (en) SM2 collaborative signature and decryption method and device
CN113852469B (en) Method, device, equipment and readable storage medium for transmitting data between block chain nodes
CN115297442B (en) Relay communication connection establishment method, storage medium and electronic device
CN115276991B (en) Secure chip dynamic key generation method, secure chip device, equipment and medium
CN112804259A (en) Audio and video communication encryption method and system based on asymmetric encryption

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant