CN112073192B - Data processing method and device and cipher machine - Google Patents

Data processing method and device and cipher machine Download PDF

Info

Publication number
CN112073192B
CN112073192B CN202010927585.7A CN202010927585A CN112073192B CN 112073192 B CN112073192 B CN 112073192B CN 202010927585 A CN202010927585 A CN 202010927585A CN 112073192 B CN112073192 B CN 112073192B
Authority
CN
China
Prior art keywords
key
cryptographic
algorithm
card
queue
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010927585.7A
Other languages
Chinese (zh)
Other versions
CN112073192A (en
Inventor
陈翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd filed Critical Beijing Topsec Technology Co Ltd
Priority to CN202010927585.7A priority Critical patent/CN112073192B/en
Publication of CN112073192A publication Critical patent/CN112073192A/en
Application granted granted Critical
Publication of CN112073192B publication Critical patent/CN112073192B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a data processing method, a data processing device and a cipher machine, wherein the method comprises the following steps: respectively establishing N queues for each password card, wherein each cryptographic algorithm at least corresponds to one queue, and N is an integer greater than 2; under the condition of receiving the data packet, analyzing the data packet to determine the algorithm type of the cryptographic algorithm corresponding to the data packet; and determining queues with loads meeting the preset conditions in corresponding queues of all the password cards according to the algorithm types, and sending the data packets to the queues with the loads meeting the preset conditions for processing. Compared with the existing load balancing processing mode, the data packet can be distributed to the queue where the corresponding cryptographic algorithm is located, and compared with the existing mode that all the cryptographic algorithms are processed in the same queue, the embodiment of the invention considers that different cryptographic algorithms have different operation processing capacities, thereby obviously improving the processing efficiency.

Description

Data processing method and device and cipher machine
Technical Field
The present invention relates to the field of data processing, and in particular, to a data processing method, apparatus, and cryptographic machine.
Background
The cipher machine is a platform developed based on cipher technology and specially used for cipher operation, and is one equipment for realizing clear-to-cipher conversion or cipher-to-clear conversion under the action of cipher key.
The prior cipher machine adopts a multi-cipher-card mode, uses a concurrent encryption and decryption method under the environment of multi-cipher cards, and when the realization is realized, each cipher card has a corresponding queue, and data packets needing to be processed by the cipher card are stored in the queue of the cipher card; when a new data packet is received, a relatively most idle cryptographic card is selected according to the load of the cryptographic card queue (calculated based on the number and length of the data packets in the queue), and the new data packet is added into the cryptographic card queue to wait for data processing. However, the processing method of the idle cryptographic card is selected by calculating the load according to the number and the length of the data packets in the queue, and the processing efficiency is low because the operation processing capability of the cryptographic card is not considered.
On the other hand, for the cryptographic engine, in addition to the processing efficiency of data, the security of the operational data is also important, and according to the principle that the secret key does not come out of the cryptographic card, under the condition that multiple cards are called in parallel, the consistency of the secret keys stored in different cryptographic cards needs to be ensured, so that the advantage of the parallel multiple cards can be exerted, different data are ensured to be distributed to different cryptographic cards, and the consistency of the operational results is obtained. However, the existing keys are all transmitted from the outside to the inside of the cryptographic card, and although the keys ensure consistency, the security of the keys cannot be guaranteed.
Disclosure of Invention
In view of this, embodiments of the present invention provide a data processing method, an apparatus, and a cryptographic engine, so as to solve the following problems in the prior art: and the load is calculated according to the number and the length of the data packets in the queue, so that an idle password card processing mode is selected, the operation processing capacity of the password card is not considered, and the processing efficiency is low.
In one aspect, an embodiment of the present invention provides a data processing method, including: respectively establishing N queues for each password card, wherein each cryptographic algorithm at least corresponds to one queue, and N is an integer greater than 2; under the condition of receiving a data packet, analyzing the data packet to determine the algorithm type of a cryptographic algorithm corresponding to the data packet; and determining queues with loads meeting preset conditions in corresponding queues of all the password cards according to the algorithm types, and sending the data packets to the queues with the loads meeting the preset conditions for processing.
In some embodiments, further comprising: generating a first secret key required by cryptographic operation in a source cryptographic card, wherein the source cryptographic card is any one cryptographic card determined in advance in all cryptographic cards, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are destination cryptographic cards; acquiring a public key of an SM2 algorithm in each target cipher card through a key synchronization queue, wherein the key synchronization queue is one of the N queues; encrypting the first key according to the public key of the SM2 algorithm to obtain a ciphertext of the first key; and sending the ciphertext of the first key to each destination cryptocard through the key synchronization queue.
In some embodiments, further comprising: generating a first secret key and an SM4 algorithm temporary symmetric secret key required by cryptographic operation in a source cryptographic card, and setting a secret key identifier in the source cryptographic card to exist, wherein the source cryptographic card is any one cryptographic card determined in advance in all the cryptographic cards, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are target cryptographic cards; acquiring a public key of an SM2 algorithm in each target cipher card through a key synchronization queue, wherein the key synchronization queue is one of the N queues; encrypting the first key through the SM4 algorithm temporary symmetric key to obtain a ciphertext of the first key; encrypting the SM4 algorithm temporary symmetric key through the SM2 algorithm public key to obtain the SM4 algorithm temporary symmetric key ciphertext; and sending the ciphertext of the first key and the ciphertext of the SM4 algorithm temporary symmetric key to each destination cryptocard through the key synchronization queue.
In some embodiments, further comprising: when the target password card receives the ciphertext of the first key, the ciphertext of the first key is decrypted through the private key of the SM2 algorithm to obtain the first key, and the key identification in the target password card is set to exist so as to realize key synchronization; or, when the target cryptogram receives the cryptogram of the first key and the cryptogram of the SM4 algorithm temporary symmetric key, decrypting the cryptogram of the SM4 algorithm temporary symmetric key by the private key of the respective SM2 algorithm to obtain the SM4 algorithm temporary symmetric key; and decrypting the ciphertext of the first key by the obtained SM4 algorithm temporary symmetric key to obtain the first key, and setting the key identification in the target cipher card to exist so as to realize key synchronization.
In some embodiments, after sending the data packet to the queue whose load meets the predetermined condition for processing, the method further includes: detecting whether a first key exists in a password card where the queue with the load meeting a preset condition is located; under the condition that the first key does not exist, the data packet is sent to other queues with loads meeting the preset conditions for processing; and under the condition that a first key exists, performing cryptographic operation processing on the data packet by using the first key.
On the other hand, an embodiment of the present invention provides a data processing apparatus, including: the system comprises a creating module, a receiving module and a processing module, wherein the creating module is used for creating N queues for each password card respectively, and each cryptographic algorithm at least corresponds to one queue; the analysis module is used for analyzing the data packet under the condition of receiving the data packet so as to determine the algorithm type of the cryptographic algorithm corresponding to the data packet; the determining module is used for determining a queue with the load meeting a preset condition in the corresponding queues of all the password cards according to the algorithm type; and the data sending module is used for sending the data packet to the queue with the load meeting the preset condition for processing.
In some embodiments, further comprising: the system comprises a first generation module, a second generation module and a third generation module, wherein the first generation module is used for generating a first secret key required by cryptographic operation in a source cryptographic card, the source cryptographic card is any cryptographic card determined in all cryptographic cards in advance, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are destination cryptographic cards; the first obtaining module is used for obtaining the public key of the SM2 algorithm in each target cipher card through a key synchronization queue, wherein the key synchronization queue is one queue of the N queues;
the first encryption module is used for encrypting the first secret key according to the public key of the SM2 algorithm to obtain a ciphertext of the first secret key; and the first sending module is used for sending the ciphertext of the first key to each destination cryptocard through the key synchronization queue.
In some embodiments, further comprising: the second generation module is used for generating a first secret key and an SM4 algorithm temporary symmetric secret key required by cryptographic operation in a source cryptographic card, and setting a secret key identifier in the source cryptographic card to exist, wherein the source cryptographic card is any one cryptographic card determined in advance in all the cryptographic cards, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are target cryptographic cards; a second obtaining module, configured to obtain, through a key synchronization queue, a public key of an SM2 algorithm in each destination cryptographic card, where the key synchronization queue is one of the N queues; the second encryption module is used for encrypting the first key through the SM4 algorithm temporary symmetric key to obtain a ciphertext of the first key; encrypting the SM4 algorithm temporary symmetric key through the SM2 algorithm public key to obtain the SM4 algorithm temporary symmetric key ciphertext; and the second sending module is used for sending the ciphertext of the first key and the ciphertext of the SM4 algorithm temporary symmetric key to each destination cryptographic card through the key synchronization queue.
In some embodiments, further comprising: the first decryption module is used for decrypting the ciphertext of the first key through the private key of the respective SM2 algorithm under the condition that the target password card receives the ciphertext of the first key to obtain the first key, and setting the key identification in the target password card to exist so as to realize key synchronization; the second decryption module is used for decrypting the ciphertext of the SM4 algorithm temporary symmetric key through the private key of the SM2 algorithm of each destination password card under the condition that the destination password card receives the ciphertext of the first key and the ciphertext of the SM4 algorithm temporary symmetric key to obtain the SM4 algorithm temporary symmetric key; and decrypting the ciphertext of the first key by the obtained SM4 algorithm temporary symmetric key to obtain the first key, and setting the key identification in the target cipher card to exist so as to realize key synchronization.
In some embodiments, further comprising: the detection module is used for detecting whether a first key exists in the password card where the queue with the load meeting the preset condition is located; the data sending module is further configured to send the data packet to other queues whose loads meet a predetermined condition for processing in the absence of the first key; and the processing module is used for carrying out cryptographic operation processing on the data packet by using the first secret key under the condition that the first secret key exists.
In another aspect, an embodiment of the present invention provides a cryptographic engine, including: a data processing apparatus as claimed in any of the embodiments of the present invention.
The embodiment of the invention creates N queues on each cipher card, so that each state cipher algorithm at least corresponds to one queue, when a new data packet is received, the queue with less load at present can be searched according to the algorithm type of the state cipher algorithm corresponding to the data packet, and the data packet is distributed to the queue with less load at present for processing.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present disclosure, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a data processing method according to an embodiment of the present invention;
FIG. 2 is a flow chart of a key synchronization process provided by an embodiment of the present invention;
FIG. 3 is a flow chart of a cryptographic operation process according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the drawings of the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the described embodiments of the invention without any inventive step, are within the scope of protection of the invention.
Unless defined otherwise, technical or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The use of "first," "second," and the like, herein does not denote any order, quantity, or importance, but rather the terms "first," "second," and the like are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item preceding the word comprises the element or item listed after the word and its equivalent, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
To maintain the following description of the embodiments of the present invention clear and concise, a detailed description of known functions and known components of the invention have been omitted.
Each cryptographic card can calculate three categories of cryptographic algorithms (SM 2, SM3, and SM 4), however, the prior art does not perform corresponding processing for specific cryptographic operations, and the computing capabilities of different cryptographic algorithms are different, and if different cryptographic algorithms are added to one queue of the cryptographic card for processing, the efficiency of the cryptographic card cannot be maximized.
Based on the above considerations, an embodiment of the present invention provides a data processing method, whose flow is shown in fig. 1, and includes steps S101 to S103:
s101, respectively establishing N queues for each password card, wherein each cryptographic algorithm at least corresponds to one queue, and N is an integer larger than 2.
Because one password card usually calculates the three types of national password algorithms, N in the embodiment of the present invention is required to be greater than 2, otherwise, the password card cannot be compatible with the three types of national password algorithms, and the performance of the password card is lost. In the embodiment of the present invention, N may be 3, 4, or 6, and the specific value of N is not limited here as long as at least one separate processing queue exists for each category of cryptographic algorithm.
S102, under the condition that the data packet is received, analyzing the data packet to determine the algorithm type of the cryptographic algorithm corresponding to the data packet.
When a new data packet is received, the algorithm type of the required cryptographic algorithm can be determined as the data packet specifies what type of cryptographic algorithm needs to be adopted.
S103, determining queues with loads meeting preset conditions in corresponding queues of all the password cards according to the algorithm types, and sending the data packets to the queues with the loads meeting the preset conditions for processing.
The queue whose load meets the predetermined condition is actually to process the data packet in a load balancing manner, search the queue in the most idle state (the least unprocessed data currently) in all the queues of the same algorithm class, and send the new data packet to the queue. If the predetermined condition is set strictly, the number of queues with the load meeting the predetermined condition may be only one, and if the predetermined condition is set loosely, the number of queues with the load meeting the predetermined condition may be multiple. If it is determined that the loads of the queues all satisfy the predetermined condition, the new data packet may be further preferentially allocated to one of the queues according to the load condition for processing, and of course, since the loads of the queues all satisfy the predetermined condition, the new data packet may also be randomly allocated to any one of the queues whose loads satisfy the predetermined condition.
The embodiment of the invention creates N queues on each cipher card, so that each state cipher algorithm at least corresponds to one queue, when a new data packet is received, the queue with less load at present can be searched according to the algorithm type of the state cipher algorithm corresponding to the data packet, and the data packet is distributed to the queue with less load at present for processing.
The existing keys are transmitted from the outside to the inside of the cipher card, and although the keys ensure consistency, the security of the keys cannot be guaranteed, so the embodiment of the invention also provides a specific process for transmitting the keys. In specific implementation, different encryption processes are executed according to the required security level.
If the highest level of security is required, the strongest encryption process is required, which includes: (1) Generating a first secret key and an SM4 algorithm temporary symmetric secret key required by cryptographic operation in a source cryptographic card, and setting a secret key identifier in the source cryptographic card to exist, wherein the source cryptographic card is any one cryptographic card determined in all cryptographic cards in advance, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are target cryptographic cards; (2) Acquiring a public key of an SM2 algorithm in each target cipher card through a key synchronization queue, wherein the key synchronization queue is one of N queues; (3) Encrypting the first key by using the SM4 algorithm temporary symmetric key to obtain a ciphertext of the first key; (4) Encrypting the SM4 algorithm temporary symmetric key through the SM2 algorithm public key to obtain the SM4 algorithm temporary symmetric key ciphertext; (5) And sending the ciphertext of the first key and the ciphertext of the SM4 algorithm temporary symmetric key to each destination cryptocard through a key synchronization queue.
If there is no higher requirement for the security level, the encryption process may include: (1) Generating a first secret key required by cryptographic operation in a source cryptographic card, wherein the source cryptographic card is any one cryptographic card determined in advance in all the cryptographic cards, and the other cryptographic cards except the source cryptographic card in all the cryptographic cards are destination cryptographic cards; (2) Acquiring a public key of an SM2 algorithm in each target cipher card through a key synchronization queue, wherein the key synchronization queue is one of N queues; (3) Encrypting the first key according to the public key of the SM2 algorithm to obtain a ciphertext of the first key; (4) And sending the ciphertext of the first key to each destination cryptocard through the key synchronization queue.
The decryption process in the destination cryptographic card is correspondingly different corresponding to different encryption processes.
For the scheme of generating the first key and the SM4 algorithm temporary symmetric key in the source cipher card, under the condition that the target cipher card receives the ciphertext of the first key and the ciphertext of the SM4 algorithm temporary symmetric key, the ciphertext of the SM4 algorithm temporary symmetric key is decrypted by the respective private key of the SM2 algorithm to obtain the SM4 algorithm temporary symmetric key; and decrypting the ciphertext of the first key by the obtained SM4 algorithm temporary symmetric key to obtain the first key, and setting the key identification in the target cipher card to exist so as to realize key synchronization.
For the scheme of generating only the first key in the source cryptographic card, when the destination cryptographic card receives the ciphertext of the first key, the ciphertext of the first key is decrypted by the private key of the respective SM2 algorithm to obtain the first key, and the key identifier in the destination cryptographic card is set to exist, so as to implement key synchronization.
The target cipher card can accurately receive the ciphertext of the first key without disordering any encryption and decryption scheme, and the corresponding key is used for decrypting the ciphertext of the first key to obtain the first key, so that the synchronization of the first key is realized. The source password card is also any one password card determined in advance in all the password cards, the first secret key is generated in the source password card, one of the N queues is used as a queue for specially transmitting the secret key, the whole process does not involve any operation outside, and the safety of the secret key is guaranteed.
After the data packet is sent to the queue with the load meeting the predetermined condition for processing, whether a first key exists in the cryptographic card where the queue with the load meeting the predetermined condition is located needs to be detected.
If the first key exists in the cipher card where the queue is located, the first key can be used for carrying out cipher operation processing on the data packet. If the cipher card where the queue is located does not have the first key, the cipher card capable of processing the data packet needs to be determined again, and then the data packet is sent to other queues with loads meeting the preset conditions for processing; during specific implementation, if a plurality of queues with loads meeting the preset conditions can be determined at one time, directly determining that one queue sends a data packet, and detecting whether a first key exists in a password card where the queue with the loads meeting the preset conditions is located; if only one queue with the load meeting the preset conditions can be determined at one time, the queue with the load meeting the preset conditions needs to be determined again in the corresponding queues of other password cards according to the algorithm type, and then the data packet is sent.
In the following, taking fig. 2 and fig. 3 as an example, a scheme of generating a first key (hereinafter, simply referred to as a key, i.e. a key K, since there is no other generated key) and an SM4 algorithm temporary symmetric key in a source cryptographic card is taken as an example for explanation.
In order to improve the load capacity of the cryptographic card device, the embodiment of the invention sets 4 operation queues for each cryptographic card, the cryptographic operation queues store data packets to be processed, wherein the queue 0 is used as a key synchronization, the queues 1 to 3 are used as cryptographic operations, and the key synchronization and the cryptographic operation queues are processed separately. When the cryptographic operation is carried out, specific cryptographic operation types are distinguished, the problem of unreasonable load distribution is solved, and aiming at the current mainstream cryptographic algorithm (SM 2/SM3/SM 4), 3 cryptographic operation queues in each cryptographic card respectively correspond to one algorithm, for example, the queue 1 is an SM2 queue, the queue 2 is an SM3 queue, and the queue 3 is an SM4 queue.
In addition, there is a choice of key synchronization direction, specifically from which cryptographic card to synchronize, at the time of key synchronization. During implementation, one of the source password cards is selected as a source password card, the other password cards are selected as destination password cards, the source password card is appointed to be a number 0 password card, and the number of the other password cards is started from 1; in addition, it is agreed that there is a pair of SM2 device encryption keys within each cryptocard. The process sets the source and destination cryptocards to use when synchronizing keys. This embodiment may be as shown in fig. 2, and the specific process includes (1) to (7).
(1) And (3) starting key synchronization, and generating a key K required by cryptographic operation through the source cryptographic card when the key is generated, wherein the key mark in the cryptographic card is present.
(2) And executing key synchronization operation, acquiring SM2 equipment encryption public keys of all the target cipher cards through a key synchronization queue, and generating SM4 temporary symmetric keys by the source cipher card.
(3) And (3) encrypting the key K generated in the step (1) by using the SM4 temporary symmetric key in the source cipher card to obtain a cipher text of the key K.
(4) And encrypting the SM4 temporary symmetric key by using the SM2 equipment encryption public keys of all the target cipher cards in the source cipher card to obtain the ciphertext of the SM4 temporary symmetric key.
(5) And the source cipher card issues the cipher text of the key K in the step (3) and the cipher text of the SM4 temporary symmetric key in the step (4) to each destination cipher card through the key synchronization queue of each destination cipher card.
(6) After each target cipher card receives the cipher text of the key K and the cipher text of the SM4 temporary symmetric key, the SM2 equipment of each cipher card encrypts the private key and decrypts the cipher text of the SM4 temporary symmetric key to obtain the plaintext SM4 temporary symmetric key.
(7) And decrypting the ciphertext of the key K by the SM4 temporary symmetric key in each target cipher card to obtain a plaintext key K, and setting the key identification in the target cipher card as existing, namely finishing the key synchronization process.
According to the foregoing, each cryptographic card is provided with 3 cryptographic operation queues corresponding to cryptographic algorithms SM2, SM3, and SM4, respectively, the cryptographic card queues store data tasks to be processed, and when a new data packet is received, a cryptographic operation process can be started, where the process is shown in fig. 3, and specifically includes:
when a new data packet is received, judging which cryptographic algorithm is, and selecting a cryptographic card with lower load from the algorithm queues corresponding to all the cryptographic cards. And when the password card with lower load is selected from the algorithm queues corresponding to all the password cards, comparing the number of the data packets to be processed in the algorithm queue corresponding to each password card, wherein the password card with the lowest load is the password card with the lowest number to be processed. And after the cipher card with the lowest load is selected, judging whether the operation key K required in the cipher card is synchronized, namely whether the key K exists. If the data packet exists, the data packet is added into the algorithm queue corresponding to the password card. If the operation key K does not exist in the password cards with lower loads, an error can be returned, and the password cards with lower loads are selected from the rest password cards continuously, so that the data packets are processed continuously.
The embodiment of the invention uses the key synchronization function for ensuring the data security and the consistency of keys in the multiple encryption cards; according to the cipher machine based on the national cryptographic algorithm, when multiple cipher cards are used, the specific algorithm is used for specifically distributing and the cipher cards balance load, and the cryptographic operation capacity of the cipher cards is utilized to the maximum extent.
In the data processing scheme in the prior art, data packets are distributed to different cipher cards according to the number for processing, and the capability of ignoring different cipher operation processing data is different. Meanwhile, for the operation under multiple cipher cards, in order to ensure the safety of data operation, under the principle that a cipher key does not exist in the cipher card, the parallel operation under the multiple cipher cards also needs to consider the principle of consistency of the cipher keys of different cipher cards; furthermore, the above-mentioned allocating different data packets to different cryptographic cards for processing ignores that the operation efficiency and the operation rule of different cryptographic algorithms are different, and does not perform specific allocation for a specific algorithm, which results in a decrease in the utilization rate of the cryptographic cards. Based on the above thought, the embodiment of the invention provides a data processing device, which can be arranged in a cipher machine, wherein the cipher machine based on the national cryptographic algorithm uses a plurality of cipher cards, the processing performance of the cipher machine is improved by a scheme of the plurality of cipher cards, and how to schedule the plurality of cipher cards and how to improve the utilization efficiency of the plurality of cipher cards is also disclosed.
An embodiment of the present invention further provides a data processing apparatus, where a schematic structure of the apparatus is shown in fig. 4, and the apparatus includes:
a creating module 10, configured to create N queues for each cryptographic card, where each cryptographic algorithm corresponds to at least one queue, and N is an integer greater than 2; the analysis module 20 is coupled with the creation module 10 and is used for analyzing the data packet under the condition that the data packet is received so as to determine the algorithm type of the cryptographic algorithm corresponding to the data packet; a determining module 30, coupled to the parsing module 20, configured to determine, according to the algorithm type, a queue whose load meets a predetermined condition from among corresponding queues of all the cryptographic cards; and a data sending module 40, coupled to the determining module 30, for sending the data packet to a queue whose load meets a predetermined condition for processing.
Because one password card usually calculates the three types of national password algorithms, N in the embodiment of the present invention is required to be greater than 2, otherwise, the password card cannot be compatible with the three types of national password algorithms, and the performance of the password card is lost. In the embodiment of the present invention, N may be 3, 4, or 6, and the specific value of N is not limited herein as long as at least one separate processing queue exists for each type of cryptographic algorithm.
When a new packet is received, the parsing module 20 may determine the algorithm type of the required cryptographic algorithm, since the packet will specify what type of cryptographic algorithm needs to be taken.
The determining module 30 determines that the queue whose load meets the predetermined condition actually processes the data packet in a load balancing manner, searches for the queue in the most idle state (the least unprocessed data currently) in all queues of the same algorithm type, and sends the new data packet to the queue, so that the processing efficiency is greatly improved compared with the case where the same queue needs to process multiple algorithms because the queue processes one type of cryptographic algorithm. If the predetermined condition is set strictly, the number of queues with the load meeting the predetermined condition may be only one, and if the predetermined condition is set loosely, the number of queues with the load meeting the predetermined condition may be multiple. If it is determined that the loads of the queues all satisfy the predetermined condition, the new data packet may be further preferentially allocated to one of the queues according to the load condition for processing, and of course, since the loads of the queues all satisfy the predetermined condition, the new data packet may also be randomly allocated to any one of the queues whose loads satisfy the predetermined condition.
The embodiment of the invention creates N queues on each cipher card, so that each state cipher algorithm at least corresponds to one queue, when a new data packet is received, the queue with less load at present can be searched according to the algorithm type of the state cipher algorithm corresponding to the data packet, and the data packet is distributed to the queue with less load at present for processing.
Because the existing keys are all transmitted from the outside to the inside of the cipher card, the keys ensure the consistency, but the security of the keys cannot be guaranteed, therefore, the embodiment of the invention can also execute different encryption processes according to the required security level.
For the first encryption method, the data processing apparatus may further include:
the system comprises a first generation module, a second generation module and a third generation module, wherein the first generation module is used for generating a first secret key required by cryptographic operation in a source cryptographic card, the source cryptographic card is any cryptographic card determined in all cryptographic cards in advance, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are destination cryptographic cards; the first acquisition module is coupled with the first generation module and used for acquiring the public key of the SM2 algorithm in each destination cryptocard through a key synchronization queue, wherein the key synchronization queue is one of N queues; the first encryption module is coupled with the first acquisition module and used for encrypting the first key according to the public key of the SM2 algorithm to obtain a ciphertext of the first key; and the first sending module is coupled with the first encryption module and used for sending the ciphertext of the first key to each destination cryptocard through the key synchronization queue.
For the second encryption method, the data processing apparatus may further include: the second generation module is used for generating a first secret key and an SM4 algorithm temporary symmetric secret key required by cryptographic operation in a source cryptographic card, and setting a secret key identifier in the source cryptographic card to exist, wherein the source cryptographic card is any one cryptographic card determined in all the cryptographic cards in advance, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are target cryptographic cards; the second obtaining module is coupled with the second generating module and used for obtaining the public key of the SM2 algorithm in each destination cryptographic card through a key synchronization queue, wherein the key synchronization queue is one of the N queues; the second encryption module is coupled with the second acquisition module and used for encrypting the first key through the SM4 algorithm temporary symmetric key to obtain a ciphertext of the first key; encrypting the SM4 algorithm temporary symmetric key through the SM2 algorithm public key to obtain the SM4 algorithm temporary symmetric key ciphertext; and the second sending module is coupled with the second encryption module and used for sending the ciphertext of the first key and the ciphertext of the SM4 algorithm temporary symmetric key to each destination cryptocard through the key synchronization queue.
The decryption process in the destination cryptographic card is correspondingly different corresponding to different encryption processes. The above apparatus may further include: the first decryption module is used for decrypting the ciphertext of the first key through the private key of the respective SM2 algorithm under the condition that the target password card receives the ciphertext of the first key to obtain the first key, and setting the key identification in the target password card to exist so as to realize key synchronization; the second decryption module is used for decrypting the ciphertext of the SM4 algorithm temporary symmetric key through the private key of the SM2 algorithm of each destination password card under the condition that the destination password card receives the ciphertext of the first key and the ciphertext of the SM4 algorithm temporary symmetric key to obtain the SM4 algorithm temporary symmetric key; and decrypting the ciphertext of the first key by the obtained SM4 algorithm temporary symmetric key to obtain the first key, and setting the key identification in the target cipher card to exist to realize key synchronization.
The target cipher card can accurately receive the ciphertext of the first key without disordering any encryption and decryption scheme, and the corresponding key is used for decrypting the ciphertext of the first key to obtain the first key, so that the synchronization of the first key is realized. The source password card is also any one password card determined in advance in all the password cards, the first secret key is generated in the source password card, one of the N queues is used as a queue for specially transmitting the secret key, the whole process does not involve any operation outside, and the safety of the secret key is guaranteed.
In a preferred embodiment, the data processing apparatus may further include: the detection module is used for detecting whether a first key exists in a password card where a queue with a load meeting a preset condition is located; the data sending module is coupled with the detection module and is also used for sending the data packet to other queues with loads meeting the preset conditions for processing under the condition that the first secret key does not exist; and the processing module is coupled with the detection module and used for carrying out cryptographic operation processing on the data packet by using the first key under the condition that the first key exists.
An embodiment of the present invention further provides a cryptographic engine, where the cryptographic engine uses a plurality of cryptographic cards, and includes the data processing apparatus in the foregoing embodiment, and details regarding a specific structure of the data processing apparatus are not described here, which is referred to in the foregoing embodiment.
The invention has the following effects:
1. the problem of key consistency under the existing multi-password card is solved, a key synchronization function is adopted, and a queue used by the key synchronization function is distinguished from a password operation queue, so that the password operation capability is not influenced.
As described above, when the keys are synchronized, there is a choice of the key synchronization direction, one is selected as the source cryptographic card, and the other cryptographic cards are selected as the destination cryptographic cards, and when the keys are synchronized, the keys in the source cryptographic card are synchronized to each destination cryptographic card respectively. Therefore, the key of each password card is consistent, and the password can be invoked indiscriminately during multi-card password operation.
2. The problem of load balancing under the existing multi-password cards is solved, the technology adopts the steps of expanding a password operation queue of the password cards, matching the password operation queue with an algorithm aiming at a mainstream national password algorithm, and distinguishing the password operations because different password operation capacities are different, so that the efficiency of the password cards can be more greatly exerted.
The embodiment of the invention stores the key required by the operation in the password card through the key consistency processing, thereby ensuring the security of the password operation data; the processing capacity of the cryptographic operation under multiple cards is improved, and the cryptographic operation efficiency is greatly improved by matching different cryptographic algorithm types during operation.
Moreover, although exemplary embodiments have been described herein, the scope thereof includes any and all embodiments based on the invention with equivalent elements, modifications, omissions, combinations (e.g., of various embodiments across), adaptations or alterations. The elements of the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. It is intended, therefore, that the specification and examples be considered as exemplary only, with a true scope and spirit being indicated by the following claims and their full scope of equivalents.
The above description is intended to be illustrative and not restrictive. For example, the above-described examples (or one or more versions thereof) may be used in combination with each other. For example, other embodiments may be utilized by those of ordinary skill in the art upon reading the foregoing description. In addition, in the above-described embodiments, various features may be grouped together to streamline the disclosure. This should not be interpreted as an intention that a disclosed feature not claimed is essential to any claim. Rather, inventive subject matter may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the detailed description as examples or embodiments, with each claim standing on its own as a separate embodiment, and it is contemplated that these embodiments may be combined with each other in various combinations or permutations. The scope of the invention should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.
While the embodiments of the present invention have been described in detail, the present invention is not limited to these specific embodiments, and those skilled in the art can make various modifications and modifications of the embodiments based on the concept of the present invention, which fall within the scope of the present invention as claimed.

Claims (10)

1. A method of data processing, comprising:
respectively establishing N queues for each password card, wherein each cryptographic algorithm at least corresponds to one queue, and N is an integer greater than 2;
under the condition of receiving a data packet, analyzing the data packet to determine the algorithm type of a cryptographic algorithm corresponding to the data packet;
and determining queues with loads meeting preset conditions in corresponding queues of all the password cards according to the algorithm types, and sending the data packets to the queues with the loads meeting the preset conditions for processing.
2. The data processing method of claim 1, further comprising:
generating a first secret key required by cryptographic operation in a source cryptographic card, wherein the source cryptographic card is any one cryptographic card determined in advance in all cryptographic cards, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are destination cryptographic cards;
acquiring a public key of an SM2 algorithm in each target cipher card through a key synchronization queue, wherein the key synchronization queue is one of the N queues;
encrypting the first key according to the public key of the SM2 algorithm to obtain a ciphertext of the first key;
and sending the ciphertext of the first key to each destination cryptocard through the key synchronization queue.
3. The data processing method of claim 1, further comprising:
generating a first secret key and an SM4 algorithm temporary symmetric secret key required by cryptographic operation in a source cryptographic card, and setting a secret key identifier in the source cryptographic card to exist, wherein the source cryptographic card is any one cryptographic card determined in advance in all the cryptographic cards, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are target cryptographic cards;
acquiring a public key of an SM2 algorithm in each target cipher card through a key synchronization queue, wherein the key synchronization queue is one of the N queues;
encrypting the first key through the SM4 algorithm temporary symmetric key to obtain a ciphertext of the first key;
encrypting the SM4 algorithm temporary symmetric key through the SM2 algorithm public key to obtain the SM4 algorithm temporary symmetric key ciphertext;
and sending the ciphertext of the first key and the ciphertext of the SM4 algorithm temporary symmetric key to each destination cryptocard through the key synchronization queue.
4. A data processing method according to claim 2 or 3, further comprising:
when the target password card receives the ciphertext of the first key, the ciphertext of the first key is decrypted through the private key of the SM2 algorithm to obtain the first key, and the key identification in the target password card is set to exist so as to realize key synchronization; alternatively, the first and second liquid crystal display panels may be,
under the condition that the target password card receives the ciphertext of the first secret key and the ciphertext of the SM4 algorithm temporary symmetric key, decrypting the ciphertext of the SM4 algorithm temporary symmetric key through respective private keys of the SM2 algorithm to obtain the SM4 algorithm temporary symmetric key; and decrypting the ciphertext of the first key by the obtained SM4 algorithm temporary symmetric key to obtain the first key, and setting the key identification in the target cipher card to exist so as to realize key synchronization.
5. The data processing method of claim 4, wherein after sending the data packet to the queue whose load meets a predetermined condition for processing, further comprising:
detecting whether a first key exists in a password card where the queue with the load meeting a preset condition is located;
under the condition that the first key does not exist, the data packet is sent to other queues with loads meeting a preset condition for processing;
and if the first key exists, performing cryptographic operation processing on the data packet by using the first key.
6. A data processing apparatus, comprising:
the system comprises a creating module, a judging module and a processing module, wherein the creating module is used for creating N queues for each password card respectively, each cryptographic algorithm at least corresponds to one queue, and N is an integer greater than 2;
the analysis module is used for analyzing the data packet under the condition of receiving the data packet so as to determine the algorithm type of the cryptographic algorithm corresponding to the data packet;
the determining module is used for determining a queue with the load meeting the preset conditions in the corresponding queues of all the password cards according to the algorithm type;
and the data sending module is used for sending the data packet to the queue with the load meeting the preset condition for processing.
7. The data processing apparatus of claim 6, further comprising:
the system comprises a first generation module, a second generation module and a third generation module, wherein the first generation module is used for generating a first secret key required by cryptographic operation in a source cryptographic card, the source cryptographic card is any cryptographic card determined in all cryptographic cards in advance, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are destination cryptographic cards;
the first obtaining module is used for obtaining the public key of the SM2 algorithm in each target cipher card through a key synchronization queue, wherein the key synchronization queue is one queue of the N queues;
the first encryption module is used for encrypting the first secret key according to the public key of the SM2 algorithm to obtain a ciphertext of the first secret key;
and the first sending module is used for sending the ciphertext of the first key to each destination cryptocard through the key synchronization queue.
8. The data processing apparatus of claim 6, further comprising:
the second generation module is used for generating a first secret key and an SM4 algorithm temporary symmetric secret key required by cryptographic operation in a source cryptographic card, and setting a secret key identifier in the source cryptographic card to exist, wherein the source cryptographic card is any one cryptographic card determined in advance in all the cryptographic cards, and other cryptographic cards except the source cryptographic card in all the cryptographic cards are target cryptographic cards;
a second obtaining module, configured to obtain, through a key synchronization queue, a public key of an SM2 algorithm in each destination cryptographic card, where the key synchronization queue is one of the N queues;
the second encryption module is used for encrypting the first key through the SM4 algorithm temporary symmetric key to obtain a ciphertext of the first key; encrypting the SM4 algorithm temporary symmetric key through the SM2 algorithm public key to obtain the SM4 algorithm temporary symmetric key ciphertext;
and the second sending module is used for sending the ciphertext of the first key and the ciphertext of the SM4 algorithm temporary symmetric key to each destination cryptocard through the key synchronization queue.
9. The data processing apparatus of claim 7 or 8, further comprising:
the detection module is used for detecting whether a first key exists in the password card where the queue with the load meeting the preset condition is located;
the data sending module is further configured to send the data packet to other queues whose loads meet a predetermined condition for processing in the absence of the first key;
and the processing module is used for carrying out cryptographic operation processing on the data packet by using the first secret key under the condition that the first secret key exists.
10. A cryptographic engine, comprising: the data processing apparatus of any one of claims 6 to 9.
CN202010927585.7A 2020-09-07 2020-09-07 Data processing method and device and cipher machine Active CN112073192B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010927585.7A CN112073192B (en) 2020-09-07 2020-09-07 Data processing method and device and cipher machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010927585.7A CN112073192B (en) 2020-09-07 2020-09-07 Data processing method and device and cipher machine

Publications (2)

Publication Number Publication Date
CN112073192A CN112073192A (en) 2020-12-11
CN112073192B true CN112073192B (en) 2023-01-10

Family

ID=73663680

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010927585.7A Active CN112073192B (en) 2020-09-07 2020-09-07 Data processing method and device and cipher machine

Country Status (1)

Country Link
CN (1) CN112073192B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113420310B (en) * 2021-07-01 2022-05-17 上海交通大学 State cryptographic algorithm detection method in Android application
CN113572611B (en) * 2021-09-27 2022-01-11 渔翁信息技术股份有限公司 Key processing method and device and electronic device
CN116668026B (en) * 2023-08-02 2023-10-31 北京国信云是科技有限公司 Method, device, equipment and storage medium for processing password card data

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018014723A1 (en) * 2016-07-20 2018-01-25 腾讯科技(深圳)有限公司 Key management method, apparatus, device and system
CN209625213U (en) * 2019-05-22 2019-11-12 神州龙芯(江苏)智能科技有限公司 A kind of PCI-E interface cipher card based on CCP903T chip
CN111258756A (en) * 2020-01-09 2020-06-09 奇安信科技集团股份有限公司 Load balancing method and device, computer equipment and readable storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11290258B2 (en) * 2019-02-22 2022-03-29 Panasonic Avionics Corporation Hybrid cryptographic system and method for encrypting data for common fleet of vehicles

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018014723A1 (en) * 2016-07-20 2018-01-25 腾讯科技(深圳)有限公司 Key management method, apparatus, device and system
CN209625213U (en) * 2019-05-22 2019-11-12 神州龙芯(江苏)智能科技有限公司 A kind of PCI-E interface cipher card based on CCP903T chip
CN111258756A (en) * 2020-01-09 2020-06-09 奇安信科技集团股份有限公司 Load balancing method and device, computer equipment and readable storage medium

Also Published As

Publication number Publication date
CN112073192A (en) 2020-12-11

Similar Documents

Publication Publication Date Title
CN112073192B (en) Data processing method and device and cipher machine
US11329965B2 (en) Method for dynamic encryption and signing, terminal, and server
US10291590B2 (en) Communication system, communication apparatus, communication method, and computer program product
CN106357396B (en) Digital signature method and system and quantum key card
CN107038383B (en) Data processing method and device
CN106533669B (en) The methods, devices and systems of equipment identification
US20050154896A1 (en) Data communication security arrangement and method
CN106972927B (en) Encryption method and system for different security levels
US20140013101A1 (en) Communication device, key generating device, and computer readable medium
US8200960B2 (en) Tracking of resource utilization during cryptographic transformations
US11784815B2 (en) Method of time-delay encryption with keyword search and system using the same
US11626976B2 (en) Information processing system, information processing device, information processing method and information processing program
CN109347839A (en) Centralized password management method and centralized password management, device, electronic equipment and computer storage medium
JP4079319B2 (en) IDENTIFICATION INFORMATION GENERATION DEVICE, IDENTIFICATION INFORMATION RESOLUTION DEVICE, INFORMATION SYSTEM USING THEM, CONTROL METHOD AND PROGRAM THEREOF
EP2922236B1 (en) Authentication by use of symmetric and asymmetric cryptography
EP2246800A1 (en) Process distribution system, authentication server, distribution server, and process distribution method
EP2429117A2 (en) Cryptographic device management method, cryptographic device management server, and program
CN117077123A (en) Service processing method and device for multiple password cards and electronic equipment
CN113992427A (en) Data encryption sending method and device based on adjacent nodes
CN112738037B (en) Data encryption communication method
SE526070C2 (en) Synchronizing method of communication session between e.g. enterprise and employees, involves performing handshake procedure to synchronize session counters of communication units by successively communicated signatures
CN116155491B (en) Symmetric key synchronization method of security chip and security chip device
US20230114198A1 (en) Device in network
CN106487761B (en) Message transmission method and network equipment
CN110247925A (en) Power distribution automation information interacting method, system, terminal and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant