CN112636927B - KPI (Key performance indicator) double-certificate-based cloud platform encryption method - Google Patents


Info

Publication number: CN112636927B
Authority: CN (China)
Prior art keywords: key, certificate, user, password, signature
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202011578370.5A
Other languages: Chinese (zh)
Other versions: CN112636927A
Inventors: 贾小松, 宋星, 董安琪, 张路路
Current assignee: Zhengzhou Xinda Institute of Advanced Technology (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Zhengzhou Xinda Institute of Advanced Technology
Events: application filed by Zhengzhou Xinda Institute of Advanced Technology; priority to CN202011578370.5A; publication of CN112636927A; application granted; publication of CN112636927B; legal status active; anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31: User authentication
    • G06F 21/33: User authentication using certificates
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00: Arrangements for program control, e.g. control units
    • G06F 9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44: Arrangements for executing specific programs
    • G06F 9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533: Hypervisors; Virtual machine monitors
    • G06F 9/45558: Hypervisor-specific management and integration aspects
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/0822: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0877: Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L 9/3268: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a PKI double-certificate-based cloud platform encryption method comprising the following steps: after a user has legitimately logged in to the cloud management platform, the platform receives a cryptographic virtual machine request form submitted by the user, creates the cryptographic virtual machine according to that form, generates its configuration file, and applies for resources to start it; the user logs in to the cryptographic virtual machine, receives the encryption key usage request form it returns, and sends that form to the key management center through the cloud management platform; the key management center returns an encryption key pair to the user through the cloud management platform; and the user logs in to the cryptographic virtual machine, sends the encryption key pair to it, and executes the key injection program.

Description

PKI double-certificate-based cloud platform encryption method
Technical Field
The invention relates to a cloud platform encryption method, in particular to a cloud platform encryption method based on PKI double certificates.
Background
The use of digital certificates in cloud environments is still at an initial stage. In commercial applications, Alibaba at home and Amazon abroad hold the larger market shares, and both use a single-certificate model: the user keeps a single asymmetric key pair, which is injected into the requested cryptographic virtual machine for signature verification and cryptographic operations when it is used. If that private key is lost, information encrypted with it earlier cannot be recovered.
To solve this problem, people have long been seeking an ideal technical solution.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a PKI dual-certificate-based cloud platform cryptographic method.
To achieve this purpose, the invention adopts the following technical scheme. A PKI dual-certificate-based cloud platform encryption method comprises the following steps:
Creation and start-up of the cryptographic virtual machine
A user logs in to the cloud management platform after passing signature verification on the platform, using a self-held cryptographic device that contains a signature certificate and a signature private key;
the cloud management platform receives the cryptographic virtual machine request form submitted by the user, dynamically allocates an IP address to the cryptographic virtual machine from a controlled IP address range according to current usage, and randomly generates a login password for it; it combines the request form, the IP address and the login password into a cryptographic virtual machine configuration file, applies for resources according to that configuration file, and starts the cryptographic virtual machine for the user to log in to;
Key application of the cryptographic virtual machine
The user logs in to the cryptographic virtual machine, which generates an encryption key usage request form; the user forwards that form to the key management center through the cloud management platform;
the key management center receives the encryption key usage request form, obtains an encryption key pair, and returns it to the user through the cloud management platform;
Key injection of the cryptographic virtual machine
The user logs in to the cryptographic virtual machine and sends the encryption key pair to it;
and the cryptographic virtual machine executes a key injection program to inject the encryption key pair into itself.
Based on the above, the cryptographic virtual machine request form comprises the user information and the requirements for algorithm key strength, cryptographic resources, general CPU resources, memory resources and hard disk resources.
Based on the above, after receiving the cryptographic virtual machine request form submitted by the user, the cloud management platform audits the user's permissions according to the user information; only after that audit passes does it apply for resources according to the cryptographic virtual machine configuration file and start the cryptographic virtual machine.
Based on the above, the user logs in to the cloud management platform through a self-held cryptographic device containing a signature certificate and a signature private key, after passing signature verification on the platform; the specific steps are as follows: the user connects the self-held cryptographic device containing the signature certificate and the signature private key to a login terminal, calls the signature private key to generate a signature, and sends the signature and the signature certificate to the cloud management platform; the cloud management platform obtains the signature public key from the signature certificate, calls that public key to verify the signature, and returns legitimate-login information to the user once verification passes.
Based on the above, before the user connects the self-held cryptographic device containing the signature certificate and the signature private key to the login terminal, the method further comprises a signature certificate issuing step:
the user registers and fills in user information;
the user calls the self-held cryptographic device to generate the key pair of the signature certificate, and the public key of that key pair and the user information are sent to a third-party certificate authority CA;
and the third-party certificate authority CA generates a user certificate from the public key of the signature key pair and the user information, calls the CA's private key to sign the user certificate, thereby producing the signature certificate, and returns the signature certificate to the user for installation.
Based on the above, after issuing the signature certificate, the third-party certificate authority CA requests an encryption key pair from the key management center, generates a user certificate from the public key of the obtained encryption key pair and the user information, and calls the CA's private key to sign that user certificate, thereby producing the encryption certificate; the encryption certificate and the encryption key pair are stored, bound together, in the LDAP key management library, and the certificate number of the encryption certificate is returned to the user.
Based on the above, in the key application stage of the cryptographic virtual machine, after the user has logged in, the cryptographic virtual machine generates a temporary key pair, calls the public key of the key management center to encrypt the user information and the public key of the temporary key pair, and concatenates the results to form the encryption key usage request form; the user information includes the certificate number of the encryption certificate.
Based on the above, the step in which the key management center, after receiving the encryption key usage request form, obtains an encryption key pair and returns it to the user through the cloud management platform specifically comprises:
after receiving the encryption key usage request form, the key management center calls its own private key to decrypt the form and obtains the user information and the public key of the temporary key pair; it searches the LDAP key management library for the encryption certificate and encryption key pair stored for the user, using the certificate number of the encryption certificate in the user information; it calls the public key of the temporary key pair to encrypt the encryption key pair, calls the private key of the key management center to encrypt the user information together with the ciphertext of the encryption key pair, and concatenates these into the key application result, which it returns to the cloud management platform; the cloud management platform sends the key application result to the user.
Based on the above, in the key injection stage of the cryptographic virtual machine, after receiving the key application result, the cryptographic virtual machine calls the public key of the key management center to decrypt the key application result and obtains the user information, the encryption certificate and the ciphertext of the encryption key pair; it calls the private key of the temporary key pair to decrypt that ciphertext, obtains the encryption key pair, and executes the key injection program to inject the encryption key pair into the cryptographic virtual machine.
Compared with the prior art, the cloud platform cryptographic method based on the PKI dual-certificate system has substantive distinguishing features and represents notable progress. Specifically, a cloud platform cryptographic method based on the PKI dual-certificate system is constructed in which the signature certificate resides on the user's cryptographic device while the cryptographic virtual machine is built on the cloud platform and holds the encryption certificate, so that the user's encryption and signature functions are logically separated; when the encryption key is lost, a backup can be obtained from a third party for decryption. Security is high, and the method is particularly suitable for government-affairs cloud platforms.
Meanwhile, the cryptographic virtual machine is allocated for a cryptographic service and reclaimed once that service finishes, so a cryptographic virtual machine must be generated, and the encryption certificate obtained from the key management center, each time a cryptographic service is executed; this reduces the risk of losing the encryption certificate and ensures its storage security.
Also, in the key application and injection process, a temporary public/private key pair of the cryptographic virtual machine and the public/private key pair of the key management center are additionally provided, which secures the encryption certificate's key pair pub/pri during the key application stage and the key injection stage of the cryptographic virtual machine vcm.
Drawings
FIG. 1 is a schematic flow diagram of the present invention.
Fig. 2 is a flow chart of key application and key injection according to the present invention.
Detailed Description
The technical solution of the present invention is further described in detail by the following embodiments.
As shown in FIG. 1, a PKI dual-certificate-based cloud platform cryptographic method includes the following steps:
Creation and start-up of the cryptographic virtual machine vcm
A user logs in to the cloud management platform after passing signature verification on the platform, using a self-held cryptographic device that contains a signature certificate and a signature private key;
in a specific implementation, the steps of this process are as follows: the user connects the self-held cryptographic device containing the signature certificate and the signature private key to a login terminal, calls the signature private key to generate a signature, and sends the signature and the signature certificate to the cloud management platform; the cloud management platform obtains the signature public key from the signature certificate, calls that public key to verify the signature, and returns legitimate-login information to the user once verification passes.
The cloud management platform receives the cryptographic virtual machine request form submitted by the user, dynamically allocates an IP address to the cryptographic virtual machine vcm from a controlled IP address range according to current usage, and randomly generates a login password for the vcm; it combines the request form, the IP address of the vcm and the login password into a vcm configuration file, applies for resources according to that configuration file, and starts the cryptographic virtual machine vcm for the user to log in to. Preferably, the cryptographic virtual machine request form comprises the user information and the requirements for algorithm key strength, cryptographic resources, general CPU resources, memory resources and hard disk resources.
It can be understood that, after the cloud management platform receives the cryptographic virtual machine request form submitted by the user, it can further check the user's authority according to the user information and create the cryptographic virtual machine vcm according to the content of the request form only after that check passes, which ensures that only a user with the required authority can create a cryptographic virtual machine vcm.
Under normal conditions, the cryptographic virtual machine vcm requested by the user is a bare machine with basic cryptographic functions; it must be configured before it can be used normally, and the core of that configuration is injecting the vcm's key. The complete key application and injection process involves four parties: the deployed cryptographic virtual machine vcm requested by the user, the key management center KMC, the cloud management platform, and the user. The key management center KMC manages the certificate resource pool and can distribute a certificate and private key to the cryptographic virtual machine vcm; the cloud management platform is the management front end of the cloud platform; the user initiates the key application and injection and is the intermediary that transfers the keys from the key management center KMC to the cryptographic virtual machine vcm.
The whole key application and injection process transmits the encryption key from the key management center KMC to the cryptographic virtual machine vcm; it comprises the following specific steps:
Key application of the cryptographic virtual machine vcm
The user logs in to the cryptographic virtual machine vcm, which generates an encryption key usage request form; the user forwards that form to the key management center KMC through the cloud management platform;
the key management center KMC, after receiving the encryption key usage request form, obtains the encryption key pair pub/pri and returns it to the user through the cloud management platform;
Key injection of the cryptographic virtual machine vcm
The user logs in to the cryptographic virtual machine vcm and sends the encryption key pair pub/pri to it;
and the cryptographic virtual machine vcm executes the key injection program and injects the encryption key pair pub/pri into itself.
Specifically, as shown in FIG. 2, the key application of the cryptographic virtual machine vcm comprises the following steps:
after the user logs in, the cryptographic virtual machine vcm generates a temporary key pair, calls the public key of the key management center KMC to encrypt the user information and the public key of the temporary key pair, and concatenates the results into the encryption key usage request form; the form is returned to the user and forwarded to the key management center KMC through the cloud management platform. The user information includes the certificate number of the encryption certificate.
After receiving the encryption key usage request form, the key management center KMC calls its own private key to decrypt the form and obtains the user information and the public key of the temporary key pair; it searches the LDAP key management library for the encryption certificate and encryption key pair pub/pri stored for the user, using the certificate number of the encryption certificate in the user information; it calls the public key of the temporary key pair to encrypt the encryption key pair pub/pri, calls the private key of the key management center KMC to encrypt the user information together with the ciphertext of the encryption key pair pub/pri, and concatenates these into the key application result, which it returns to the cloud management platform; the cloud management platform sends the key application result to the user.
Specifically, as shown in FIG. 2, the key injection of the cryptographic virtual machine vcm comprises the following steps:
the user logs in to the cryptographic virtual machine vcm and sends the key application result to it;
after receiving the key application result, the cryptographic virtual machine vcm calls the public key of the key management center KMC to decrypt it and obtains the user information and the ciphertext of the encryption key pair pub/pri; it calls the private key of the temporary key pair to decrypt that ciphertext, obtains the encryption key pair pub/pri, and executes the key injection program to inject the encryption key pair pub/pri into the cryptographic virtual machine vcm.
Clearly, to secure the encryption key pair pub/pri during the key application phase and the key injection phase of the cryptographic virtual machine vcm, two public/private key pairs are involved in the process:
tempPub/tempPri: a temporary key pair generated by the cryptographic virtual machine vcm; its private key tempPri is held by the vcm and is invisible to the user, and its public key tempPub is used to encrypt, for transmission, the encryption key pair pub/pri requested from the key management center KMC.
BarPub/BarPri: the public/private key pair of the key management center KMC; its public key BarPub is stored in the cryptographic virtual machine vcm in the form of a certificate, and its private key BarPri is kept secret by the key management center KMC.
The whole application and injection process transmits the encryption key pair pub/pri from the key management center KMC to the cryptographic virtual machine vcm.
In the initial state, the key management center KMC holds BarPri and pub/pri, and the cryptographic virtual machine vcm holds BarPub, tempPub/tempPri and the user information. After the injection process finishes, the cryptographic virtual machine vcm has obtained pub/pri from the key management center KMC.
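The two-key-pair exchange of FIG. 2, as an added worked example in Go that is not part of the patent or of any implementation by the assignee; it also serves the summary of the same key application and key injection steps in the Disclosure section above. The request form is userInfo || tempPub encrypted to BarPub; the KMC decrypts with BarPri, encrypts the stored pub/pri to tempPub and signs userInfo || ciphertext with BarPri (the page's "encrypt with the KMC private key", which only the holder of BarPri can produce and anyone holding BarPub can check, is realised here as an RSA-PSS signature); the vcm verifies with BarPub, checks that the user information is its own, and only then decrypts with tempPri. RSA-OAEP, RSA-PSS, the 0x00 field separator, the key sizes and the in-memory map standing in for the LDAP key management library are all assumptions of the example; the page specifies none of them, and the pub/pri pair is carried as an opaque constructed byte string. A 3072-bit BarPub is used so that the request fits a single OAEP block; a deployment carrying larger payloads would wrap a symmetric key instead.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// KMC holds BarPri and an in-memory stand-in for the LDAP key management library
// (encryption-certificate number -> serialized pub/pri pair).
type KMC struct {
	barKey *rsa.PrivateKey
	store  map[string][]byte
}

// VCM holds BarPub, the temporary pair (tempPri never leaves the vcm) and the user
// information, reduced here to the encryption-certificate number it must contain.
type VCM struct {
	barPub   *rsa.PublicKey
	tempKey  *rsa.PrivateKey
	userInfo string
	Injected []byte // pub/pri, set once the key injection program has run
}

// NewRequest builds the encryption key usage request form: RSA-OAEP(BarPub, userInfo || 0x00 || tempPub).
func (v *VCM) NewRequest() ([]byte, error) {
	msg := append([]byte(v.userInfo+"\x00"), x509.MarshalPKCS1PublicKey(&v.tempKey.PublicKey)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, v.barPub, msg, nil)
}

// HandleRequest is the KMC side: decrypt with BarPri, look up pub/pri by certificate number,
// encrypt it to tempPub, then sign userInfo || ciphertext with BarPri to form the key application result.
func (k *KMC) HandleRequest(req []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, k.barKey, req, nil)
	if err != nil {
		return nil, err
	}
	info, tempDER, ok := bytes.Cut(plain, []byte{0}) // the user information carries no 0x00 byte
	if !ok {
		return nil, errors.New("malformed request form")
	}
	tempPub, err := x509.ParsePKCS1PublicKey(tempDER)
	if err != nil {
		return nil, err
	}
	pubpri, found := k.store[string(info)]
	if !found {
		return nil, errors.New("no encryption certificate stored for " + string(info))
	}
	c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, tempPub, pubpri, nil)
	if err != nil {
		return nil, err
	}
	body := bytes.Join([][]byte{info, c}, []byte{0})
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, k.barKey, crypto.SHA256, digest[:], nil)
	return append(body, sig...), err
}

// Inject is the vcm's key injection program: verify the BarPub signature, check that the
// user information is this vcm's own, then decrypt pub/pri with tempPri and install it.
func (v *VCM) Inject(result []byte) error {
	n := v.barPub.Size()
	if len(result) < n {
		return errors.New("key application result too short")
	}
	body, sig := result[:len(result)-n], result[len(result)-n:]
	digest := sha256.Sum256(body)
	if rsa.VerifyPSS(v.barPub, crypto.SHA256, digest[:], sig, nil) != nil {
		return errors.New("key application result not signed by the KMC")
	}
	info, c, ok := bytes.Cut(body, []byte{0})
	if !ok || string(info) != v.userInfo {
		return errors.New("user information mismatch")
	}
	pubpri, err := rsa.DecryptOAEP(sha256.New(), nil, v.tempKey, c, nil)
	v.Injected = pubpri // nil when decryption failed
	return err
}

// Run wires up one KMC and one vcm with constructed keys, executes the whole flow and
// returns both parties plus the pair the KMC stored, so a caller can compare it with Injected.
func Run() (*KMC, *VCM, []byte, error) {
	barKey, _ := rsa.GenerateKey(rand.Reader, 3072) // BarPub/BarPri; 3072 bits so the request fits one OAEP block
	tempKey, _ := rsa.GenerateKey(rand.Reader, 2048) // tempPub/tempPri
	stored := []byte("constructed stand-in for the DER-encoded pub/pri pair issued through the CA")
	kmc := &KMC{barKey: barKey, store: map[string][]byte{"ENC-0001": stored}}
	vcm := &VCM{barPub: &barKey.PublicKey, tempKey: tempKey, userInfo: "ENC-0001"}
	req, err := vcm.NewRequest()
	if err != nil {
		return nil, nil, nil, err
	}
	result, err := kmc.HandleRequest(req)
	if err != nil {
		return nil, nil, nil, err
	}
	return kmc, vcm, stored, vcm.Inject(result)
}

func main() {
	_, vcm, stored, err := Run()
	fmt.Println("injected pair matches KMC record:", err == nil && bytes.Equal(vcm.Injected, stored))
}
```

Run returns the KMC, the vcm and the stored pair so that the injected value can be compared with the KMC's record. A result whose signature does not verify under BarPub, or whose user information is not the vcm's own, is rejected before any decryption takes place, and a request naming a certificate number the KMC does not hold is refused on the KMC side.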
Before the creation and start-up stage of the cryptographic virtual machine, the user connects a self-held cryptographic device containing a signature certificate and a signature private key to a login terminal, calls the signature private key to generate a signature, and sends the signature and the signature certificate to the cloud management platform; the cloud management platform obtains the signature public key from the signature certificate, calls that public key to verify the signature, and returns legitimate-login information to the user once verification passes.
Further, before the user connects the self-held cryptographic device containing the signature certificate and the signature private key to the login terminal, the signature certificate is issued by the following steps:
the user registers and fills in user information;
the user calls the self-held cryptographic device to generate the key pair of the signature certificate, and the public key of that key pair and the user information are sent to a third-party certificate authority CA;
and the third-party certificate authority CA generates a user certificate from the public key of the signature key pair and the user information, calls the CA's private key to sign the user certificate, thereby producing the signature certificate, and returns the signature certificate to the user for installation.
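The issuing steps just listed and the signature-based login they prepare for, as an added worked example in Go that is not part of the patent or of any implementation by the assignee (it serves the identical description in the Disclosure section as well): a constructed third-party CA issues a signature certificate over a key generated inside the user's device, the device signs a platform-chosen challenge, and the platform verifies the certificate against its configured CA and checks the key usage before it takes the signature public key out of the certificate to verify the signature. Go's standard-library crypto/x509 with ECDSA P-256, the serial numbers, the validity period and the names Device, Enrol, Platform and Login are all the example's own assumptions; the patent names no algorithms. The chain check and the key-usage check go beyond the page's text, which only says that the platform obtains the public key from the certificate and verifies the signature; without the chain check any self-issued certificate would pass, and the key-usage check is what keeps the encryption certificate from being accepted as a login credential.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template carries the common certificate fields; serial numbers and validity are constructed.
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue signs tmpl under issuerKey (parent is the issuer's own certificate) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds the third-party certificate authority as a self-signed root.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := template(1, name)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	cert, err := issue(t, t, &key.PublicKey, key)
	return cert, key, err
}

// Device is the user's self-held cryptographic device: the signing key is generated inside
// it and never exported; Cert is the signature certificate installed after issuance.
type Device struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Enrol is the issuing procedure: the device generates the signature key pair and the CA
// signs a certificate over its public key and the user information (the common name here).
func Enrol(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := template(1001, user)
	t.KeyUsage = x509.KeyUsageDigitalSignature
	cert, err := issue(t, ca, &key.PublicKey, caKey)
	return &Device{key: key, Cert: cert}, err
}

// Sign produces the login signature over a challenge chosen by the platform.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

// Platform is the cloud management platform; it trusts only the CA it was configured with.
type Platform struct{ roots *x509.CertPool }

func NewPlatform(ca *x509.Certificate) *Platform {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Platform{roots: roots}
}

// Login checks that the presented signature certificate chains to the trusted CA and
// permits signing, then takes the public key out of it to verify the signature, and
// returns the authenticated user name (the page's "legitimate-login information").
func (p *Platform) Login(certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by a trusted CA: %w", err)
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return "", fmt.Errorf("certificate %q is not a signature certificate", cert.Subject.CommonName)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", fmt.Errorf("signature verification failed for %q", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := NewCA("Example Third-Party CA")
	dev, _ := Enrol(ca, caKey, "alice")
	challenge := []byte("constructed-login-nonce-42") // a real platform picks a fresh one per login
	sig, _ := dev.Sign(challenge)
	fmt.Println(NewPlatform(ca).Login(dev.Cert.Raw, challenge, sig))
}
```

The platform never stores user keys: it holds only the CA certificate, and the user's device is the only place the signature private key exists, which is the division of roles the dual-certificate design relies on. A signature over a different challenge, or a certificate issued by a CA the platform was not configured with, is rejected even though the signature itself is mathematically valid.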
After issuing the signature certificate, the third-party certificate authority CA requests an encryption key pair from the key management center KMC, generates a user certificate from the public key of the obtained encryption key pair and the user information, and calls the CA's private key to sign that user certificate, thereby producing the encryption certificate; the encryption certificate, the encryption key pair and the corresponding user information are stored together in the LDAP key management library, so that the key management center KMC can look up and download the encryption certificate later, in the key application stage of the cryptographic virtual machine vcm.
Finally, it should be noted that the above examples are only used to illustrate the technical solutions of the present invention and not to limit the same; although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art will understand that: modifications to the specific embodiments of the invention or equivalent substitutions for parts of the technical features may be made; without departing from the spirit of the present invention, it is intended to cover all aspects of the invention as defined by the appended claims.

Claims (9)

1. A cloud platform encryption method based on KPI double certificates, characterized by comprising the following steps:
Creation and start-up of the cryptographic virtual machine
A user logs in to the cloud management platform after passing signature verification on the cloud management platform using a self-held cryptographic device that contains a signature certificate and a signature private key;
the cloud management platform receives a cryptographic virtual machine application form submitted by the user, dynamically allocates an IP address to the cryptographic virtual machine according to a controlled IP address range and its current usage, and randomly generates a login password for the cryptographic virtual machine; it combines the application form, the IP address of the cryptographic virtual machine and the login password into a cryptographic virtual machine configuration file, applies for resource generation according to that configuration file, starts the cryptographic virtual machine, and lets the user log in;
Key application for the cryptographic virtual machine
The user logs in to the cryptographic virtual machine, which generates an encryption key use application form and forwards it through the cloud management platform to a key management center;
the key management center receives the encryption key use application form, obtains an encryption key pair, and returns the encryption key pair to the user through the cloud management platform;
Key injection for the cryptographic virtual machine
The user logs in to the cryptographic virtual machine and sends the encryption key pair to it;
and the cryptographic virtual machine executes a key injection program to inject the encryption key pair into itself.
2. The KPI dual certificate-based cloud platform cryptographic method according to claim 1, wherein: the cryptographic virtual machine application form comprises user information and the requirements for algorithm key strength, cryptographic resources, general CPU resources, memory resources and hard disk resources.
3. The KPI dual certificate-based cloud platform cryptographic method according to claim 2, characterized in that: after receiving the cryptographic virtual machine application form submitted by the user, the cloud management platform verifies the user's authority according to the user information, and only after that verification passes does it apply for resource generation and start the cryptographic virtual machine according to the cryptographic virtual machine configuration file.
4. The KPI dual certificate-based cloud platform cryptographic method according to claim 1, wherein the specific steps by which a user, using a self-held cryptographic device containing a signature certificate and a signature private key, passes signature verification on the cloud management platform and logs in are as follows: the user connects the self-held cryptographic device containing the signature certificate and the signature private key to a login terminal, calls the signature private key to generate a signature, and sends the signature and the signature certificate to the cloud management platform; the cloud management platform obtains the signature public key from the signature certificate, calls the signature public key to verify the signature, and returns legal login information to the user after the signature verification passes.
5. The method according to claim 4, wherein before the user connects the self-held cryptographic device containing the signature certificate and the signature private key to the login terminal, the method further comprises a signature certificate issuing step:
the user registers and fills in user information;
the user calls the self-held cryptographic device to generate the key pair of the signature certificate, and sends the public key of the signature certificate together with the user information to a third party certificate authentication center CA;
and the third party certificate authentication center CA generates a user certificate from the public key of the signature certificate and the user information, calls its own private key to sign the user certificate to produce the signature certificate, and returns the signature certificate to the user for installation.
6. The KPI dual certificate-based cloud platform cryptographic method according to claim 5, wherein after issuing the signature certificate, the third party certificate authentication center CA requests an encryption key pair from the key management center, generates a user certificate from the public key of the obtained encryption key pair and the user information, calls its own private key to sign the user certificate, and produces an encryption certificate; the encryption certificate is stored bound to the encryption key pair in an LDAP key management library, and the certificate number of the encryption certificate is returned to the user.
7. The KPI dual certificate-based cloud platform cryptographic method according to claim 6, wherein: in the key application stage of the cryptographic virtual machine, after the user logs in, the cryptographic virtual machine generates a temporary key pair, calls the public key of the key management center to encrypt the user information together with the public key of the temporary key pair, and splices the resulting ciphertext with the user information to form the encryption key use application form, wherein the user information comprises the certificate number of the encryption certificate.
8. The method according to claim 7, wherein the key management center obtaining an encryption key pair after receiving the encryption key use application form, and returning the encryption key pair to the user through the cloud management platform, specifically comprises:
after receiving the encryption key use application form, the key management center calls its own private key to decrypt the form and obtains the user information and the public key of the temporary key pair; it searches the LDAP key management library for the encryption certificate and encryption key pair stored for the user according to the certificate number of the encryption certificate in the user information, calls the public key of the temporary key pair to encrypt the encryption key pair, calls its own private key to encrypt the user information together with the ciphertext of the encryption key pair, splices the result with the user information into a key application result, and returns the key application result to the cloud management platform, which sends it to the user.
9. The KPI dual certificate-based cloud platform cryptographic method according to claim 8, wherein: in the key injection stage of the cryptographic virtual machine, after receiving the key application result the cryptographic virtual machine calls the public key of the key management center to decrypt it and obtains the user information and the ciphertext of the encryption key pair, calls the private key of the temporary key pair to decrypt that ciphertext and obtains the encryption key pair, and executes the key injection program to inject the encryption key pair into the cryptographic virtual machine.
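The key application, key application result and key injection exchange of claims 7 to 9, as an added example that is not the patent's own code, written in Python with the `cryptography` library. The RSA-OAEP envelopes, the RSA-PSS signature that stands in for "encrypt with the key management center's private key" (and its verification for "decrypt with the public key"), the 4096-bit KMC key, the 2048-bit temporary key, the length-prefixed splice of user information and public key, and all names are assumptions; the LDAP key management library is modelled as a dictionary keyed by certificate number.

```python
# Added example (not the patent's own code): the claim 7 to 9 exchange between the
# cryptographic virtual machine (VM) and the key management center (KMC), modelled with
# RSA-OAEP envelopes; an RSA-PSS signature stands in for "encrypt with the KMC private key".
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None)
PSS = padding.PSS(padding.MGF1(hashes.SHA256()), padding.PSS.MAX_LENGTH)
DER, SPKI = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo


def new_kmc_key():
    """Constructed KMC key pair; 4096 bits so user info plus a 2048-bit SPKI fit one OAEP block."""
    return rsa.generate_private_key(65537, 4096)


def vm_apply(kmc_pub, user_info: bytes):
    """Claim 7, inside the VM: a fresh temporary key pair and the encryption key use application form.

    The form is the plaintext user info (carrying the encryption certificate number) spliced
    with E_KMC(len || user info || temporary public key). Returns (temporary key, form).
    """
    tmp = rsa.generate_private_key(65537, 2048)
    inner = bytes([len(user_info)]) + user_info + tmp.public_key().public_bytes(DER, SPKI)
    return tmp, (user_info, kmc_pub.encrypt(inner, OAEP))


def kmc_respond(kmc_priv, ldap_store: dict, form):
    """Claim 8, at the KMC. ldap_store maps user info (certificate number) to the stored
    DER-encoded encryption key pair. Returns the key application result."""
    user_info, ciphertext = form
    inner = kmc_priv.decrypt(ciphertext, OAEP)
    n = inner[0]
    # The protected inner copy of the user info must equal the plaintext outer copy, otherwise
    # one user's outer identity could be spliced onto another user's envelope.
    if inner[1:1 + n] != user_info:
        raise ValueError("user info mismatch between form header and envelope")
    tmp_pub = serialization.load_der_public_key(inner[1 + n:])
    enc_pair = ldap_store[user_info]            # KeyError for an unknown certificate number
    # RSA-OAEP under a 2048-bit key carries at most 190 bytes; a full-size key pair needs a hybrid envelope.
    wrapped = tmp_pub.encrypt(enc_pair, OAEP)   # only the temporary private key can open this
    sig = kmc_priv.sign(user_info + wrapped, PSS, hashes.SHA256())
    return user_info, wrapped, sig


def vm_inject(kmc_pub, tmp, result) -> bytes:
    """Claim 9, inside the VM: check the KMC signature first, then unwrap the key pair."""
    user_info, wrapped, sig = result
    kmc_pub.verify(sig, user_info + wrapped, PSS, hashes.SHA256())   # raises InvalidSignature
    return tmp.decrypt(wrapped, OAEP)           # handed on to the key injection program
```

The inner/outer user-info comparison in `kmc_respond` and the verify-before-decrypt order in `vm_inject` are the two checks that keep a relayed form or a tampered result from reaching the key injection program.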
CN202011578370.5A 2020-12-28 2020-12-28 KPI (Key performance indicator) double-certificate-based cloud platform encryption method Active CN112636927B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011578370.5A CN112636927B (en) 2020-12-28 2020-12-28 KPI (Key performance indicator) double-certificate-based cloud platform encryption method

Publications (2)

Publication Number Publication Date
CN112636927A CN112636927A (en) 2021-04-09
CN112636927B true CN112636927B (en) 2022-08-16

Family

ID=75326069

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant