CN113452522B - Hardware security module software implementation method based on state password, storage medium and device - Google Patents

Hardware security module software implementation method based on state password, storage medium and device Download PDF

Info

Publication number
CN113452522B
CN113452522B CN202110721356.4A CN202110721356A CN113452522B CN 113452522 B CN113452522 B CN 113452522B CN 202110721356 A CN202110721356 A CN 202110721356A CN 113452522 B CN113452522 B CN 113452522B
Authority
CN
China
Prior art keywords
key
type
module
algorithm
signature
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110721356.4A
Other languages
Chinese (zh)
Other versions
CN113452522A (en
Inventor
黄步添
刘成永
罗春凤
苑振霞
方航
王建冲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Yunxiang Network Technology Co Ltd
Original Assignee
Hangzhou Yunxiang Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Yunxiang Network Technology Co Ltd filed Critical Hangzhou Yunxiang Network Technology Co Ltd
Priority to CN202110721356.4A priority Critical patent/CN113452522B/en
Publication of CN113452522A publication Critical patent/CN113452522A/en
Application granted granted Critical
Publication of CN113452522B publication Critical patent/CN113452522B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry

Abstract

The invention discloses a hardware security module software implementation method, a storage medium and a device based on a state password, wherein the method comprises the following steps: the abstract object module abstracts the cryptographic type in OpenSSL in the OpenSSL module; acquiring an abstracted state cipher type result, and adding a key generation mechanism, a signature verification mechanism, an encryption and decryption mechanism and a hash mechanism to the security data management module; meanwhile, a key type is newly added in a security object storage module, and keys used by all mechanisms in the security data management module are marked according to the result of the abstracted state key type; all mechanisms of the security data management module are sent to a session management module, and the session management module increases the types of the mechanisms and the access paths of objects; and unifying external PKCS #11 interfaces according to the access path, calling a cryptographic algorithm in a bottom-layer open type secure socket layer protocol, and managing a cryptographic key. The invention realizes that the hardware security module supports the national encryption algorithm through software, and simultaneously improves the security of the output password.

Description

Hardware security module software implementation method, storage medium and device based on state password
Technical Field
The invention belongs to the technical field of hardware cryptographic technology, and particularly relates to a hardware security module software implementation method, a storage medium and a device based on the cryptographic technology.
Background
Currently, hardware encryption devices typically use interfaces of the PKCS family of cryptographic standards for the transmission of passwords, the PKCS comprising a set of cryptographic standards that provide guidelines for using cryptographic methods and Application Programming Interfaces (APIs). PKCS #11 is one of the cryptographic token interface standards that makes a set of APIs called Cryptoki. Using this API, an application can address the cryptographic devices as tokens and can perform the cryptographic functions implemented by these tokens. However, PKCS #11 is an international standard, and the interface specification design does not support the cryptographic algorithm at the beginning.
The hardware security module HSM generally needs to be connected with software to provide more secure and efficient hardware encryption security for software services, so that application development of the SoftHSM is available, and the SoftHSM implements an encrypted storage access interface defined by PKCS # 11. Secure storage of passwords can be achieved using SoftHSM without a hardware Security module, which is now developed as part of the opendnssec (open Domain Name System Security extensions) project.
In the current technical application field, the whole SoftHSM architecture comprises an OpenSSL (open secure socket layer protocol), an abstract object module, a secure object storage module, a secure data management module, a session management module, a slot management module, a user management module, a public key cryptography standard module, an initialization and configuration module, and an auditing module.
OpenSSL, although supporting the national commercial cipher SM2/SM3/SM4, does not provide an interface supporting SM2/SM3/SM4 like an elliptic curve algorithm interface, i.e. there is no public header file, but indirectly completes the national cryptographic algorithm by using a higher level function library (e.g. function library EVP, function encapsulating all algorithms inside the OpenSSL encryption library) interface.
As a password standard which is valued and popularized by the country, a national commercial password (abbreviated as a national password algorithm) is taken as a password standard, in practical application scenarios, more and more secure password environments in the Chinese market tend to adopt the password, but the national password algorithm does not form a wide technical ground to meet the national password encryption requirements of different application scenarios, and hardware encryption and software encryption are technical schemes which need to be realized on the ground.
Therefore, a hardware security module software implementation method, a storage medium and a device based on the national password are needed to support the software implementation of the hardware encryption of the national password, and meet the requirement of higher security encryption application.
Disclosure of Invention
Based on the background and the problems existing in the prior art, the invention designs a hardware security module software implementation method, a storage medium and a device based on the national cryptographic algorithm, so that PKCS #11 can support the national cryptographic algorithm. The invention also aims to realize that the hardware security module supports the national encryption algorithm through software, thereby improving the security of the output password.
To achieve these objects and other advantages and in accordance with the purpose of the invention, as embodied and broadly described herein, there is provided a hardware security module software implementation method based on a national password, comprising:
in response to a new state password type in an open secure socket layer protocol module (OpenSSL module), an abstract object module abstracts the state password type in an open secure socket layer protocol (OpenSSL protocol) in the open secure socket layer protocol module;
acquiring an abstracted state cipher type result, and adding a key generation mechanism, a signature verification mechanism, an encryption and decryption mechanism and a hash mechanism to the security data management module; at the same time, the user can select the desired position,
newly adding a key type in a secure object storage module, marking keys used by each mechanism in the secure data management module according to the result of the abstracted national key type, wherein the marks are a symmetric encryption algorithm or an asymmetric encryption algorithm;
sending all mechanisms of the security data management module to a session management module, wherein the session management module increases the types of the mechanisms and the access paths of objects;
and unifying PKCS #11 interfaces of external public key cryptography standard terminals according to the access path, calling a cryptographic algorithm in a bottom-layer open secure socket layer protocol, and managing a secret key.
Further, abstracting the newly added cryptographic type, including abstracting an asymmetric encryption algorithm SM2, a hash algorithm SM3, and a symmetric encryption algorithm SM4 as an open secure socket layer protocol type:
the asymmetric encryption algorithm SM2 is abstracted to an OSSLSM2 type in an open secure socket layer protocol type, two virtual functions are introduced, the virtual functions comprise a ciphertext length function (getCiphertext Len function) and a plaintext length function (getPlaintextLen function) to obtain the estimated length of a return value space when a public key is encrypted and a private key is decrypted, the secure object storage module stores an OSSLSM2 type object and a generation mechanism thereof, and an SM2 public and private key is obtained according to a handle key;
the hash algorithm SM3 is abstracted to OSSLSM3 type in open secure socket layer protocol type, and the secure object storage module stores the OSSLSM3 type object and its hash mechanism;
the symmetric encryption algorithm SM4 is abstracted to OSSLSM4 type in open secure socket layer protocol type, and the secure object storage module stores the OSSLSM4 type object and its symmetric key.
In an alternative embodiment, the key generation mechanism, including generation of a key pair of the secret SM2, mainly a private key of the key pair, includes:
acquiring an asymmetric key structure (eckey structure), an asymmetric cryptographic algorithm group and a target identifier OID of SM 2;
configuring an asymmetric cryptographic algorithm group based on the asymmetric key structure, generating an asymmetric key pair (eckey), and marking the OID format of SM 2;
and acquiring an asymmetric cryptographic algorithm group, a public key and a private key from the asymmetric key pair based on the operation.
In an optional implementation manner, the signature verification mechanism includes an algorithm that uses a cryptographic SM2 algorithm in combination with a cryptographic SM3 algorithm, where the specific implementation steps of the signature operation include:
acquiring a digital envelope key structure (evpkey structure);
binding a digital envelope key (evpkey) to a particular asymmetric key pair based on the digital envelope key structure;
assigning a usage secret SM2 algorithm alias type for the asymmetric key pair;
acquiring a calculation execution process (context) structure of the digital envelope key;
setting a unique user identity (UserID) in a secret SM2 algorithm;
binding the digital envelope key calculation execution process, wherein the execution process binds the user identity for signature initialization preparation;
and transmitting the data text to be signed, and using the SM3 algorithm to calculate the hash value to finish the signature.
In the above scheme, the method further comprises a signature verification operation, and the specific implementation steps of the signature verification operation comprise:
acquiring a signature checking request, carrying out signature checking initialization, and appointing to use SM3 to calculate a hash value;
and (4) transmitting the data original text to be checked and signed, and checking the data original text to be checked and signed by using the SM3 algorithm.
In the above scheme, executing the operation hash value of the SM3 cryptographic algorithm, and implementing the operation of the SM3 cryptographic algorithm on the abstract object module through the standard end of the public key cryptography, the specific implementation steps include:
responding to the signature hash digest information transmitted by the interface of the public key password standard terminal;
acquiring parameters stored in an integer type stage of the abstract object module, and transmitting the parameters to an open secure socket layer protocol module;
and the open secure socket layer protocol module performs hash signature operation on the OSSLSM3 type, and returns a hash result after executing the signature operation.
In an optional implementation manner, an interface of a public key cryptography standard end supports a key import/export operation, and an util tool supports an import/export operation of a secret SM2 key pair, where the import operation is implemented by the following steps:
converting the key pair into a public key cryptography standard PKCS #8 format, acquiring a target identifier OID of the key, and storing the public key cryptography standard PKCS #8 format to the local in a file form;
and judging the type of the national cryptographic algorithm according to the OID, and storing a private key of the national cryptographic algorithm in a security object storage module.
In the foregoing solution, the specific implementation step of the derivation operation includes:
the ID of the key to be derived is transmitted in;
exporting and decrypting the key to be exported by adopting a PKCS #11 interface of a public key cryptography standard through a built-in AES key;
and writing the decryption result into a local file.
In another aspect, the invention proposes a computer-readable storage medium storing a computer program which, when executed by a processor, implements the method and steps of any of the above.
In a third aspect, the present invention provides a hardware security module device based on a national password, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor can implement any one of the above methods and steps when executing the computer program.
The invention at least comprises the following beneficial effects: the invention is based on a hardware security module, executes the implementation of national secret software, and mainly carries out the reconstruction of an OpenSSL (open secure socket layer protocol) module, an abstract object module, a secure object storage module, a security data management module, a session management module and a PKCS (public key cryptography standard end) module (including the use of PKCS #11 and PKCS #8 type interfaces) in the hardware security module, wherein the PKCS #11 standard interface plays a role in communicating the hardware security module, OpenSSL and an encryption machine, so that the PKCS #11 supports the national secret algorithm, the function expansion of the PKSSL can be further realized, the support of the OpenSSL on the national secret algorithm is increased, and finally the more secure national secret algorithm is output by relying on the hardware encryption module, and the function of the national secret algorithm is output through the PKCS #11 standard interface, so that the invention is suitable for more commercial application scenes.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required to be used in the description of the embodiments are briefly introduced below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings may be obtained according to the drawings without any creative effort, and it is obvious that the concrete implementation flows in the drawings are further specific embodiments of the present invention and fall into the protection scope of the present invention.
FIG. 1 is a general SoftHSM architecture basic schematic diagram for use in the present invention;
FIG. 2 is a flowchart of the general implementation of the hardware security module software based on the cryptographic key according to the present invention.
Detailed Description
In order to clearly illustrate the present invention and make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, so that those skilled in the art can implement the technical solutions in reference to the description text. The technology of the present invention will be described in detail with reference to the accompanying drawings.
The noun explains:
PKCS: the Public-Key Cryptography Standards.
OpenSSL: opensecure Sockets Layer, an Open Secure socket Layer protocol, in a computer network, OpenSSL is a software library packet of Open source codes, and an application program can use this packet to perform Secure communication, thereby avoiding eavesdropping and confirming the identity of a connector at the other end. This package is widely used on web servers on the internet.
SoftHSM: soft HardWare SecurityModule, a HardWare security module implemented by software. According to the invention, the SoftHSM supports the cryptographic key, and OpenSSL of the operating environment is firstly upgraded to be more than 1.1.1 version.
OID: order Initiated Distribution, target identifier.
Specific example 1:
fig. 1 shows an implementation form of the present invention, which shows a general SoftHSM overall architecture diagram, and the present invention performs software implementation improvement on a hardware security module based on the hardware security module, and executes a cryptographic software implementation, as shown in fig. 2, the specific implementation steps include:
step 1: in response to the new state cipher types (OSSLSM2, OSSLSM3 and OSSLSM4) in the open secure socket layer protocol module (OpenSSL module), the abstract object module abstracts the state cipher types in the open secure socket layer protocol (OpenSSL protocol) in the open secure socket layer protocol module; abstracting the newly added cryptographic type, wherein the abstracting of an asymmetric encryption algorithm SM2, a hash algorithm SM3 and a symmetric encryption algorithm SM4 is an open secure socket layer protocol type:
(1) the asymmetric encryption algorithm SM2 is abstracted to an OSSLSM2 type of an OpenSSL protocol type, two virtual functions are introduced, the virtual functions comprise a getCiphertextLen function and a getLabentLen function, the estimated length of a return value space when a public key is encrypted and a private key is decrypted is obtained, the secure object storage module stores an OSSLSM2 type object and a generation mechanism thereof, and an SM2 public and private key is obtained according to a key handle;
(2) the hash algorithm SM3 is abstracted to an OSSLSM3 type of OpenSSL protocol type, and the secure object storage module stores the OSSLSM3 type object and a hash mechanism thereof;
(3) the symmetric encryption algorithm SM4 is abstracted to an OSSLSM4 type of OpenSSL protocol type, and the secure object storage module stores the OSSLSM4 type object and its symmetric key.
Step 2: acquiring an abstracted state cipher type result, and adding a key generation mechanism to the security data management module: the KEY generation mechanism instruction, signature verification mechanism, respectively execute SM2 and SM4 algorithm, when executed, are identified by commands such as CKM _ SM2_ KEY _ PAIR _ GEN, CKM _ SM4_ KEY _ GEN, respectively: the signature verification mechanism, encryption decryption mechanism, of the SM3 algorithm SM2 is executed by a command identification such as CKM _ SM3_ SM 2: the symmetric encryption mechanism and the asymmetric encryption mechanism and the hash mechanism of the SM4 and SM2 algorithms are respectively executed by command identifications such as CKM _ SM4_ CBC and CKM _ SM2_ RAW when executed: identifying, by a command such as CKM _ SM3, an execute SM3 hash computation mechanism when executed;
wherein the content of the first and second substances,
s21: the key generation mechanism comprises the generation of a key pair (sometimes mainly a private key) of the secret SM2, and the specific implementation steps comprise:
s211: acquiring an asymmetric key structure (eckey structure), wherein the asymmetric cipher adopts an elliptic curve ECC algorithm group and a target identifier OID of SM2 (for example, the OID is 1, 2, 156, 10197, 1, 301);
s212: configuring an asymmetric cryptographic algorithm group based on an eckey structure, generating an asymmetric key pair (eckey), and marking the OID format of the SM 2;
s213: and acquiring an asymmetric cryptographic algorithm group, a public key and a private key from the eckey based on the operation.
Wherein the content of the first and second substances,
s22: the signature and signature checking mechanism comprises the operation of adopting a national secret SM2 algorithm and combining the national secret SM3 algorithm,
s221: the specific implementation steps of the signature operation include:
s2211: acquiring a digital envelope key structure (evpkey structure);
s2212: binding a digital envelope key (evpkey) to a specific eckey based on the evpkey structure;
s2213: assigning the eckey with an alias type using a secret SM2 algorithm;
s2214: acquiring the evpkey calculation execution process (context) structure;
s2215: setting a unique user identity (UserID, generally a default of 1234567812345678) in a SM2 algorithm;
s2216: binding the evpkey calculation execution process, wherein the execution process binds the user identity for signature initialization preparation;
s2217: and transmitting the data text to be signed, and using the SM3 algorithm to calculate the hash value to finish the signature.
S222: the method further comprises a signature verification operation, and the specific implementation steps of the signature verification operation comprise:
s2221: acquiring a signature checking request, carrying out signature checking initialization, and appointing to use SM3 to calculate a hash value;
s2222: and (4) transmitting the data original text to be checked and signed, and checking the data original text to be checked and signed by using the SM3 algorithm.
Wherein, the first and the second end of the pipe are connected with each other,
s23: executing the SM3 algorithm operation hash value, and implementing the operation of the SM3 algorithm of the abstract object module through a public key password standard end, wherein the concrete implementation steps comprise:
s231: responding to the signature hash digest information transmitted by the interface of the public key password standard terminal;
s232: acquiring parameters stored in an integer type stage of the abstract object module, and transmitting the parameters to an open secure socket layer protocol module;
s233: the OpenSSL protocol module carries out hash signature operation on the OSSLSM3 type, and returns a hash result after executing signature operation.
Step 3: meanwhile, newly adding key types, such as a CKK _ SM2 type and a CKK _ SM4 type, in the security object storage module, marking the key types as asymmetric encryption algorithms or symmetric encryption algorithms, such as SM2 or SM4, according to the result mark of the abstracted state cipher type, wherein keys used by all mechanisms in the security data management module;
step 4: sending all mechanisms of the security data management module to a session management module, wherein the session management module increases the types of the mechanisms and the access paths of objects;
step 5: and unifying PKCS #11 interfaces of external public key cryptography standard terminals according to the access path, calling a cryptographic algorithm in a bottom-layer OpenSSL protocol, and managing keys. Wherein, the interface of the public key cryptography standard end supports the operation of importing and exporting the secret key, the use of the util tool supports the operation of importing and exporting the secret key pair of the SM2,
s51: the specific implementation steps of the import operation comprise:
s511: converting the key pair into a PKCS #8 format of a public key cryptography standard, acquiring the OID of the key, and storing the PKCS #8 format of the public key cryptography standard to the local in a file form;
s512: and judging the type of the cryptographic algorithm, such as the SM2 algorithm type, according to the OID, and storing the private key of the cryptographic algorithm in a security object storage module.
S52: the specific implementation steps of the derivation operation include:
s521: an ID of a key to be derived is transmitted;
s522: exporting and decrypting the key to be exported by adopting a PKCS #11 interface of a public key cryptography standard through a built-in AES key;
s523: and writing the decryption result into a local file.
Example 2:
a computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method steps of any of the above. For the storage medium embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for the relevant points, refer to the partial description of the method embodiment.
The number of modules and the processing scale described herein are intended to simplify the description of the invention. Applications, modifications and variations of the software implementation method of the hardware security module based on the cryptographic key of the present invention will be apparent to those skilled in the art.
Example 3:
a hardware security module arrangement based on a national secret, comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing any of the method steps described above when executing the computer program. For the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The embodiments described above are presented to enable a person having ordinary skill in the art to make and use the invention. It will be readily apparent to those skilled in the art that various modifications to the above-described embodiments may be made, and the generic principles defined herein may be applied to other embodiments without the use of inventive faculty. Therefore, the present invention is not limited to the above embodiments, and those skilled in the art should make improvements and modifications to the present invention based on the disclosure of the present invention within the protection scope of the present invention.

Claims (10)

1. A hardware security module software implementation method based on a state password is characterized by comprising the following concrete implementation steps:
responding to a new state secret type in an open secure socket layer protocol module, and abstracting the state secret type in an open secure socket layer protocol in the open secure socket layer protocol module by an abstract object module;
acquiring an abstracted state cipher type result, and adding a key generation mechanism, a signature verification mechanism, an encryption and decryption mechanism and a hash mechanism to the security data management module; at the same time, the user can select the desired position,
newly adding a key type in a security object storage module, and marking keys used by each mechanism in the security data management module according to the result of the abstracted state key type;
all mechanisms of the security data management module are sent to a session management module, and the session management module increases the types of the mechanisms and the access paths of objects;
and unifying PKCS #11 interfaces of external public key cryptography standard ends according to the access path, calling a cryptographic algorithm in a bottom-layer open secure socket layer protocol, and managing a secret key.
2. The method for implementing hardware security module software based on national password of claim 1, wherein abstracting the new national password type comprises abstracting an asymmetric encryption algorithm SM2, a hash algorithm SM3 and a symmetric encryption algorithm SM4 into an open secure socket layer protocol type:
the SM2 is abstracted to an OSSLSM2 type in an open secure socket layer protocol type, two virtual functions are introduced, the virtual functions comprise a ciphertext length obtaining function and a plaintext length obtaining function, the estimated length of a return value space during public key encryption and private key decryption is obtained, the OSSLSM2 type object and a generating mechanism thereof are stored by the secure object storage module, and an SM2 public and private key is obtained according to a key handle;
the hash algorithm SM3 is abstracted to OSSLSM3 type in open secure socket layer protocol type, and the secure object storage module stores the OSSLSM3 type object and its hash mechanism;
the symmetric encryption algorithm SM4 is abstracted to OSSLSM4 type in open secure socket layer protocol type, and the secure object storage module stores the OSSLSM4 type object and its symmetric key.
3. The method for realizing the hardware security module software based on the national password of claim 1, wherein the key generation mechanism comprises generation of a national password SM2 key pair, and the specific implementation steps comprise:
acquiring an asymmetric key structure, an asymmetric cryptographic algorithm group and a target identifier OID of SM 2;
configuring an asymmetric cryptographic algorithm group based on an asymmetric key structure to generate an asymmetric key pair, and marking the OID format of SM 2;
and acquiring an asymmetric cryptographic algorithm group, a public key and a private key from the asymmetric key pair based on the operation.
4. The method for implementing hardware security module software based on national password of claim 1, wherein the signature verification mechanism comprises adopting the national password SM2 algorithm in combination with the national password SM3 algorithm, and the specific implementation steps of the signature operation comprise:
acquiring a digital envelope key structure;
binding a digital envelope key into a specific asymmetric key pair based on the digital envelope key structure;
assigning a usage secret SM2 algorithm alias type for the asymmetric key pair;
acquiring a digital envelope key calculation execution process structure;
setting a unique user identity in a SM2 cryptographic algorithm;
binding the digital envelope key to calculate an execution process, wherein the execution process binds the user identity to carry out signature initialization preparation;
and transmitting the data text to be signed, and using the SM3 algorithm to calculate the hash value to finish the signature.
5. The hardware security module software implementation method based on the national password of claim 4, further comprising a signature verification operation, wherein the specific implementation steps of the signature verification operation include:
acquiring a signature checking request, carrying out signature checking initialization, and appointing to use SM3 to calculate a hash value;
and (4) transmitting the data original text to be checked and signed, and checking the data original text to be checked and signed by using the SM3 algorithm.
6. The method for realizing the hardware security module software based on the national password of claim 4 or 5, wherein the operation of the hash value by executing the SM3 algorithm operation on the national password SM3 algorithm of the abstract object module is implemented by a public key cryptography standard terminal, and the concrete implementation steps comprise:
responding to the signature hash digest information transmitted by the interface of the public key cryptography standard terminal;
acquiring parameters stored in an integer type stage of the abstract object module, and transmitting the parameters to an open secure socket layer protocol module;
and the open secure socket layer protocol module performs hash signature operation on the OSSLSM3 type, and returns a hash result after executing the signature operation.
7. The method for realizing the hardware security module software based on the national password of claim 1, wherein an interface of a public key cryptography standard end supports a key import and export operation, an util tool is adopted to support the import and export operation of the national password SM2 key pair, and the specific implementation steps of the import operation include:
converting the key pair into a PKCS #8 format of a public key cryptography standard, acquiring the OID of the key, and storing the PKCS #8 format of the public key cryptography standard to the local in a file form;
and judging the type of the national cryptographic algorithm according to the OID, and storing a private key of the national cryptographic algorithm in a security object storage module.
8. The hardware security module software implementation method based on the cryptographic key of claim 7, wherein the specific implementation steps of the derivation operation include:
the ID of the key to be derived is transmitted in;
exporting and decrypting the key to be exported by adopting a PKCS #11 interface of a public key cryptography standard through a built-in AES key;
and writing the decryption result into a local file.
9. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method steps of any one of claims 1 to 8.
10. A cryptographic hardware security module arrangement comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the method steps of any of claims 1 to 8 when executing the computer program.
CN202110721356.4A 2021-06-28 2021-06-28 Hardware security module software implementation method based on state password, storage medium and device Active CN113452522B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110721356.4A CN113452522B (en) 2021-06-28 2021-06-28 Hardware security module software implementation method based on state password, storage medium and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110721356.4A CN113452522B (en) 2021-06-28 2021-06-28 Hardware security module software implementation method based on state password, storage medium and device

Publications (2)

Publication Number Publication Date
CN113452522A CN113452522A (en) 2021-09-28
CN113452522B true CN113452522B (en) 2022-09-13

Family

ID=77813538

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110721356.4A Active CN113452522B (en) 2021-06-28 2021-06-28 Hardware security module software implementation method based on state password, storage medium and device

Country Status (1)

Country Link
CN (1) CN113452522B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114661524B (en) * 2022-03-21 2023-06-02 重庆市规划和自然资源信息中心 Method for realizing real estate registration data backup technology based on log analysis
CN114996724B (en) * 2022-04-25 2024-05-03 麒麟软件有限公司 Safe operating system based on cryptographic algorithm module

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104394179A (en) * 2014-12-18 2015-03-04 山东中创软件工程股份有限公司 Secure socket layer protocol extension method supporting domestic cipher algorithm
CN106921638A (en) * 2015-12-28 2017-07-04 航天信息股份有限公司 A kind of safety device based on asymmetric encryption
CN110505050A (en) * 2019-08-27 2019-11-26 北京电子科技学院 A kind of Android information encryption system and method based on national secret algorithm
CN111259364A (en) * 2020-01-09 2020-06-09 奇安信科技集团股份有限公司 Method, device, equipment and storage medium for using national secret encryption card
CN111865995A (en) * 2020-07-24 2020-10-30 芯河半导体科技(无锡)有限公司 Communication mode using hardware cryptographic algorithm in TR069
CN112398826A (en) * 2020-11-03 2021-02-23 北京天融信网络安全技术有限公司 Data processing method and device based on state password, storage medium and electronic equipment
CN112653672A (en) * 2020-12-11 2021-04-13 苏州浪潮智能科技有限公司 Two-way authentication method, device, equipment and readable medium based on cryptographic algorithm

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104394179A (en) * 2014-12-18 2015-03-04 山东中创软件工程股份有限公司 Secure socket layer protocol extension method supporting domestic cipher algorithm
CN106921638A (en) * 2015-12-28 2017-07-04 航天信息股份有限公司 A kind of safety device based on asymmetric encryption
CN110505050A (en) * 2019-08-27 2019-11-26 北京电子科技学院 A kind of Android information encryption system and method based on national secret algorithm
CN111259364A (en) * 2020-01-09 2020-06-09 奇安信科技集团股份有限公司 Method, device, equipment and storage medium for using national secret encryption card
CN111865995A (en) * 2020-07-24 2020-10-30 芯河半导体科技(无锡)有限公司 Communication mode using hardware cryptographic algorithm in TR069
CN112398826A (en) * 2020-11-03 2021-02-23 北京天融信网络安全技术有限公司 Data processing method and device based on state password, storage medium and electronic equipment
CN112653672A (en) * 2020-12-11 2021-04-13 苏州浪潮智能科技有限公司 Two-way authentication method, device, equipment and readable medium based on cryptographic algorithm

Also Published As

Publication number Publication date
CN113452522A (en) 2021-09-28

Similar Documents

Publication Publication Date Title
JP7119040B2 (en) Data transmission method, device and system
CA2772136C (en) System and method for providing credentials
CN102111265B (en) Method for encrypting secure chip of power system acquisition terminal
WO2019184924A1 (en) Identity management method, equipment, communication network, and storage medium
CN104170312B (en) For using the method and apparatus that hardware security engine is securely communicated by network
US7979707B2 (en) Secure seed generation protocol
CN113452522B (en) Hardware security module software implementation method based on state password, storage medium and device
CN109478214B (en) Apparatus and method for certificate registration
WO2011120421A1 (en) Method for implementing encryption engine
WO2009115017A1 (en) Network certifying service system and method
US20240121108A1 (en) Combined Digital Signature Algorithms for Security Against Quantum Computers
JP2010514000A (en) Method for securely storing program state data in an electronic device
Yang et al. DAA-TZ: an efficient DAA scheme for mobile devices using ARM TrustZone
CN115801223A (en) CA certificate-based identification key system and PKI system compatible method
CN114629646A (en) Safe transmission method and system based on mixed quantum key encapsulation and negotiation
CN116132043B (en) Session key negotiation method, device and equipment
US20130283363A1 (en) Secure data transfer over an arbitrary public or private transport
CN111859314A (en) SM2 encryption method, system, terminal and storage medium based on encryption software
CN114710289B (en) Internet of things terminal security registration and access method and system
KR20040013966A (en) Authentication and key agreement scheme for mobile network
CN115499118A (en) Message key generation method, message key generation device, file encryption method, message key decryption method, file encryption device, file decryption device and medium
CN113382398B (en) Server, bluetooth headset terminal and Bluetooth headset firmware updating processing system
KR20010092521A (en) Advanced apparatus for securing user's information and method thereof in mobile communication system over plural connecting with internet
CN115694997B (en) Intelligent gateway system of Internet of things
KR101007359B1 (en) Security platform mounted on smart card

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant