CN113656229A - Method and device for detecting computer system password module and storage medium - Google Patents

Method and device for detecting computer system password module and storage medium Download PDF

Info

Publication number
CN113656229A
CN113656229A CN202110944118.XA CN202110944118A CN113656229A CN 113656229 A CN113656229 A CN 113656229A CN 202110944118 A CN202110944118 A CN 202110944118A CN 113656229 A CN113656229 A CN 113656229A
Authority
CN
China
Prior art keywords
module
password module
operating system
password
cryptographic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110944118.XA
Other languages
Chinese (zh)
Other versions
CN113656229B (en
Inventor
马瑶瑶
张大健
彭大千
崔颖超
石宗育
姚乾
夏立宁
赵红
骆炜
纪崇廉
曹中全
李华英
王晓影
方兴园
王恩奇
孙思桐
宋鑫磊
郭哲
丁衍
许盛晨
曹博远
李军
庞帅
刘莘
王波
沈敏鑫
刘哲
王宏铭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Financial Certification Authority Co ltd
Original Assignee
China Financial Certification Authority Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Financial Certification Authority Co ltd filed Critical China Financial Certification Authority Co ltd
Priority to CN202110944118.XA priority Critical patent/CN113656229B/en
Publication of CN113656229A publication Critical patent/CN113656229A/en
Application granted granted Critical
Publication of CN113656229B publication Critical patent/CN113656229B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/22Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2205Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/22Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2205Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
    • G06F11/2236Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested to test CPU or processors
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5027Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
    • G06F9/505Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering the load
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method, a device and a storage medium for detecting a computer system password module, comprising the following steps: the following steps are performed sequentially: calling a basic hardware password module to detect the basic hardware password module according to the encryption and decryption results of the basic hardware password module on the verification file; calling an operating system password module to detect the operating system password module according to the encryption and decryption results of the operating system password module on the verification file; calling a middleware password module to detect the middleware password module according to the encryption and decryption results of the middleware password module on the verification file; and calling the application layer password module to detect the application layer password module according to the encryption and decryption results of the application layer password module on the verification file. The technical scheme of the invention effectively solves the problem that the discretely distributed password modules in the computer system can not be effectively detected. Meanwhile, the detection efficiency is effectively improved.

Description

Method and device for detecting computer system password module and storage medium
Technical Field
The present invention relates generally to the field of computer security. More particularly, the invention relates to a method and a device for detecting a cloud operating system encryption module, and a storage medium.
Background
Because the CPU of the traditional computer system is not internally provided with a password module, the main memory, the bus and the input and output equipment of the traditional computer system cannot be sufficiently encrypted and protected in the hot running process. The computer system framework is shown in fig. 1.
With the increasing severity of information security situation, China proposes a scheme of embedding a password module into a CPU (central processing unit) to perform integral encryption on a bus data set. A cryptographic module is added between the CPU bus and the input/output interface of the computer system, so that the data of the hardware device below the operating system layer is protected by the cryptographic module. A typical CPU framework with cryptographic modules is shown in fig. 2, 3, 4. FIG. 2 is a block diagram showing a single CPU architecture with a cryptographic module; FIG. 3 is a block diagram showing a master-slave dual CPU architecture with a cryptographic module; fig. 4 is a framework diagram illustrating a multi-CPU cluster architecture with cryptographic modules. The CPU with the password module is assisted by an original bus password machine, an operating system password dynamic library, a password middleware and a cloud computing password module to form a five-bit integrated password product system, and the framework of the password product system is shown in figure 5.
The five-bit integrated password product system enables the password modules to be distributed and deployed in a computer system in a discrete and distributed mode, and partially solves the problem that bottom equipment below a traditional operating system layer is lack of protection. However, such computer systems with discretely distributed cryptographic modules present challenges to testing efforts. For example, a general test method can only test the cryptographic modules of the operating system and application layers. However, when the general testing method is applied to a computer system with discretely distributed cryptographic modules, since it can only test the cryptographic modules of the operating system and the application layer, it is not able to perform a comprehensive test on a five-in-one cryptographic product system. Furthermore, the prior art also lacks a mature testing protocol.
One possible test scenario is: according to the traditional method for testing the computer system cryptographic modules, all programs in the computer system are tested, and meanwhile, each cryptographic module is called in the program running process. However, since the programs in the computer system are very numerous and complex, the amount of programs that the test solution needs to detect is too large to complete in a short time. And not all tests of the program are meaningful. That is, the efficiency of the test scheme is extremely low, and the final test result does not necessarily reflect the real problem of the computer system. Therefore, the traditional and internationally universal testing method for the complete machine and the operating system is not suitable for the computer system with the discretely distributed cryptographic modules. Meanwhile, in the prior art, the testing of the CPU crypto module and the bus crypto device (including the bus crypto machine and the bus crypto module) of the computer system with discretely distributed crypto modules can only be realized by depending on the software of the operating system, and cannot directly detect the CPU crypto module and the bus crypto device.
Disclosure of Invention
In order to solve at least the above problems, the present invention provides a method for detecting a cryptographic module of a computer system, which sequentially calls cryptographic modules of an operating system kernel, an operating system, middleware and an application layer in the computer system from a bottom layer to an upper layer, so as to realize comprehensive detection of the cryptographic modules discretely distributed in the computer system and improve detection efficiency.
In a first aspect, the present invention provides a method for detecting a cryptographic module of a computer system, comprising: the following steps are performed sequentially: calling a basic hardware password module to detect the basic hardware password module according to the encryption and decryption results of the basic hardware password module on the verification file; calling an operating system password module to detect the operating system password module according to the encryption and decryption results of the operating system password module on the verification file; calling a middleware password module to detect the middleware password module according to the encryption and decryption results of the middleware password module on the verification file; and calling the application layer password module to detect the application layer password module according to the encryption and decryption results of the application layer password module on the verification file.
In one embodiment, the basic hardware cryptographic module comprises: a kernel cryptographic module, a CPU cryptographic module and/or a bus cryptographic module.
In one embodiment, further comprising: after the application layer password module is detected, the communication password module is called in a network communication program so as to detect the communication password module according to the encryption and decryption results of the verification file by the communication password module.
In one embodiment, further comprising: and outputting the detection result of the computer system password module after responding to the detection of the application layer password module or the communication password module.
In one embodiment, further comprising: and responding to the detection of the kernel code module to finish, and starting a stress test to execute subsequent test steps under the preset CPU stress level.
In one embodiment, the initiating the stress test comprises initiating a plurality of virtual processes, wherein a load occupancy of the plurality of virtual processes is equal to the preset CPU stress level.
In one embodiment, said invoking the operating system cryptographic module to detect the operating system cryptographic module comprises: and in the compiling link program, calling an operating system password module to detect the operating system password module according to the encryption and decryption results of the operating system password module on the verification file.
In one embodiment, said invoking the operating system cryptographic module to detect the operating system cryptographic module further comprises: and calling the operating system password module at the language support layer so as to detect the operating system password module according to the encryption and decryption results of the operating system password module on the verification file.
In a second aspect, the present invention provides a detection system for a cryptographic module of a computer system, the detection system comprising: one or more processors; storage means for storing one or more programs; when executed by the one or more processors, cause the one or more processors to implement a method according to any one of the above-described first aspect and its embodiments.
In a third aspect, the invention provides a computer readable storage medium comprising computer program instructions for a method of detection of a cryptographic module of a computer system, which when executed by one or more processors, cause performance of the method according to the first aspect of the claims and any one of its embodiments.
Compared with the traditional method for detecting the cryptographic module of the computer system, the technical scheme of the invention sequentially verifies the cryptographic module of the core module in the computer system from the bottom layer to the upper layer. The core module comprises basic hardware, an operating system, middleware and an application layer. Because the basic hardware, the operating system, the middleware and the application layer relate to the core program of the computer, the problems of the cryptographic module can be directly reflected, and the coupling relation among the layers and the influence of the coupling relation on the cryptographic module can be reflected by sequentially executing the steps of the invention. It is chosen to achieve a comprehensive detection of the cryptographic modules of the entire computer system by the detection of the cryptographic modules of the core module. The problem that the discretely distributed password modules in the computer system cannot be effectively detected is effectively solved. Meanwhile, most subprograms in the computer system do not need to be verified, so that the detection efficiency is effectively improved.
Furthermore, the CPU password module and the bus password device can be called by the kernel of the operating system to detect the correctness and the validity of the CPU password module and the bus password device, so that the CPU password module and the bus password device are detected without depending on software of the operating system.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present invention will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the present invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar or corresponding parts and in which:
FIG. 1 is a block diagram illustrating a conventional computer system;
FIG. 2 is a block diagram showing the structure of a single CPU with a cryptographic module;
FIG. 3 is a block diagram showing the architecture of a dual CPU with cryptographic modules;
FIG. 4 is a block diagram showing the structural framework of a multi-CPU cluster with cryptographic modules;
FIG. 5 is a block diagram illustrating a prior art computer system with a five-in-one cryptographic product architecture;
FIG. 6 is a flow diagram illustrating a method for detection of a computer system cryptographic module, according to an embodiment of the present invention;
fig. 7 is a frame diagram illustrating a cloud cluster provided with a communication cryptographic module detection apparatus according to an embodiment of the present invention;
fig. 8 is a frame diagram illustrating another cloud cluster provided with a communication cryptographic module detection apparatus according to an embodiment of the present invention;
fig. 9 is a frame diagram illustrating another cloud cluster provided with a communication cryptographic module detection apparatus according to an embodiment of the present invention;
fig. 10 is a frame diagram illustrating another cloud cluster provided with a communication cryptographic module detection apparatus according to an embodiment of the present invention; and
FIG. 11 is a detection system illustrating a computer system cryptographic module, according to an embodiment of the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. It should be understood that the embodiments described herein are only some of the embodiments of the invention provided to facilitate a clear understanding of the concepts and legal requirements, and that not all embodiments of the invention may be practiced. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed in the present specification without inventive step, are within the scope of the present invention.
FIG. 6 is a flow chart illustrating a method of detection of a computer system cryptographic module in accordance with the present invention.
As shown in fig. 6, the method 200 for detecting a cryptographic module of a computer system calls and detects the cryptographic modules of the detected objects in sequence from bottom to top in the architecture of the computer system. The detected object comprises basic hardware, an operating system, middleware and an application layer. In one implementation scenario, invoking the cryptographic module of the detected object may include the steps of: firstly, encrypting any file in a detected object through a password module of the detected object to obtain an encrypted file; then, calling a password module of the detected object to decrypt the encrypted file to obtain a decrypted file; and finally, comparing the file before encryption with the decrypted file, and judging the correctness of the encryption algorithm and/or the decryption algorithm according to the comparison result, thereby verifying the correctness and the validity of the cryptographic module of the detected object.
In another implementation scenario, the aforementioned invoking the cryptographic module of the detected object may further include the following steps: firstly, encrypting any file in a detected object through a password module of the detected object to obtain an encrypted file; then, processing the encrypted file by any program running in the detected object to obtain a processed encrypted file; then, calling a password module of the detected object to decrypt the processed encrypted file to obtain a decrypted file; and finally, comparing the file before encryption with the decrypted file, and judging the running correctness of any program and the correctness and the validity of the cryptographic module of the detected object according to the comparison result. The steps of the method 200 for detecting a cryptographic module in a computer system according to the present invention will be described in detail below.
At step S201, a basic hardware cryptographic module is called to detect the basic hardware cryptographic module according to the encryption and decryption results of the verification file by the basic hardware cryptographic module. In one embodiment, the basic hardware cryptographic module may include: a kernel cryptographic module, a CPU cryptographic module and/or a bus cryptographic module. In an implementation scenario, when a detection object is an operating system kernel, a kernel cryptographic module verification module is added to an interface called by a kernel system, the kernel cryptographic module verification module exists in the form of a kernel module, an independent memory is opened in a kernel space, and the kernel cryptographic module is repeatedly called by taking a kernel time sequence as a reference. Comparing the file before encryption with the decrypted file in a kernel mode memory, and if the comparison result is consistent, feeding correct information back to a user mode; if an operation error occurs, an interrupt is generated, the interrupt is displayed in a kernel log as a highest priority error, and the operation of the whole computer operating system is suspended.
Based on the kernel of the operating system, the CPU and the bus password equipment are connected with the user layer, the middle layer and the upper layer of the operating system in series to form a total link. Therefore, the CPU password module and the bus password device can be called by the kernel of the operating system, so that the correctness and the effectiveness of the CPU password module and the bus password device can be detected. For example, the CPU cryptographic module includes a register encryption module, and the CPU issues an instruction "sm 4 eax 0001" which means to encrypt the original data in the eax register with a 128-bit key to obtain encrypted data, and then to move the encrypted data back into the eax register via the buffer. The instruction "a" (kmalloc (eax,64) "means that the encrypted data in the eax register is moved to the memory, but needs to be decrypted by an sm4 algorithm before being moved to the memory, that is, the instruction" b "(decryption _ sm4 (a)" is executed, after the kernel executes the instruction sent by the CPU, the decrypted data obtained after decryption is compared with the original data to be encrypted of the register, and if the decrypted data and the original data are consistent, the instruction set given by the CPU is correct.
Similarly, the bus encryption machine also provides an interface for the kernel to call the cryptographic module. For example, a certain block of address in the memory is encrypted, the instruction is "encrypt _ sm4(0000x, FFFF x, 128)", and the instruction means that original data is taken from an address 128 bits after the 0000 address, the original data is encrypted by using an sm4 algorithm to obtain encrypted data, the encrypted data is moved to an FFFF address, the encrypted data of the FFFF address is read in the kernel, and then the encrypted data is decrypted by using an sm4 algorithm to obtain decrypted data. After the kernel executes the instruction, the decrypted data is compared with the original data stored 128 bits from the 0000 address, if the decrypted data and the original data are consistent, the encryption algorithm and the decryption algorithm are correct, and the execution of the instruction is also correct.
In one implementation scenario, the kernel cryptographic module is invoked to detect not only the basic hardware cryptographic module, but also the correctness and validity of the encryption of non-bus, non-CPU-invoked data, such as: the encryption of the kernel network, the kernel protocol stack, the stack data, the memory cache data, etc. In another implementation scenario, nested encryption of stream data can also be detected by invoking the kernel encryption module, and the correctness and validity of the stream data, the bus data nested encryption and the hierarchical decryption are cached by the CPU. In addition, the time period of the CPU password module is 10 to 12 seconds, and the time period of the bus password device is 10 to 8 seconds. Therefore, in one embodiment, timing adjustment and device interrupt management of the CPU cryptographic module and the bus cryptographic device may also be implemented by the operating system kernel.
In one embodiment, after the kernel cryptography module detects the end, a stress test may be initiated to perform subsequent test steps at a predetermined CPU stress level. The pressure test can virtualize at least two verification processes in a container mode according to the current CPU occupancy rate in a virtualization mode, so that the total CPU occupancy rate of each verification process is higher than 60% and lower than 80%; the memory occupancy rate is higher than 40% and lower than 80%. If the threshold of CPU occupancy or memory occupancy is exceeded, the last process is killed. The minimum pressure test time is more than or equal to the cluster number, the average number of servers in the cluster, the average number of CPUs in the servers, the average number of single CPUs, and 2 hours.
Next, at step S202, an operating system cryptographic module is invoked to detect the operating system cryptographic module based on the encryption and decryption results of the authentication file by the operating system cryptographic module. In one embodiment, the application layer cryptographic algorithm dynamic link library within the operating system cryptographic module may be invoked in a compiler and/or linker. And the C language interface of the dynamic link library of the application layer encryption algorithm is referred by a C language compiler and a linker, and then the test code is compiled into a binary executable program so as to verify the running correctness of the program and the correctness of the encryption and decryption algorithms of the operating system password support library in the operating system password module. Calling the operating system password support library in the compiling and/or linking program can verify the correctness of instructions of the CPU password module and the bus password device called in the C/C + + language and the assembler program, and can also verify the correctness of a dynamic link library and an executable file formed by compiling and linking. Furthermore, the correctness of the operating system password support library in the C/C + + language and the assembler and the correctness of the C language calling interface of the operating system password module can be verified.
In another embodiment, the operating system cryptographic module may be invoked at the language support layer to detect the operating system cryptographic module based on the encryption and decryption results of the authentication file by the operating system cryptographic module. Calling an application layer national cryptographic algorithm dynamic link library in an operating system password module through languages such as Java, Python, Golang, Shell and Perl, quoting a corresponding interface of the application layer national cryptographic algorithm dynamic link library to execute an encryption algorithm, and verifying the running correctness of a program and the correctness of the encryption algorithm. Meanwhile, the correctness of the operating system password support library in the operating system password module to the calling of each mainstream language and the compatibility of each mainstream language can be verified.
Then, at step S203, the middleware crypto module is called to detect the middleware crypto module according to the encryption and decryption results of the verification file by the middleware crypto module. And the packaged middleware password module is quoted by calling a middleware mode, so that the running correctness of the program and the correctness of the encryption and decryption algorithms are verified. The method can verify the validity of function encapsulation and also can verify the compatibility of the middleware password module and other modules of the middleware layer.
Finally, at step S204, the application layer cryptographic module is invoked to detect the application layer cryptographic module according to the encryption and decryption results of the application layer cryptographic module on the authentication file. In one embodiment, through the application layer framework, for example: and the PHP, the JSP and the like call the packaged application layer cryptographic module to verify the correctness of program operation and the correctness of encryption and decryption algorithms.
The steps of the detection method of the cryptographic module of the computer system according to the present invention are exemplarily described above with reference to fig. 6, and it can be seen that the detection method shown in fig. 6 is suitable for verifying the correctness, real-time performance and robustness of the operation of the cryptographic module in a single computer. The following describes an exemplary method for detecting a communication cryptographic module between a plurality of computers communicating with each other with reference to fig. 7 to 10.
Fig. 7, 8, 9, 10 respectively show frame diagrams of different types of cloud clusters provided with communication cryptographic module detection means. In one embodiment, when communication is required between a plurality of computer systems, after the application layer cryptographic module is detected, the communication cryptographic module is called by a communication cryptographic module detection device arranged between any two or more computer systems in the network communication program so as to detect the communication cryptographic module according to the encryption and decryption results of the authentication file by the communication cryptographic module. The communication cryptographic module detection device is a virtual device. In one embodiment, when a plurality of computer systems form a cloud cluster, whether the encryption and decryption of the communication between the single computers in the cloud cluster adopting the encryption algorithm of the communication cryptographic module are correct or not can be verified by intercepting the communication message between the single computers in the cloud cluster.
As shown in fig. 7, the stand-alone a and the stand-alone B constitute a cloud cluster for point-to-point direct connection type cryptographic communication, and a communication cryptographic module detection device may be provided between the stand-alone a and the stand-alone B that communicate with each other. As shown in fig. 8, the single computer C, the single computer D, and the single computer E constitute a cloud cluster of chain-like cryptographic communication, and a communication cryptographic module detection device may be provided between any two single computers that directly communicate with each other, for example, between the single computer C and the single computer D. As shown in fig. 9, for the cloud cluster of the ring-shaped cryptographic communication, a communication cryptographic module detection device may be disposed between any two single computers that directly communicate with each other, for example, between the single computer F and the single computer G, to obtain the communication packet traffic between any two communication nodes thereof, and analyze the correctness of the operation of the communication cryptographic module. As shown in fig. 10, for the cloud cluster of graph communication, the communication cryptographic module detection apparatus is disposed between any two or more single computers, such as the single computer H, the single computer I, the single computer J, and the single computer K, which are in direct communication with each other, to obtain the communication message traffic and analyze the correctness of the operation of the encryption/decryption cryptographic module.
While the above description of the detection method for a communication cryptographic module between a plurality of intercommunicating computers is provided with reference to fig. 7, 8, 9 and 10, it will be understood by those skilled in the art that the frame diagrams of the cloud clusters shown in fig. 7, 8, 9 and 10 are exemplary and not limiting, and that the frame of the cloud clusters can be adjusted as needed by those skilled in the art.
In one embodiment, the method for detecting a cryptographic module of a computer system further includes: and after the application layer password module is detected or the communication password module is detected, outputting a detection result of the password module of the computer system. So as to visually know and record the running condition of the computer system password module and simultaneously facilitate the analysis of the problems of the computer system password module in the running process.
In yet another embodiment, the invention also provides a computer-readable storage medium comprising computer program instructions for a method of detection of a cryptographic module of a computer system, which when executed by one or more processors, cause the method according to the first aspect of the claims and any of its embodiments to be carried out. The method can detect the correctness, the safety and the robustness of the cryptographic module on the computer system, and provides test basis, data support and safety guarantee for the correctness, the safety and the robustness of the cryptographic module on the computer system.
A detection system for a computer system cryptographic module according to an embodiment of the present invention is described below with reference to fig. 11. The configuration shown in fig. 11 is merely an example, which should not bring any limitation to the function and the scope of use of the embodiment of the present invention. As shown in FIG. 11, the detection system is in the form of a general purpose computing device, including but not limited to: at least one processor, at least one memory, a communication bus connecting different system components. The communication bus represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. The memory may include readable media in the form of volatile memory, such as Random Access Memory (RAM) and/or cache memory, and may further include Read Only Memory (ROM). The memory may also include program modules, including but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
It is noted that for the sake of brevity, this application describes some methods and embodiments thereof as a series of acts and combinations thereof, but those skilled in the art will appreciate that the aspects of the application are not limited by the order of the acts described. Accordingly, one of ordinary skill in the art will appreciate that certain steps may be performed in other sequences or simultaneously, in accordance with the disclosure or teachings herein. Further, those skilled in the art will appreciate that the embodiments described herein are capable of alternative embodiments, i.e., acts or modules referred to herein are not necessarily required for the implementation of the solution or solutions described herein. In addition, the description of some embodiments of the present application is also focused on different schemes. In view of the above, those skilled in the art will understand that portions that are not described in detail in one embodiment of the present application may also be referred to in the related description of other embodiments.
It should be noted that while the operations of the method of the present invention are depicted in the drawings in a particular order, this is not intended to require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Rather, the steps depicted in the flowcharts may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in the specification and claims of this application, the singular form of "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should be further understood that the term "and/or" as used in the specification and claims of this specification refers to any and all possible combinations of one or more of the associated listed items and includes such combinations.
Although the embodiments of the present invention are described above, the descriptions are only examples for facilitating understanding of the present invention, and are not intended to limit the scope and application scenarios of the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (10)

1. A method for detecting a cryptographic module of a computer system, comprising: the following steps are performed sequentially:
calling a basic hardware password module to detect the basic hardware password module according to the encryption and decryption results of the basic hardware password module on the verification file;
calling an operating system password module to detect the operating system password module according to the encryption and decryption results of the operating system password module on the verification file;
calling a middleware password module to detect the middleware password module according to the encryption and decryption results of the middleware password module on the verification file; and
and calling the application layer password module to detect the application layer password module according to the encryption and decryption results of the application layer password module on the verification file.
2. The detection method according to claim 1, wherein the basic hardware cryptographic module comprises: a kernel cryptographic module, a CPU cryptographic module and/or a bus cryptographic module.
3. The detection method according to claim 2, further comprising:
after the application layer password module is detected, the communication password module is called to detect the communication password module according to the encryption and decryption results of the communication password module on the verification file.
4. The detection method according to claim 3, further comprising:
and outputting the detection result of the computer system password module after responding to the detection of the application layer password module or the communication password module.
5. The detection method according to any one of claims 1 to 4, further comprising:
and responding to the detection of the kernel code module to finish, and starting a stress test to execute subsequent test steps under the preset CPU stress level.
6. The detection method according to claim 5, wherein the initiating a stress test comprises initiating a plurality of virtual processes, wherein the load occupancy of the plurality of virtual processes is equal to the preset CPU stress level.
7. The method of claim 1, wherein invoking the operating system cryptographic module to detect the operating system cryptographic module comprises:
and in the compiling link program, calling an operating system password module to detect the operating system password module according to the encryption and decryption results of the operating system password module on the verification file.
8. The detection method according to claim 7,
the invoking the operating system cryptographic module to detect the operating system cryptographic module further comprises:
and calling the operating system password module at the language support layer so as to detect the operating system password module according to the encryption and decryption results of the operating system password module on the verification file.
9. A detection system for a cryptographic module of a computer system, the detection system comprising: one or more processors;
storage means for storing one or more programs;
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 1-8.
10. A computer-readable storage medium, characterized in that it comprises computer program instructions of a method of detection of a cryptographic module of a computer system, which when executed by one or more processors, cause the method according to any one of claims 1-8 to be carried out.
CN202110944118.XA 2021-08-17 2021-08-17 Method, device and storage medium for detecting cryptographic module of computer system Active CN113656229B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110944118.XA CN113656229B (en) 2021-08-17 2021-08-17 Method, device and storage medium for detecting cryptographic module of computer system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110944118.XA CN113656229B (en) 2021-08-17 2021-08-17 Method, device and storage medium for detecting cryptographic module of computer system

Publications (2)

Publication Number Publication Date
CN113656229A true CN113656229A (en) 2021-11-16
CN113656229B CN113656229B (en) 2024-02-20

Family

ID=78491744

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110944118.XA Active CN113656229B (en) 2021-08-17 2021-08-17 Method, device and storage medium for detecting cryptographic module of computer system

Country Status (1)

Country Link
CN (1) CN113656229B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285584A (en) * 2021-12-22 2022-04-05 北京正奇盾数据安全技术有限公司 Encryption algorithm experimental system
CN116166402A (en) * 2023-02-20 2023-05-26 广州万协通信息技术有限公司 Data security processing method, system, security chip and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1553349A (en) * 2003-05-29 2004-12-08 联想(北京)有限公司 Safety chip and information safety processor and processing method
CN102523335A (en) * 2011-11-28 2012-06-27 苏州英福迈升信息技术有限公司 Mobile terminal middleware system oriented to virtual community application
WO2014044152A1 (en) * 2012-09-19 2014-03-27 Tencent Technology (Shenzhen) Company Limited Method and apparatus for encryption
CN103812649A (en) * 2012-11-07 2014-05-21 中国电信股份有限公司 Method and system for safety access control of machine-card interface, and handset terminal
CN106452753A (en) * 2016-10-26 2017-02-22 泰山医学院 Method for constructing terminal credible platform in cloud computing environment
WO2018057801A1 (en) * 2016-09-23 2018-03-29 Becton, Dickinson And Company Encryption system for medical devices
CN109714344A (en) * 2018-12-28 2019-05-03 国汽(北京)智能网联汽车研究院有限公司 Intelligent network based on " end-pipe-cloud " joins automobile information security platform

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1553349A (en) * 2003-05-29 2004-12-08 联想(北京)有限公司 Safety chip and information safety processor and processing method
CN102523335A (en) * 2011-11-28 2012-06-27 苏州英福迈升信息技术有限公司 Mobile terminal middleware system oriented to virtual community application
WO2014044152A1 (en) * 2012-09-19 2014-03-27 Tencent Technology (Shenzhen) Company Limited Method and apparatus for encryption
CN103812649A (en) * 2012-11-07 2014-05-21 中国电信股份有限公司 Method and system for safety access control of machine-card interface, and handset terminal
WO2018057801A1 (en) * 2016-09-23 2018-03-29 Becton, Dickinson And Company Encryption system for medical devices
CN106452753A (en) * 2016-10-26 2017-02-22 泰山医学院 Method for constructing terminal credible platform in cloud computing environment
CN109714344A (en) * 2018-12-28 2019-05-03 国汽(北京)智能网联汽车研究院有限公司 Intelligent network based on " end-pipe-cloud " joins automobile information security platform

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285584A (en) * 2021-12-22 2022-04-05 北京正奇盾数据安全技术有限公司 Encryption algorithm experimental system
CN114285584B (en) * 2021-12-22 2024-01-16 北京正奇盾数据安全技术有限公司 Encryption algorithm experiment system
CN116166402A (en) * 2023-02-20 2023-05-26 广州万协通信息技术有限公司 Data security processing method, system, security chip and electronic equipment
CN116166402B (en) * 2023-02-20 2023-11-24 广州万协通信息技术有限公司 Data security processing method, system, security chip and electronic equipment

Also Published As

Publication number Publication date
CN113656229B (en) 2024-02-20

Similar Documents

Publication Publication Date Title
CN113656229B (en) Method, device and storage medium for detecting cryptographic module of computer system
CN109800160B (en) Cluster server fault testing method and related device in machine learning system
MX2010014464A (en) Secure memory management system and method.
KR20170120029A (en) Method and device for preventing manipulation of a data transmission
CN106372497A (en) Application programming interface (API) protection method and device
CN113190877B (en) Model loading method and device, readable storage medium and electronic equipment
CN109376021A (en) The response method and server that interface calls
US9910994B1 (en) System for assuring security of sensitive data on a host
US20230297666A1 (en) Preserving confidentiality of tenants in cloud environment when deploying security services
CN113609514B (en) Cloud hard disk encryption and decryption method, device and system and readable storage medium
CN104639313B (en) A kind of detection method of cryptographic algorithm
CN116070240B (en) Data encryption processing method and device of multi-chip calling mechanism
CN112287357A (en) Control flow verification method and system for embedded bare computer system
CN111367505A (en) JavaScript source code secrecy method, device, equipment and storage medium
CN106548098A (en) For detecting the method and system of fault attacks
CN113946869B (en) Internal security attack detection method and device for federal learning and privacy calculation
US8683452B1 (en) Dynamically obfuscated javascript
US10121008B1 (en) Method and process for automatic discovery of zero-day vulnerabilities and expoits without source code access
WO2018194568A1 (en) Executing processes in sequence
CN116846689B (en) Financial business data transmission method, device, computer equipment and storage medium
Zheng et al. Mean time to security failure of VM-based intrusion tolerant systems
CN108880785A (en) A kind of detection C++ void table is by the method, apparatus, terminal and readable medium of hook
EP4307607A1 (en) System and method of secured interface to a blockchain based network
US11271721B2 (en) Distributed secure array using intra-dice communications to perform data attestation
CN116614275B (en) Method for entrusting acceleration of privacy computing integrated machine

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant