CN113949551A - Virtualization cloud password service system based on channel isolation and implementation method thereof - Google Patents
Virtualization cloud password service system based on channel isolation and implementation method thereof Download PDFInfo
- Publication number
- CN113949551A CN113949551A CN202111187841.4A CN202111187841A CN113949551A CN 113949551 A CN113949551 A CN 113949551A CN 202111187841 A CN202111187841 A CN 202111187841A CN 113949551 A CN113949551 A CN 113949551A
- Authority
- CN
- China
- Prior art keywords
- password
- virtual
- machine
- cloud
- card
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000002955 isolation Methods 0.000 title claims abstract description 25
- 238000000034 method Methods 0.000 title claims abstract description 10
- 238000004364 calculation method Methods 0.000 claims abstract description 5
- 238000005516 engineering process Methods 0.000 claims abstract description 4
- 238000007726 management method Methods 0.000 claims description 20
- 238000012795 verification Methods 0.000 claims description 3
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013523 data management Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
Abstract
The invention discloses a virtualization cloud password service system based on channel isolation and an implementation method thereof, belongs to the field of password engineering, and is used for solving the problem of using common password equipment in a cloud computing environment. The main point of the invention is that DMA of the PCI-E physical password card is isolated into a plurality of independent channels, each channel corresponds to a character device of a driving layer, and the character devices are configured on a virtual password machine through the Linux device mounting technology. The virtual cipher machine calls a cipher card through character equipment to realize key access and cipher calculation, and provides safe and isolated cipher operation service for tenants. The invention realizes the virtualized physical password card based on the channel isolation, pools password resources, enables the password resources to be more efficiently used, also enables an administrator to be easier to manage, and simultaneously ensures the secret key security isolation of tenants through an isolation mechanism which is realized by combining a plurality of measures, thereby ensuring that the password service call obtains the highest security.
Description
Technical Field
The invention relates to the field of password engineering, in particular to a virtualized cloud password service system based on channel isolation and an implementation method thereof.
Background
With the development of cloud computing technology, more and more traditional applications migrate to the cloud. By utilizing the special high reliability and high flexibility of the cloud computing environment, the centralized data management and the efficient utilization of hardware resources are realized.
The traditional application guarantees the information security of the application by means of hardware devices such as a cipher machine, but the use of the common cipher device in the cloud computing environment has many problems, such as the use mode of the common cipher device is not in line with the cloud environment, the isolation security of tenants cannot be guaranteed, the operation and maintenance of the device are difficult, and the like.
In order to solve the problem of using common password equipment in a cloud computing environment and meet the requirements of dynamic expansion of password computing capacity, elastic configuration of tenant password computing capacity, mass tenant key support and the like, a cloud password service system is developed and provides functions of unified password equipment management, unified password resource scheduling, password service load balancing, a virtual password machine based on channel isolation and the like for an application system.
Disclosure of Invention
The invention aims to provide a virtualized cloud password service system based on channel isolation and an implementation method thereof.
In order to achieve the purpose, the technical scheme adopted by the invention is as follows:
a virtualization cloud password service system based on channel isolation comprises a cloud password service subsystem and a cloud password management subsystem.
The cloud password service subsystem is a virtual password resource pool based on channel isolation and comprises a physical password card, a character device based on a channel and a virtual password machine.
The physical password card is a password device which is provided with a PCI-E interface and realizes key storage and password calculation.
The channel-based character device is a character device which isolates the DMA of the PCI-E physical password card into a plurality of independent channels, each channel corresponds to one character device of a driving layer, and the character device is configured on the virtual password machine through a Linux device mounting technology.
The virtual cipher machine calls a cipher card through the mounted character equipment to realize key access and cipher calculation, and provides safe and isolated cipher operation service for tenants.
The cloud password management subsystem provides password equipment and resource management service for a system administrator and provides elastic configuration service of the virtual password machine for a tenant administrator.
Based on the structure, the invention also discloses a method for realizing the virtualized cloud password service system based on channel isolation, which comprises the following steps:
(1) the cloud password management subsystem sends a physical password card initialization instruction, initializes the physical password card, performs identity verification on an administrator of the physical password card, and generates an equipment key of the physical password card to enable the physical password card to enter a working state;
(2) the cloud password management subsystem sends an initialization instruction of the cloud password service system, initializes the cloud password service system, performs identity authentication on an administrator of the system, and generates a user key of the system to enable the system to enter a working state;
(3) the cloud password management subsystem sends a virtual password machine creating instruction, creates a virtual password machine, corresponds a specific channel to character equipment of a driving layer by using the cloud password service subsystem, and then mounts the character equipment onto the virtual password machine;
(4) the cloud password management subsystem sends out a virtual password machine initialization instruction, initializes the virtual password machine, performs identity authentication on an administrator of the virtual password machine, and generates an equipment key of the virtual password machine to enable the virtual password machine to enter a working state;
(5) the virtual cipher machine is configured with a user key, the user key of the virtual cipher machine is generated by operating a physical cipher card through character equipment, and the user key is stored in an encrypted mode according to tenant safety.
(6) The virtual cipher machine provides cipher service for tenants or applications after configuring the user key;
compared with the prior art, the invention has the following beneficial effects:
(1) the cloud password service system adopts a unique channel-based virtualization and isolation mechanism, realizes user key hardware isolation and simultaneously guarantees service performance;
(2) the invention provides a virtualized cloud password service system based on channel isolation, which can create at most 128 virtual password machines under the support of a high-performance physical password card;
(3) the cloud password service system has the advantages that the independence of the physical password card and the hardware platform is achieved creatively, the cloud password service system is more suitable for a distributed deployment mode on the cloud, and the adaptability is stronger;
(4) the cloud password service system adopts a container-based lightweight security isolation mechanism, and the isolation mechanism ensures that tenants cannot illegally access through multiple measures;
(5) the cloud password service system provides the ability of a manager to remotely manage the physical password card and the virtual password machine, and realizes efficient password resource management;
(6) the invention fully supports the domestic cryptographic algorithm and the domestic hardware platform and follows the relevant industrial standard of China.
Drawings
Fig. 1 is a flowchart of a cloud password service system implementation method of the present invention;
fig. 2 is a structural diagram of a cloud password service system of the present invention;
Detailed Description
The present invention will be further described with reference to the following description and examples, which include but are not limited to the following examples.
As shown in fig. 1, the method for implementing a virtualized cloud cryptographic service system based on channel isolation disclosed in the present invention includes the following steps:
step 1: the cloud password management subsystem sends a physical password card initialization instruction, initializes the physical password card, performs identity verification on an administrator of the physical password card, and generates an equipment key of the physical password card to enable the physical password card to enter a working state;
step 2: the cloud password management subsystem sends an initialization instruction of the cloud password service system, initializes the cloud password service system, performs identity authentication on an administrator of the system, and generates a user key of the system to enable the system to enter a working state;
and step 3: the cloud password management subsystem sends a virtual password machine creating instruction, creates a virtual password machine, corresponds a specific channel to character equipment of a driving layer by using the cloud password service subsystem, and then mounts the character equipment onto the virtual password machine;
and 4, step 4: the cloud password management subsystem sends out a virtual password machine initialization instruction, initializes the virtual password machine, performs identity authentication on an administrator of the virtual password machine, and generates an equipment key of the virtual password machine to enable the virtual password machine to enter a working state;
and 5: the virtual cipher machine is configured with a user key, the user key of the virtual cipher machine is generated by operating a physical cipher card through character equipment, and the user key is stored in an encrypted mode according to tenant safety.
Step 6: the virtual cipher machine provides cipher service for tenants or applications after configuring the user key;
the invention realizes the virtualized physical password card based on the channel isolation, pools password resources, enables the password resources to be more efficiently used, also enables an administrator to be easier to manage, and simultaneously ensures the secret key security isolation of tenants through an isolation mechanism which is realized by combining a plurality of measures, thereby ensuring that the password service call obtains the highest security.
Claims (2)
1. A virtualized cloud password service system based on channel isolation and an implementation method thereof are characterized by comprising a cloud password service subsystem and a cloud password management subsystem; the cloud password service subsystem is a virtual password resource pool based on channel isolation and comprises a physical password card, a character device based on a channel and a virtual password machine; the physical password card is password equipment which is provided with a PCI-E interface and realizes key storage and password calculation; the channel-based character equipment isolates the DMA of the PCI-E physical password card into a plurality of independent channels, each channel corresponds to one character equipment of a driving layer, and the character equipment is configured on the virtual password machine through a Linux equipment mounting technology; the virtual cipher machine calls a cipher card through the mounted character equipment to realize key access and cipher calculation, and provides safe and isolated cipher operation service for tenants; the cloud password management subsystem provides password equipment and resource management service for a system administrator and provides elastic configuration service of the virtual password machine for a tenant administrator.
2. The method for implementing the virtualized cloud password service system based on channel isolation according to claim 1, comprising the following steps, step 1: the cloud password management subsystem sends a physical password card initialization instruction, initializes the physical password card, performs identity verification on an administrator of the physical password card, and generates an equipment key of the physical password card to enable the physical password card to enter a working state; step 2: the cloud password management subsystem sends an initialization instruction of the cloud password service system, initializes the cloud password service system, performs identity authentication on an administrator of the system, and generates a user key of the system to enable the system to enter a working state; and step 3: the cloud password management subsystem sends a virtual password machine creating instruction, creates a virtual password machine, corresponds a specific channel to character equipment of a driving layer by using the cloud password service subsystem, and then mounts the character equipment onto the virtual password machine; and 4, step 4: the cloud password management subsystem sends out a virtual password machine initialization instruction, initializes the virtual password machine, performs identity authentication on an administrator of the virtual password machine, and generates an equipment key of the virtual password machine to enable the virtual password machine to enter a working state; and 5: the virtual cipher machine is configured with a user key, the user key of the virtual cipher machine is generated by operating a physical cipher card through character equipment, and the user key is stored in an encrypted mode according to tenant safety. Step 6: the virtual crypto machine provides cryptographic services to tenants or applications after configuring the user key.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111187841.4A CN113949551A (en) | 2021-10-12 | 2021-10-12 | Virtualization cloud password service system based on channel isolation and implementation method thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111187841.4A CN113949551A (en) | 2021-10-12 | 2021-10-12 | Virtualization cloud password service system based on channel isolation and implementation method thereof |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113949551A true CN113949551A (en) | 2022-01-18 |
Family
ID=79330215
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111187841.4A Pending CN113949551A (en) | 2021-10-12 | 2021-10-12 | Virtualization cloud password service system based on channel isolation and implementation method thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113949551A (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114866346A (en) * | 2022-07-06 | 2022-08-05 | 北京神州安付科技股份有限公司 | Password service platform based on decentralization |
| CN115189896A (en) * | 2022-09-13 | 2022-10-14 | 中安网脉(北京)技术股份有限公司 | Virtual cloud password service system and method |
| CN117319212A (en) * | 2023-11-29 | 2023-12-29 | 中安网脉(北京)技术股份有限公司 | Multi-tenant isolated password resource automatic scheduling system and method in cloud environment |
Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070245386A1 (en) * | 1998-05-08 | 2007-10-18 | Qualcomm Incorporated | Apparatus and method for decoding digital image and audio signals |
| CN101290569A (en) * | 2008-05-06 | 2008-10-22 | 国网南京自动化研究院 | Method for parallel data processing adopting multi- password chip |
| CN105678156A (en) * | 2016-01-04 | 2016-06-15 | 成都卫士通信息产业股份有限公司 | Cloud cipher service platform based on virtualization technology and working process of platform |
| CN105871540A (en) * | 2016-03-24 | 2016-08-17 | 北京江南天安科技有限公司 | Cipher machine and cryptogrammic operation implementation method based on host machine |
| CN106130864A (en) * | 2016-07-06 | 2016-11-16 | 北京国电通网络技术有限公司 | A kind of privately owned cloud access method and apparatus based on VPN |
| US20170005990A1 (en) * | 2015-07-01 | 2017-01-05 | Ari Birger | Systems, Methods and Computer Readable Medium To Implement Secured Computational Infrastructure for Cloud and Data Center Environments |
| WO2017092671A1 (en) * | 2015-12-04 | 2017-06-08 | 华为技术有限公司 | Method of managing virtual machine, device and system |
| US20170177854A1 (en) * | 2014-05-15 | 2017-06-22 | Carnegie Mellon University | Method and Apparatus for On-Demand Isolated I/O Channels for Secure Applications |
| CN108228316A (en) * | 2017-12-26 | 2018-06-29 | 成都卫士通信息产业股份有限公司 | A kind of method and apparatus of encryption device virtualization |
| CN108306972A (en) * | 2018-02-06 | 2018-07-20 | 山东渔翁信息技术股份有限公司 | A kind of cloud cryptographic service method, platform, system and computer readable storage medium |
| CN109361517A (en) * | 2018-08-21 | 2019-02-19 | 西安得安信息技术有限公司 | A kind of virtualization cloud cipher machine system and its implementation based on cloud computing |
| CN110086751A (en) * | 2018-01-26 | 2019-08-02 | 北京数盾信息科技有限公司 | A kind of 1,100,000,000 network cryptographic machine encipher-decipher methods of high speed, low time delay |
-
2021
- 2021-10-12 CN CN202111187841.4A patent/CN113949551A/en active Pending
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070245386A1 (en) * | 1998-05-08 | 2007-10-18 | Qualcomm Incorporated | Apparatus and method for decoding digital image and audio signals |
| CN101290569A (en) * | 2008-05-06 | 2008-10-22 | 国网南京自动化研究院 | Method for parallel data processing adopting multi- password chip |
| US20170177854A1 (en) * | 2014-05-15 | 2017-06-22 | Carnegie Mellon University | Method and Apparatus for On-Demand Isolated I/O Channels for Secure Applications |
| US20170005990A1 (en) * | 2015-07-01 | 2017-01-05 | Ari Birger | Systems, Methods and Computer Readable Medium To Implement Secured Computational Infrastructure for Cloud and Data Center Environments |
| WO2017092671A1 (en) * | 2015-12-04 | 2017-06-08 | 华为技术有限公司 | Method of managing virtual machine, device and system |
| CN105678156A (en) * | 2016-01-04 | 2016-06-15 | 成都卫士通信息产业股份有限公司 | Cloud cipher service platform based on virtualization technology and working process of platform |
| CN105871540A (en) * | 2016-03-24 | 2016-08-17 | 北京江南天安科技有限公司 | Cipher machine and cryptogrammic operation implementation method based on host machine |
| CN106130864A (en) * | 2016-07-06 | 2016-11-16 | 北京国电通网络技术有限公司 | A kind of privately owned cloud access method and apparatus based on VPN |
| CN108228316A (en) * | 2017-12-26 | 2018-06-29 | 成都卫士通信息产业股份有限公司 | A kind of method and apparatus of encryption device virtualization |
| CN110086751A (en) * | 2018-01-26 | 2019-08-02 | 北京数盾信息科技有限公司 | A kind of 1,100,000,000 network cryptographic machine encipher-decipher methods of high speed, low time delay |
| CN108306972A (en) * | 2018-02-06 | 2018-07-20 | 山东渔翁信息技术股份有限公司 | A kind of cloud cryptographic service method, platform, system and computer readable storage medium |
| CN109361517A (en) * | 2018-08-21 | 2019-02-19 | 西安得安信息技术有限公司 | A kind of virtualization cloud cipher machine system and its implementation based on cloud computing |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114866346A (en) * | 2022-07-06 | 2022-08-05 | 北京神州安付科技股份有限公司 | Password service platform based on decentralization |
| CN114866346B (en) * | 2022-07-06 | 2022-09-13 | 北京神州安付科技股份有限公司 | Password service platform based on decentralization |
| CN115189896A (en) * | 2022-09-13 | 2022-10-14 | 中安网脉(北京)技术股份有限公司 | Virtual cloud password service system and method |
| CN117319212A (en) * | 2023-11-29 | 2023-12-29 | 中安网脉(北京)技术股份有限公司 | Multi-tenant isolated password resource automatic scheduling system and method in cloud environment |
| CN117319212B (en) * | 2023-11-29 | 2024-02-02 | 中安网脉(北京)技术股份有限公司 | Multi-tenant isolated password resource automatic scheduling system and method in cloud environment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113949551A (en) | Virtualization cloud password service system based on channel isolation and implementation method thereof | |
| CN108228316B (en) | Method and device for virtualizing password device | |
| CN107864217B (en) | Cloud desktop intelligent pushing system | |
| CN103139221A (en) | Dependable virtual platform and construction method thereof, data migration method among platforms | |
| CN109361517A (en) | A kind of virtualization cloud cipher machine system and its implementation based on cloud computing | |
| CN115189896B (en) | Virtual cloud password service system and method | |
| KR101213984B1 (en) | A Hybrid Cloud with Multi-Factor Authentication System | |
| CN104202421A (en) | Cloud computing based password service system | |
| CN103038746A (en) | Method and apparatus for trusted execution in infrastructure as a service cloud environments | |
| Rashid et al. | Virtualization and its role in cloud computing environment | |
| CN102650950A (en) | Platform architecture supporting multi-GPU (Graphics Processing Unit) virtualization and work method of platform architecture | |
| CN105700945A (en) | Clean room environment-based safe virtual machine migration method | |
| CN105243321A (en) | Container virtualization technology based cipher machine, implementation method and working method therefor | |
| WO2016107394A1 (en) | Depth proof method of virtual machine, computing device and computer system | |
| CN104598294A (en) | Efficient and safe virtualization method for mobile equipment and equipment thereof | |
| CN103118030A (en) | Desktop cloud based identity authentication method | |
| CN105306576A (en) | Scheduling method and system for password arithmetic units | |
| CN102801636A (en) | Method for limiting bandwidth of cloud hosting network of cloud computing platform | |
| CN203135901U (en) | Encryption equipment management device | |
| CN103501295B (en) | A kind of remote access method based on virtual machine (vm) migration and equipment | |
| CN110012074A (en) | A kind of credible context management method of cloud environment | |
| Omar et al. | Biometric encryption to enhance confidentiality in Cloud computing | |
| CN116418522A (en) | Cloud server crypto-engine system based on virtualization technology | |
| CN108418856A (en) | A kind of government affairs cloud cipher application platform construction method based on cloud computing technology | |
| CN104636960B (en) | Electronic invoice security middleware construction method based on cloud computing technology |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |