CN114866409B - Password acceleration method and device based on password acceleration hardware - Google Patents
Password acceleration method and device based on password acceleration hardware Download PDFInfo
- Publication number
- CN114866409B CN114866409B CN202210457729.6A CN202210457729A CN114866409B CN 114866409 B CN114866409 B CN 114866409B CN 202210457729 A CN202210457729 A CN 202210457729A CN 114866409 B CN114866409 B CN 114866409B
- Authority
- CN
- China
- Prior art keywords
- information
- password
- client
- server
- certification
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000001133 acceleration Effects 0.000 title claims abstract description 119
- 238000000034 method Methods 0.000 title claims abstract description 73
- 238000012795 verification Methods 0.000 claims abstract description 51
- 230000005540 biological transmission Effects 0.000 claims abstract description 35
- 230000008569 process Effects 0.000 claims abstract description 25
- 230000015654 memory Effects 0.000 claims description 53
- 239000002184 metal Substances 0.000 claims description 11
- 238000012545 processing Methods 0.000 claims description 9
- 230000002093 peripheral effect Effects 0.000 claims description 3
- 210000001503 joint Anatomy 0.000 claims description 2
- 238000010586 diagram Methods 0.000 description 8
- 238000005516 engineering process Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 3
- 230000006870 function Effects 0.000 description 2
- OKTJSMMVPCPJKN-UHFFFAOYSA-N Carbon Chemical compound [C] OKTJSMMVPCPJKN-UHFFFAOYSA-N 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 230000001934 delay Effects 0.000 description 1
- 229910021389 graphene Inorganic materials 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000010200 validation analysis Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0889—Techniques to speed-up the configuration process
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/088—Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
One or more embodiments of the present disclosure provide a password acceleration method and apparatus based on password acceleration hardware. The method comprises the following steps: responding to a remote verification request sent by a client, and sending the certification information to the client so that the client performs validity verification on the certification information; after the certification information passes the validity verification, the password information transmitted by the client through a secure transmission channel with the client is received; and sending the password information to password acceleration hardware so that the password acceleration hardware accelerates the encryption/decryption process based on the password information.
Description
Technical Field
One or more embodiments of the present disclosure relate to the field of computer technologies, and in particular, to a password acceleration method and device based on password acceleration hardware.
Background
The cloud server is a simple, efficient, safe and reliable computing server with elastically scalable processing capacity. The management mode is simpler and more efficient than that of a physical server. A user can quickly create or release any plurality of cloud servers without purchasing hardware in advance. In the cloud service scenario, in order to improve security, encryption protection is often required for data on a network transmission link. In order to improve the efficiency of decrypting data by the cloud server, the cloud server is often provided with password acceleration hardware for encrypting/decrypting the data. The data security problem is particularly important when the data is encrypted/decrypted by using the password acceleration hardware provided by the cloud server.
Disclosure of Invention
In view of the foregoing, one or more embodiments of the present disclosure provide a password acceleration method and apparatus based on password acceleration hardware to solve the problems in the related art.
In order to achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
according to a first aspect of one or more embodiments of the present specification, a cryptographic acceleration method based on cryptographic acceleration hardware is provided, and the cryptographic acceleration method is applied to a cloud server, where the cloud server includes cryptographic acceleration hardware, and a secure memory on the cryptographic acceleration hardware stores certification information, where the certification information is used to certify validity of an operating environment of the cloud server; the method comprises the following steps:
responding to a remote verification request sent by a client, and sending the certification information to the client so that the client performs validity verification on the certification information;
after the certification information passes the validity verification, the password information transmitted by the client through a secure transmission channel with the client is received;
and sending the password information to the password acceleration hardware so that the password acceleration hardware accelerates the encryption/decryption process based on the password information.
According to a second aspect of one or more embodiments of the present specification, there is provided a cryptographic acceleration apparatus based on cryptographic acceleration hardware, comprising:
a data issuing unit: the remote verification system is used for responding to a remote verification request sent by a client, and sending the certification information to the client so that the client can perform validity verification on the certification information;
an information transmission unit: the password information is used for receiving the password information transmitted by the client through a secure transmission channel between the client and the client after the certification information passes the validity verification;
acceleration processing unit: and the password information is issued to the password acceleration hardware, so that the password acceleration hardware accelerates the encryption/decryption process based on the password information.
According to a third aspect of one or more embodiments of the present specification, there is provided a cryptographic co-process comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method of the first aspect by executing the executable instructions.
According to a fourth aspect of one or more embodiments of the present description, there is provided a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method as described in the first aspect.
The beneficial effects of this application:
according to the method and the device, a mechanism for remotely verifying the legality of the operation environment of the cloud server is introduced into the cloud server carrying the password acceleration hardware, and before a user remotely issues the password information to the password acceleration hardware of the cloud server, the legality of the operation environment of the cloud server can be initiated in advance to carry out remote verification. After the validity is proved, the password information to be encrypted/decrypted is transmitted through the secure transmission channel, so that the password leakage is avoided, and the data security problem in the cloud service scene can be effectively solved.
Drawings
Fig. 1 is a schematic system architecture diagram of a cryptographic acceleration method based on cryptographic acceleration hardware according to an exemplary embodiment.
FIG. 2 is a schematic diagram of cryptographic acceleration hardware provided by an exemplary embodiment.
FIG. 3 is a flowchart of a cryptographic acceleration method based on cryptographic acceleration hardware, as provided by an exemplary embodiment.
Fig. 4 is a flowchart of a cryptographic acceleration method based on cryptographic acceleration hardware according to an exemplary embodiment.
Fig. 5 is a schematic structural diagram of a cloud server according to an exemplary embodiment.
Fig. 6 is a block diagram of a cryptographic acceleration apparatus based on cryptographic acceleration hardware, provided by an example embodiment.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with aspects of one or more embodiments of the present description as detailed in the accompanying claims.
It should be noted that: in other embodiments, the steps of the corresponding method are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than described in this specification. Furthermore, individual steps described in this specification, in other embodiments, may be described as being split into multiple steps; while various steps described in this specification may be combined into a single step in other embodiments.
Conventional elastic cloud servers, users typically rent computing resources to the servers, which are typically not physical resources, but virtual resources. Since virtual resources, virtualizing computing resources tends to introduce performance delays for some tasks with high performance requirements (e.g., high performance operations). Moreover, there is a performance penalty if dense input-output operations occur. Meanwhile, since computing resources of the traditional elastic cloud server are generally distributed to multiple tenants, when the tenants burst high load, other combinations are still affected, and therefore, for applications with very high performance and stability requirements, the traditional elastic cloud server cannot meet the requirements.
The bare metal server has the advantages of an elastic cloud server and has high performance like a physical machine. For bare metal servers, most of the service providers only provide single-tenant services, and a single tenant can solely share the resources of a physical server, and can simultaneously communicate and cooperate with the existing virtualized server of the user. Therefore, the bare metal server has the characteristic of exclusive computing resources, so that the bare metal server is very suitable for scenes with higher requirements on safety isolation; for example, it is well suited to the deployment of industry-related tasks such as banking, finance, securities, etc. Moreover, the method is also very suitable for scenes with high requirements on the performance of the cloud server; such as supercomputing, aerospace, and other scientific research scenarios.
Since users often need to remotely process sensitive information such as keys, passwords, etc., data security becomes particularly important in bare metal scenarios of cloud services. For security reasons, it is often necessary to encrypt data in storage media such as memories, hard disks, and on network transmission links. In addition, the cloud server is generally provided with a password acceleration hardware (for example, a password coprocessor), and the password acceleration hardware can be used for accelerating the encryption and decryption process of data, so that the efficiency and the speed of encrypting and decrypting the data are improved.
In practical application, when a user accesses the cloud server remotely, the encryption and decryption process is accelerated by using the password acceleration hardware provided by the cloud server, and a key for encrypting data is often required to be issued to the cloud server remotely. In this process, confidential information such as keys is at risk of leakage.
In view of this, the present description proposes a technical solution that introduces a remote attestation mechanism for a cloud server carrying password acceleration hardware, and then transmits and processes a password after remotely verifying the validity of the cloud server operating environment.
In the implementation, the cloud server is provided with password acceleration hardware, wherein the password acceleration hardware is provided with a safety memory, the safety memory is used for storing proving information, and the proving information is used for proving the legality of the running environment of the cloud server. The cloud server responds to a remote verification request sent by the client and sends the certification information to the client so that the client can perform validity verification on the certification information; after the client performs validity verification on the verification information, the cloud server receives the password information through the secure transmission channel; and then the cloud server accelerates the encryption/decryption process of the password information through password acceleration hardware.
Fig. 1 is a schematic system architecture diagram of a cryptographic acceleration method based on cryptographic acceleration hardware according to an exemplary embodiment. As shown in fig. 1, the system may include a cloud server 102, a third party attestation server 104, a client 106, and a network 108.
The cloud server 102 may include a bare metal server or a flexible cloud server, which is equipped with password acceleration hardware for accelerating the password information encryption/decryption process. The third validation server 104 may include a certificate server for issuing digital certificates. The client 106 may include a client provided by an electronic device such as a notebook computer, a mobile phone, a tablet device, etc., which is not limited in this regard. The network 108 may include various types of wired or wireless networks.
In an embodiment, taking a cloud server as a bare metal server, a third party proving server as a certificate server, and a client provided by a client for a notebook computer used by a user as an example. A user can remotely access the bare metal server through a client, then based on the password acceleration method based on the password acceleration hardware provided by the specification, remotely prove the legality of the running environment of the bare metal server through a certificate server, then receive the password information transmitted by the client through a secure transmission channel, send the password information to the password acceleration hardware, and then finish the encryption/decryption process of the password information to accelerate.
Referring to fig. 2, fig. 2 is a schematic diagram of a cryptographic acceleration hardware according to an exemplary embodiment.
As shown in fig. 2, the above-mentioned cryptographic acceleration hardware may specifically include a secure memory, an operation unit, a certification information management subsystem, and a key management subsystem. The secure memory, the arithmetic unit as a hardware unit is marked with a solid line in the figure, and the certification information management subsystem and the key management subsystem as software units are marked with a broken line in the figure. The cryptographic acceleration hardware may or may not have one or more of the attestation information management subsystem and/or the key management subsystem, and the present invention is not limited thereto.
The secure memory may be used to store information such as device information, attestation information, security keys, etc. The secure memory may include programmable memory that restricts access to hardware and/or software other than the cryptographic acceleration hardware, and may include cryptographically secured secure memory. The certification information management subsystem in the password acceleration hardware can be used for managing the certification information issued by the third party certification server and supporting the functions of importing, exporting and the like of the certification information. The key management subsystem described above may be used to manage security keys generated during remote attestation. The operation unit may be composed of a cryptographic algorithm acceleration engine, a DMA, etc. module for accelerating the encryption/decryption process for the cryptographic information.
In one embodiment, the cryptographic acceleration hardware may be a cryptographic coprocessor. The cryptographic coprocessor may be a cryptographic coprocessor integrated on a processor mounted on the cloud server, or may be a cryptographic coprocessor peripheral interfacing with a processor mounted on the cloud server, which is not limited in the present invention.
The password acceleration method based on the password acceleration hardware of the present specification is described in detail below with reference to the accompanying drawings.
FIG. 3 is a flowchart of a cryptographic acceleration method based on cryptographic acceleration hardware, as provided by an exemplary embodiment. As shown in fig. 2, the method may be applied to a cloud server on which the password acceleration hardware as described in fig. 2 is mounted, and the method may include the following steps:
step 302, responding to a remote proving request sent by a client, and sending the proving information to the client so that the client can perform validity verification on the proving information;
in the present embodiment, the secure memory in the password acceleration hardware shown in fig. 2 stores certification information for verifying the validity of the cloud server operating environment, wherein the specific form of the certification information is not particularly limited in this specification. For example, it may be in the form of a digital certificate, or may be in other forms than a digital certificate, such as a password for verifying validity, an electronic certificate, or the like.
In one embodiment shown, the attestation information may be generated by a third party attestation server. The third party certification server can provide a service for digitally signing the certification information and a service for verifying the validity of the certification information. And the third party proving server generates proving information based on the equipment information of the cloud server, receives and transmits the proving information to a safety memory carried by the password acceleration hardware for storage through a safety transmission channel. The device information of the cloud server may be a unique feature code of the cloud server, or may be other feature information used for representing the cloud server, such as a serial number of the cloud server, factory information, and the like.
For example, taking the certification information as a certificate, the third party certification server may receive the unique feature code sent by the cloud server in advance, and the certification server generates a certification key according to the unique feature code, where the certification key pair includes a certification public key and a certification private key. The certification server generates a certification certificate for verifying the legality of the running environment according to the certification public key and the equipment information, and issues the certification certificate to the cloud server, so that the password acceleration hardware carried by the cloud service is stored in a secure memory, and the certification certificate is managed by a certification information management subsystem of the password acceleration hardware.
To further ensure security, the attestation server may further encrypt the attestation certificate. The attestation server also has a seed key for generating a root key, wherein the root key includes a private key and a public key. After the certificate server generates the certificate, the certificate may be digitally signed with a private key. The data signature may then be verified based on the public key to which the private key corresponds to complete the verification of the legitimacy of the certificate of authenticity.
In another embodiment shown, the attestation information may also be generated locally by a cloud server. For example, taking the certification information as a certificate, the secure memory of the password acceleration hardware carried by the cloud service stores a unique feature code of the cloud server, and the key management subsystem of the password acceleration hardware may generate a certification key according to the unique feature code, where the certification key pair includes a certification public key and a certification private key. The proving information management subsystem of the cloud server can generate a proving certificate for verifying the legality of the running environment according to the proving public key and the equipment information, and send the proving certificate to the safe storage, and the proving information management subsystem is used for managing the proving certificate.
In order to further ensure security, the cloud server may further encrypt the certificate. The cloud server further has a seed key for generating a root key, wherein the root key comprises a private key and a public key. After the cloud server generates the certificate, the certificate may be digitally signed by a private key. The data signature may then be verified based on the public key to which the private key corresponds to complete the verification of the legitimacy of the certificate of authenticity.
In this embodiment, the user may send the cryptographic information held by the individual to the cryptographic acceleration hardware installed in the cloud server through the client, and the cryptographic acceleration hardware accelerates the encryption/decryption process based on the cryptographic information. In order to avoid leakage of the password information, a mechanism for remotely verifying the validity of the operation environment of the cloud server can be introduced into the client, so that a user can initiate the validity of the operation environment of the cloud server in advance to carry out remote verification through the client before remotely issuing the user password to the password acceleration hardware of the cloud server through the client.
For example, an option on the client that may provide remote attestation, such as a button that may be remote attestation; the user may trigger this option by clicking or the like. And the client initiates remote proof of validity of the cloud server running environment after monitoring the triggering operation of the user for the option.
After a user initiates a remote proof for the validity of the cloud server operating environment through the client, the client may send a remote verification request to the cloud server. After receiving the remote verification request, the cloud server can respond to the remote verification request of the client and send the stored verification information in the secure storage hardware to the client through a verification information management subsystem carried by the password acceleration hardware. And after receiving the certification information, the client may initiate a validity verification for the certification information.
The process of initiating validity verification for the certification information generally corresponds to the generation process of the certification information. Remote verification of the certification information can be completed through remote certification interaction with a third party certification server, and validity verification of the certification information can also be completed locally.
In an embodiment, if the attestation information is generated by a third party server, the attestation client may send the attestation information to the third party attestation server for verification. Taking the certification information as a certificate for example, if the certification certificate carries a digital signature, the third party server can use the public key in the root key to verify the signature of the certification certificate, and if the digital signature verification is successful, the certification certificate is legal.
In another embodiment, if the attestation information is generated locally by the cloud server, the attestation client may send the attestation information to the cloud server for verification. Taking the certification information as a certificate for example, if the certification certificate carries a digital signature, the cloud server can use the public key in the root key to verify the signature of the certification certificate, and if the digital signature verification is successful, the certification certificate is legal.
Step 304, receiving the password information transmitted by the client through a secure transmission channel between the client and the client after the certification information passes the validity verification;
and the client receives the verification result of the certification server aiming at the certification information, and if the certification information passes the verification, the cloud server transmits the password information through a secure transmission channel with the client. The secure transmission channel is used for transmitting a secure key, password information for accelerating password acceleration hardware, and the like. The secure transmission channel may be established in advance, or may be established after the certification information passes the validity verification, which is not limited in the present invention.
In an embodiment, the cloud server and the client may negotiate a negotiation key for establishing a secure channel in advance, and then establish the secure channel with the client based on the negotiation key.
Specifically, the secure memory of the above-mentioned password acceleration hardware may further store a seed key for generating a negotiation key, and the key management subsystem of the above-mentioned password acceleration hardware may generate the negotiation key according to the seed key, where the negotiation key pair may include a negotiation public key and a negotiation private key. The cloud server may generate a first negotiation certificate according to a negotiation public key in a negotiation key pair, where the first negotiation certificate is used to negotiate a key with a client. The cloud server generates a first negotiation certificate and sends the first negotiation certificate to the client; and generating a negotiation key pair for negotiation by the client according to the seed key locally, generating a second negotiation certificate and sending the second negotiation certificate to the cloud server. The cloud server calculates a negotiation key for establishing the secure transmission channel according to the local first negotiation certificate and the second negotiation certificate sent by the client, and correspondingly, the client calculates the negotiation key according to the local second negotiation certificate and the local first negotiation certificate. The client and the cloud server can use the negotiation key to carry out encrypted data transmission, so that encrypted data transmission is ensured, and sensitive information leakage such as passwords and the like is avoided.
And 306, issuing the password information to the password acceleration hardware so that the password acceleration hardware accelerates the encryption/decryption process based on the password information.
After the validity verification of the proof information aiming at the cloud server is passed, the client can send the password information to the password acceleration hardware through the secure transmission channel to carry out acceleration processing of the encryption/decryption process.
The process of encrypting/decrypting the password information by the password acceleration hardware can refer to the related technology of the related password acceleration hardware for processing the password information, and the invention is not repeated.
The above-described password acceleration method based on password acceleration hardware is further explained by a specific embodiment in conjunction with fig. 4.
Fig. 4 is a flowchart of a cryptographic acceleration method based on cryptographic acceleration hardware according to an exemplary embodiment. As shown in fig. 4, the cloud server is equipped with password acceleration hardware having a secure memory for storing certification information, key information, and device information. The cloud server may send the device information to the attestation server in advance to generate attestation information based on the device information in advance by the attestation server and issue the attestation information to the cloud server (402), and the cloud server may also generate locally generated attestation information based on the device information. The cloud server can store the proving information into a secure memory of the password acceleration hardware for secure storage, and the proving information is managed by a corresponding proving information management subsystem. The certification server may generate certification information in advance and issue the certification information to the cloud server (402), where the certification information may be a certification certificate generated based on a hardware unique feature identification code of the cloud server, and the cloud server may store the certification information in a secure memory in password acceleration hardware carried by the cloud server. When the client needs to prove the validity of the cloud server running environment, a remote proving request can be initiated to the cloud server (404), after the cloud server receives the remote proving request, proving information can be issued to the client so that the client can verify the proving information (406), the client receives the proving information, and the proving server can initiate verification of the proving information (408) and the cloud server. When the client initiates verification of the certification information to the certification server, the certification server can verify the certification information and issue a certification result to the client. When the client initiates verification of the certification information to the cloud server, the cloud can verify the certification information, and issue a verification result until the client passes the validity verification, and the client can transmit corresponding password information through the secure transmission channel to perform encryption/decryption processing (410).
Fig. 5 is a schematic structural diagram of a cloud server according to an exemplary embodiment. Referring to fig. 5, at the hardware level, the device includes a processor 502, an internal bus 504, a network interface 506, a memory 508, and a non-volatile storage 510, although other tasks may be performed by the device. One or more embodiments of the present description may be implemented in a software-based manner, such as by the processor 502 reading a corresponding computer program from the non-volatile storage 510 into the memory 508 and then running. Of course, in addition to software implementation, one or more embodiments of the present disclosure do not exclude other implementation manners, such as a logic device or a combination of software and hardware, etc., that is, the execution subject of the following processing flow is not limited to each logic unit, but may also be hardware or a logic device.
Referring to fig. 6, fig. 6 is a block diagram of a cryptographic acceleration apparatus based on cryptographic acceleration hardware according to an exemplary embodiment.
Data issuing unit 602: the remote verification system is used for responding to a remote verification request sent by a client, and sending the certification information to the client so that the client can perform validity verification on the certification information;
information transmission unit 604: the password information is used for receiving the password information transmitted by the client through a secure transmission channel between the client and the client after the certification information passes the validity verification;
acceleration processing unit 606: and the password information is issued to the password acceleration hardware, so that the password acceleration hardware accelerates the encryption/decryption process based on the password information.
Optionally, the cryptographic acceleration hardware includes a cryptographic coprocessor.
Optionally, the cryptographic coprocessor is a cryptographic coprocessor integrated on a processor carried by the cloud server; or the password coprocessor is a password coprocessor peripheral which is in butt joint with the processor carried by the cloud server.
Optionally, the secure memory comprises a programmable memory that restricts access by hardware and/or software other than the cryptographic acceleration hardware.
Optionally, the secure memory comprises a cryptographically secured secure memory.
Optionally, the password acceleration device based on the password acceleration hardware may further have a certificate generation unit, specifically configured to transmit the device information to the proving server through a secure transmission channel with a third party proving server, so that the proving server generates the proving information based on the device information; receiving the proving information transmitted by the proving server through the safety transmission channel, and transmitting the proving information to a safety memory carried by the password acceleration hardware for storage; or, the certification information is generated locally based on the device information, and the generated certification information is stored in a secure memory mounted on the password acceleration hardware.
Optionally, the device information includes a unique feature code of the cloud server.
Optionally, the password acceleration device based on the password acceleration hardware may further have a key negotiation unit for negotiating a negotiation key for establishing a secure channel with the client;
and establishing a secure transmission channel between the client and the client based on the negotiation key.
Optionally, the secure memory further stores a seed key for generating the negotiation key pair; the negotiation key pair comprises a negotiation public key and a negotiation private key; the key negotiation unit is further used for generating a first negotiation certificate according to the negotiation public key, and transmitting the first negotiation certificate to the client so that the client transmits a locally generated second negotiation certificate;
and calculating a negotiation key for establishing a secure channel according to the first negotiation certificate and the second negotiation certificate.
Optionally, the attestation information includes an attestation certificate generated based on a public key of a key pair created by the device information.
Optionally, the cloud server comprises a bare metal server.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. A typical implementation device is a computer, which may be in the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, read only compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by the computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The terminology used in the one or more embodiments of the specification is for the purpose of describing particular embodiments only and is not intended to be limiting of the one or more embodiments of the specification. As used in this specification, one or more embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in one or more embodiments of the present description to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "responsive to a determination", depending on the context.
The foregoing description of the preferred embodiment(s) is (are) merely intended to illustrate the embodiment(s) of the present invention, and it is not intended to limit the embodiment(s) of the present invention to the particular embodiment(s) described.
Claims (14)
1. The password acceleration method based on the password acceleration hardware is applied to a cloud server, the cloud server comprises the password acceleration hardware, and a safety memory on the password acceleration hardware stores proving information and equipment information of the cloud server, wherein the proving information is used for proving the legality of an operation environment of the cloud server; the device information is used for generating the proving information, and the method comprises the following steps:
transmitting the device information to a third party proving server through a secure transmission channel between the device information and the third party proving server, so that the proving server generates the proving information based on the device information; receiving the proving information transmitted by the proving server through the secure transmission channel, and transmitting the proving information to a secure memory on the password acceleration hardware for storage;
responding to a remote verification request sent by a client, and sending the certification information to the client so that the client sends the certification information to a third party certification server to verify the legality of the certification information by the third party certification server;
after the certification information passes the validity verification, the password information transmitted by the client through a secure transmission channel with the client is received;
and sending the password information to the password acceleration hardware so that the password acceleration hardware accelerates the encryption/decryption process based on the password information.
2. The method of claim 1, the cryptographic acceleration hardware comprising a cryptographic coprocessor.
3. The method of claim 2, the cryptographic coprocessor being a cryptographic coprocessor integrated on a processor hosted by the cloud server; or the password coprocessor is a password coprocessor peripheral which is in butt joint with the processor carried by the cloud server.
4. The method of claim 1, the secure memory comprising programmable memory that restricts access by hardware and/or software other than the cryptographic acceleration hardware.
5. The method of claim 1, the secure memory comprising cryptographically secured secure memory.
6. The method of claim 1, the method further comprising:
and generating the proving information locally based on the equipment information, and storing the generated proving information in a secure memory on the password acceleration hardware.
7. The method of claim 1, the device information comprising a unique feature code of the cloud server.
8. The method of claim 1, the method further comprising:
negotiating a negotiation key for establishing a secure channel with the client;
and establishing a secure transmission channel between the client and the client based on the negotiation key.
9. The method of claim 8, the secure memory further storing a seed key for generating a negotiation key pair; the negotiation key pair comprises a negotiation public key and a negotiation private key;
negotiating a negotiation key for establishing a secure channel with the client, comprising:
generating a first negotiation certificate according to the negotiation public key, and transmitting the first negotiation certificate to the client so that the client transmits a locally generated second negotiation certificate;
and calculating a negotiation key for establishing a secure channel according to the first negotiation certificate and the second negotiation certificate.
10. The method of claim 1, the attestation information comprising an attestation certificate generated based on a public key of a key pair created by the device information.
11. The method of any of claims 1-10, the cloud server comprising a bare metal server.
12. The password acceleration device based on the password acceleration hardware is applied to a cloud server, the cloud server comprises the password acceleration hardware, and a safety memory on the password acceleration hardware stores proving information and equipment information of the cloud server, wherein the proving information is used for proving the legality of an operation environment of the cloud server; the device information is used for generating the proving information, and the apparatus comprises:
a certification information generation unit: for transmitting the device information to a third party attestation server through a secure transmission channel with the attestation server to cause the attestation server to generate the attestation information based on the device information;
a certification information transmission unit: the secure transmission channel is used for receiving the certification information transmitted by the certification server and transmitting the certification information to the secure memory on the password acceleration hardware for storage;
a data issuing unit: the remote verification server is used for responding to a remote verification request sent by a client, sending the certification information to the client, and enabling the client to send the certification information to a third party certification server so as to verify the legality of the certification information by the third party certification server;
an information transmission unit: the password information is used for receiving the password information transmitted by the client through a secure transmission channel between the client and the client after the certification information passes the validity verification;
acceleration processing unit: and the password information is issued to the password acceleration hardware, so that the password acceleration hardware accelerates the encryption/decryption process based on the password information.
13. A cryptographic coprocessor, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to implement the method of any of claims 1-11 by executing the executable instructions.
14. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method of any of claims 1-11.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210457729.6A CN114866409B (en) | 2022-04-27 | 2022-04-27 | Password acceleration method and device based on password acceleration hardware |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210457729.6A CN114866409B (en) | 2022-04-27 | 2022-04-27 | Password acceleration method and device based on password acceleration hardware |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114866409A CN114866409A (en) | 2022-08-05 |
| CN114866409B true CN114866409B (en) | 2024-03-26 |
Family
ID=82634046
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210457729.6A Active CN114866409B (en) | 2022-04-27 | 2022-04-27 | Password acceleration method and device based on password acceleration hardware |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114866409B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104811450A (en) * | 2015-04-22 | 2015-07-29 | 电子科技大学 | Data storage method based on identity in cloud computing and integrity verification method based on identity in cloud computing |
| CN106454528A (en) * | 2015-08-07 | 2017-02-22 | 阿里巴巴集团控股有限公司 | Service processing method based on trusted execution environment and client side |
| CN110581829A (en) * | 2018-06-08 | 2019-12-17 | 中国移动通信集团有限公司 | Communication method and device |
| CN111614637A (en) * | 2020-05-08 | 2020-09-01 | 郑州信大捷安信息技术股份有限公司 | Secure communication method and system based on software cryptographic module |
| CN111800378A (en) * | 2020-05-21 | 2020-10-20 | 视联动力信息技术股份有限公司 | Login authentication method, device, system and storage medium |
| CN113098833A (en) * | 2020-01-08 | 2021-07-09 | 北京新能源汽车股份有限公司 | Information safety control method of vehicle, client device and server device |
| CN113204760A (en) * | 2021-05-20 | 2021-08-03 | 郑州信大捷安信息技术股份有限公司 | Method and system for establishing secure channel for software cryptographic module |
| WO2021227879A1 (en) * | 2020-05-09 | 2021-11-18 | 杭州海康威视数字技术股份有限公司 | Password recovery method and system, and cloud server and electronic device |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2021113034A1 (en) * | 2019-12-05 | 2021-06-10 | Identité, Inc. | Full-duplex password-less authentication |
-
2022
- 2022-04-27 CN CN202210457729.6A patent/CN114866409B/en active Active
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104811450A (en) * | 2015-04-22 | 2015-07-29 | 电子科技大学 | Data storage method based on identity in cloud computing and integrity verification method based on identity in cloud computing |
| CN106454528A (en) * | 2015-08-07 | 2017-02-22 | 阿里巴巴集团控股有限公司 | Service processing method based on trusted execution environment and client side |
| CN110581829A (en) * | 2018-06-08 | 2019-12-17 | 中国移动通信集团有限公司 | Communication method and device |
| CN113098833A (en) * | 2020-01-08 | 2021-07-09 | 北京新能源汽车股份有限公司 | Information safety control method of vehicle, client device and server device |
| CN111614637A (en) * | 2020-05-08 | 2020-09-01 | 郑州信大捷安信息技术股份有限公司 | Secure communication method and system based on software cryptographic module |
| WO2021227879A1 (en) * | 2020-05-09 | 2021-11-18 | 杭州海康威视数字技术股份有限公司 | Password recovery method and system, and cloud server and electronic device |
| CN111800378A (en) * | 2020-05-21 | 2020-10-20 | 视联动力信息技术股份有限公司 | Login authentication method, device, system and storage medium |
| CN113204760A (en) * | 2021-05-20 | 2021-08-03 | 郑州信大捷安信息技术股份有限公司 | Method and system for establishing secure channel for software cryptographic module |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114866409A (en) | 2022-08-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN113221169B (en) | Method and device for inquiring block chain private data | |
| CN111541785B (en) | Block chain data processing method and device based on cloud computing | |
| CN110580414B (en) | Private data query method and device based on block chain account | |
| CN110580418B (en) | Private data query method and device based on block chain account | |
| CN110992027B (en) | Efficient transaction method and device for realizing privacy protection in block chain | |
| CN110580262B (en) | Private data query method and device based on intelligent contract | |
| WO2021184973A1 (en) | External data accessing method and device | |
| CN110580413B (en) | Private data query method and device based on down-link authorization | |
| CN110580412B (en) | Permission query configuration method and device based on chain codes | |
| CN110580245B (en) | Private data sharing method and device | |
| CN110580417B (en) | Private data query method and device based on intelligent contract | |
| CN110264192B (en) | Receipt storage method and node based on transaction type | |
| CN113285802B (en) | Key agreement method and device based on FPGA | |
| CN110580411B (en) | Permission query configuration method and device based on intelligent contract | |
| CN110716728B (en) | Credible updating method and device for FPGA (field programmable Gate array) logic | |
| EP4245015A1 (en) | Secure digital signing | |
| CN110716724B (en) | Method and device for realizing privacy block chain based on FPGA | |
| CN112927077B (en) | Method and device for realizing contract calling based on FPGA | |
| CN114866409B (en) | Password acceleration method and device based on password acceleration hardware |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |