CN115544583B - Data processing method and device of server cipher machine - Google Patents
- Publication number
- CN115544583B (application CN202211221429.4A)
- Authority
- CN
- China
- Prior art keywords
- key
- data
- encryption
- decryption
- judging whether
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Abstract
The method comprises: performing a random-number and algorithm self-check and, once it succeeds, a pre-operation integrity check; after the integrity check succeeds, reading the key protection and key component file and sending it to the algorithm card; synthesizing the key protection and key decryption file, verifying the user UKey information, and performing startup user authentication; determining the key management category: for key deletion, executing the key deletion flow; for key generation, executing the key generation flow; for key import, executing the key import flow; and receiving a user encryption/decryption request: determining whether the key is an internal key; if so, obtaining the key index number and determining whether the key is an asymmetric key; if so, determining whether the data is encrypted; and if so, obtaining the private-key authorization code and decrypting the data. The invention can provide cryptographic services and key management to multiple application entities independently or in parallel, and ensures authentication of business entities and the confidentiality, integrity and non-repudiation of data.
Description
Technical Field
The invention belongs to the technical field of computer security, and particularly relates to a data processing method and device of a server cipher machine.
Background
The server cipher machine is a server-side device for cryptographic operations that provides general cryptographic service functions such as key generation, digital signature, signature verification, data encryption and data decryption. The device can provide cryptographic operations and key management to multiple application entities independently or in parallel.
The server cipher machine can provide asymmetric and symmetric data encryption and decryption, integrity checking, true random number generation, key generation and management, and other services for various applications, and ensures the confidentiality, authenticity, integrity and validity of user data. The cipher machine can independently provide high-performance data encryption and decryption services for application systems, and can also serve as the main cryptographic device and core component of systems such as identity authentication systems and key management systems, so it has wide application potential.
A cryptographic algorithm uses a key to encrypt plaintext or decrypt ciphertext. Conventional general-purpose cryptographic algorithms, while rich and diverse and capable of generating a variety of keys, do not provide integrity checking, privacy checking or unified management of keys. They are limited in key management and random number generation, and most are software implementations with a significant performance bottleneck. How to achieve integrity checking, privacy checking and unified management of keys is therefore of practical significance.
Disclosure of Invention
Therefore, the invention provides a data processing method and device for a server cipher machine that can verify the privacy and integrity of keys and fully ensure the security of the device and of system data.
To achieve the above object, the invention provides the following technical solution: a data processing method of a server cipher machine, comprising:
performing a random-number and algorithm self-check; if the self-check succeeds, performing a pre-operation integrity check; if the pre-operation integrity check succeeds, reading the key protection and key component file and sending it to the algorithm card; synthesizing the key protection and key decryption file, verifying the user UKey information, and performing startup user authentication;
determining the key management category, which is one of key deletion, key generation and key import; for key deletion, executing the key deletion flow; for key generation, executing the key generation flow; for key import, executing the key import flow;
receiving a user encryption/decryption request:
a) determining whether the key is an internal key; if it is not an internal key: a1) determining whether the key is an asymmetric key and, if it is, obtaining the public key information and encrypting the data;
b) if the key is an internal key, obtaining the key index number and: b1) determining whether the key is an asymmetric key; if it is: b11) determining whether the data is encrypted and, if it is, obtaining the private-key authorization code and decrypting the data.
As a preferred scheme of the data processing method of the server cipher machine, in the key deletion flow, the key type and key index are obtained, and the key file is overwritten with all 0s or all 1s, thereby deleting the key file.
In the key generation flow, the key type and key index are obtained and it is determined whether the key is an asymmetric key; if it is, a pairwise consistency check is performed; if the pairwise consistency check passes, the key is generated and stored in encrypted form; if the check does not pass, a generation-failure message is returned.
In the key import flow, the key type and key index are obtained, and the key protection file is obtained and decrypted; if decryption succeeds, the key is generated and stored in encrypted form; if decryption fails, an import-failure message is returned.
As a preferred scheme of the data processing method of the server cipher machine, step a) further includes: a2) determining whether the key is an asymmetric key and, if it is not, generating or importing a session key, obtaining a key handle, and performing the encryption or decryption operation on the data.
As a preferred scheme of the data processing method of the server cipher machine, step b) further includes: b2) determining whether the key is an asymmetric key and, if it is not, performing the encryption or decryption operation on the data;
step b1) further includes: b12) determining whether the data is encrypted and, if it is not, encrypting the data.
The invention also provides a data processing device of a server cipher machine, comprising:
a startup authentication self-check module, used for performing a random-number and algorithm self-check; if the self-check succeeds, performing a pre-operation integrity check; if the pre-operation integrity check succeeds, reading the key protection and key component file and sending it to the algorithm card; synthesizing the key protection and key decryption file, verifying the user UKey information, and performing startup user authentication;
a key management module, used for determining the key management category, which is one of key deletion, key generation and key import; for key deletion, executing the key deletion flow; for key generation, executing the key generation flow; for key import, executing the key import flow;
a data encryption and decryption module, used for receiving a user encryption/decryption request:
a) determining whether the key is an internal key; if it is not an internal key: a1) determining whether the key is an asymmetric key and, if it is, obtaining the public key information and encrypting the data;
b) if the key is an internal key, obtaining the key index number and: b1) determining whether the key is an asymmetric key; if it is: b11) determining whether the data is encrypted and, if it is, obtaining the private-key authorization code and decrypting the data.
As a preferred scheme of the data processing device of the server cipher machine, key deletion in the key management module comprises obtaining the key type and key index and overwriting the key file with all 0s or all 1s, thereby deleting the key file.
Key generation in the key management module comprises obtaining the key type and key index and determining whether the key is an asymmetric key; if it is, a pairwise consistency check is performed; if the pairwise consistency check passes, the key is generated and stored in encrypted form; if the check does not pass, a generation-failure message is returned.
As a preferred scheme of the data processing device of the server cipher machine, key import in the key management module comprises obtaining the key type and key index, and obtaining and decrypting the key protection file; if decryption succeeds, the key is generated and stored in encrypted form; if decryption fails, an import-failure message is returned.
As a preferred scheme of the data processing device of the server cipher machine, a) of the data encryption and decryption module further includes: a2) determining whether the key is an asymmetric key and, if it is not, generating or importing a session key, obtaining a key handle, and performing the encryption or decryption operation on the data.
As a preferred scheme of the data processing device of the server cipher machine, b) of the data encryption and decryption module further includes: b2) determining whether the key is an asymmetric key and, if it is not, performing the encryption or decryption operation on the data;
b1) of the data encryption and decryption module further includes: b12) determining whether the data is encrypted and, if it is not, encrypting the data.
The invention has the following advantages. A random-number and algorithm self-check is performed; if it succeeds, a pre-operation integrity check is performed; if that succeeds, the key protection and key component file is read and sent to the algorithm card; the key protection and key decryption file is synthesized, the user UKey information is verified, and startup user authentication is performed. The key management category, which is one of key deletion, key generation and key import, is determined, and the corresponding key deletion, key generation or key import flow is executed. On receiving a user encryption/decryption request, it is determined whether the key is an internal key. If it is not, it is determined whether the key is an asymmetric key and, if it is, the public key information is obtained and the data is encrypted. If the key is an internal key, the key index number is obtained and it is determined whether the key is an asymmetric key; if it is, it is determined whether the data is encrypted and, if it is, the private-key authorization code is obtained and the data is decrypted. The invention can provide cryptographic services and key management to multiple application entities independently or in parallel, and ensures entity authentication for critical business and the confidentiality, integrity and non-repudiation of data. Keys are protected by a layered protection mechanism, and key generation cannot be interfered with by any designer, operator or user, so the security of the product is ensured at a fundamental level.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It will be apparent to those skilled in the art from this disclosure that the drawings described below are merely exemplary and that other embodiments may be derived from the drawings provided without undue effort.
The structures, proportions, sizes, etc. shown in the present specification are shown only for the purposes of illustration and description, and are not intended to limit the scope of the invention, which is defined by the claims, so that any structural modifications, changes in proportions, or adjustments of sizes, which do not affect the efficacy or the achievement of the present invention, should fall within the scope of the invention.
FIG. 1 is a schematic flow chart of a data processing method of a server cryptographic engine according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a boot authentication self-test in a data processing method of a server cryptographic engine according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of key generation management in a data processing method of a server cryptographic engine according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of data encryption and decryption in a data processing method of a server cryptographic engine according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a data processing apparatus of a server cryptographic engine according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a hardware architecture of a data processing device of a server cryptographic engine according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a software architecture of a data processing apparatus of a server cryptographic engine according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an application scenario of a data processing apparatus of a server cryptographic engine according to an embodiment of the present invention.
Detailed Description
Other advantages and effects of the present invention will become apparent to those skilled in the art from the following detailed description, which describes some, but not all, embodiments of the invention. All other embodiments that those skilled in the art can derive from these embodiments without inventive effort fall within the scope of the invention.
A cryptographic algorithm uses a key to encrypt plaintext or decrypt ciphertext. Conventional general-purpose cryptographic algorithms, while rich and diverse and capable of generating a variety of keys, do not provide integrity checking, privacy checking or unified management of keys. They are limited in key management and random number generation, and most are software implementations with a significant performance bottleneck.
In view of the above, the embodiments of the present invention provide a data processing method and apparatus for a server cryptographic engine, so as to provide a key management function for generating, checking and encrypting a key, and finally realize checking of privacy and integrity of the key; and a unified chip-level hardware encryption and decryption algorithm interface is provided, so that the performance of the cryptographic algorithm is improved.
Referring to FIGS. 1, 2, 3 and 4, this embodiment provides a data processing method of a server cipher machine, which specifically includes the following steps:
S1, performing a random-number and algorithm self-check; if the self-check succeeds, performing a pre-operation integrity check; if the pre-operation integrity check succeeds, reading the key protection and key component file and sending it to the algorithm card; synthesizing the key protection and key decryption file, verifying the user UKey information, and performing startup user authentication;
S2, determining the key management category, which is one of key deletion, key generation and key import; for key deletion, executing the key deletion flow; for key generation, executing the key generation flow; for key import, executing the key import flow;
S3, receiving a user encryption/decryption request:
a) determining whether the key is an internal key; if it is not an internal key: a1) determining whether the key is an asymmetric key and, if it is, obtaining the public key information and encrypting the data;
b) if the key is an internal key, obtaining the key index number and: b1) determining whether the key is an asymmetric key; if it is: b11) determining whether the data is encrypted and, if it is, obtaining the private-key authorization code and decrypting the data.
Specifically, after the device is powered on, it performs the random-number and algorithm self-check; after the self-check succeeds, it performs the pre-operation integrity check; after the integrity check succeeds, it reads the key protection and key component file and sends it to the algorithm card, then synthesizes the key protection and key decryption file, verifies the user UKey information, and performs startup user authentication. If the random-number and algorithm self-check fails, or the pre-operation integrity check fails, or the startup user authentication fails, the device enters an error state and does not work. Only if the random-number and algorithm self-check, the pre-operation integrity check and the startup user authentication all succeed does the device start working.
Random-number and algorithm self-checks and pre-operation integrity checks are established techniques, and key protection and key components are common concepts in the field of cryptography.
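The fail-closed startup sequence described above, as an added example that is not code from the patent: each check must pass in order, and the first failure (or exception) leaves the device in the error state. SHA-256 stands in for the device's SM3/SM4 known-answer tests, the random-number test is a simplified health check, and `load_key_components` and `ukey_ok` are hypothetical callbacks for the device-specific steps.

```python
import hashlib
import hmac
import os
from enum import Enum


class State(Enum):
    ERROR = "error"   # device refuses all cryptographic service
    READY = "ready"   # every startup check passed


# Known-answer vector SHA-256("abc") from FIPS 180-4; an assumed stand-in
# for the device's own SM3/SM4 known-answer tests.
KAT_INPUT = b"abc"
KAT_DIGEST = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def random_self_check(sample: bytes) -> bool:
    """Simplified health test on raw RNG output: bit balance and stuck output."""
    if len(sample) < 256:
        return False
    bits = len(sample) * 8
    ones = sum(bin(b).count("1") for b in sample)
    # The ones count of an unbiased source has standard deviation sqrt(bits)/2.
    if abs(ones - bits / 2) > 4 * (bits ** 0.5) / 2:
        return False
    run = longest = 1
    for prev, cur in zip(sample, sample[1:]):
        run = run + 1 if prev == cur else 1
        longest = max(longest, run)
    return longest < 5   # five identical bytes in a row: treat source as stuck


def algorithm_self_check(hash_fn=hashlib.sha256) -> bool:
    """Known-answer test: the algorithm must reproduce a published vector."""
    return hmac.compare_digest(hash_fn(KAT_INPUT).hexdigest(), KAT_DIGEST)


def integrity_check(image: bytes, expected_digest: str) -> bool:
    """Pre-operation integrity check of the software image against a reference digest."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_digest.lower())


def startup(image, expected_digest, load_key_components, ukey_ok,
            rng=os.urandom, hash_fn=hashlib.sha256):
    """Run the startup chain in order; return (state, name of the failed step)."""
    steps = [
        ("random-number self-check", lambda: random_self_check(rng(2048))),
        ("algorithm self-check", lambda: algorithm_self_check(hash_fn)),
        ("pre-operation integrity check",
         lambda: integrity_check(image, expected_digest)),
        ("key component loading", load_key_components),
        ("startup user authentication", ukey_ok),
    ]
    for name, step in steps:
        try:
            passed = bool(step())
        except Exception:
            passed = False   # an exception in a check is a failed check
        if not passed:
            return State.ERROR, name
    return State.READY, None
```

Key material is only touched after the self-checks and the integrity check have passed, which is the ordering the description requires.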
In this embodiment, in the key deletion flow, the key type and key index are obtained, and the key file is overwritten with all 0s or all 1s, thereby deleting the key file. In the key generation flow, the key type and key index are obtained and it is determined whether the key is an asymmetric key; if it is, a pairwise consistency check is performed; if the pairwise consistency check passes, the key is generated and stored in encrypted form; if the check does not pass, a generation-failure message is returned. In the key import flow, the key type and key index are obtained, and the key protection file is obtained and decrypted; if decryption succeeds, the key is generated and stored in encrypted form; if decryption fails, an import-failure message is returned.
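The key deletion flow above, as an added example that is not code from the patent: the key type and index are validated before they are turned into a path, the file is overwritten in place with all 0s or all 1s, the write is flushed and read back, and only then is the file unlinked. The file naming scheme, `KEY_TYPES` and `MAX_INDEX` are hypothetical.

```python
import os

KEY_TYPES = {"sym", "asym"}   # hypothetical key type names
MAX_INDEX = 1023              # hypothetical size of the key table


def key_path(store_dir: str, key_type: str, index: int) -> str:
    """Map (key type, key index) to a file, rejecting anything path-like."""
    if key_type not in KEY_TYPES:
        raise ValueError("unknown key type")
    if isinstance(index, bool) or not isinstance(index, int):
        raise ValueError("key index must be an integer")
    if not 0 <= index <= MAX_INDEX:
        raise ValueError("key index out of range")
    return os.path.join(store_dir, f"{key_type}_{index:04d}.key")


def overwrite_key_file(path: str, pattern: int = 0x00) -> int:
    """Overwrite the file in place with all 0s (0x00) or all 1s (0xFF).

    Returns the number of bytes overwritten. The file is opened without
    truncation so the existing blocks are rewritten, and symbolic links
    are refused where the platform supports O_NOFOLLOW.
    """
    if pattern not in (0x00, 0xFF):
        raise ValueError("pattern must be 0x00 or 0xFF")
    fd = os.open(path, os.O_RDWR | getattr(os, "O_NOFOLLOW", 0))
    try:
        size = os.fstat(fd).st_size
        block = bytes([pattern]) * 4096
        written = 0
        while written < size:
            written += os.write(fd, block[: min(len(block), size - written)])
        os.fsync(fd)                      # push the overwrite to the device
        os.lseek(fd, 0, os.SEEK_SET)      # read back and verify every byte
        left = size
        while left:
            chunk = os.read(fd, min(4096, left))
            if not chunk or chunk != bytes([pattern]) * len(chunk):
                raise OSError("overwrite verification failed")
            left -= len(chunk)
        return size
    finally:
        os.close(fd)


def delete_key(store_dir: str, key_type: str, index: int, pattern: int = 0x00) -> int:
    """Key deletion flow: resolve the file, overwrite it, then remove it."""
    path = key_path(store_dir, key_type, index)
    size = overwrite_key_file(path, pattern)
    os.unlink(path)
    return size
```

On flash storage and on journaling or copy-on-write filesystems an in-place overwrite may not reach every physical copy of the old data, which is one reason to keep key files encrypted at rest as the generation and import flows do.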
In this embodiment, with reference to FIG. 4, step a) further includes: a2) determining whether the key is an asymmetric key and, if it is not, generating or importing a session key, obtaining a key handle, and performing the encryption or decryption operation on the data. Step b) further includes: b2) determining whether the key is an asymmetric key and, if it is not, performing the encryption or decryption operation on the data. Step b1) further includes: b12) determining whether the data is encrypted and, if it is not, encrypting the data.
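The branches a1, a2, b11, b12 and b2 of step S3 laid out as one routing function, as an added example that is not code from the patent. It shows that only branch b11 uses an internal private key and that this branch is gated on the private-key authorization code. Storing the code as a salted PBKDF2 hash and rejecting ciphertext on branch a1 are assumptions of this example, and all names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000   # assumed work factor for this example


@dataclass(frozen=True)
class Request:
    internal_key: bool                 # key is stored inside the cipher machine
    asymmetric: bool                   # key is an asymmetric key
    data_encrypted: bool               # input data is ciphertext
    key_index: Optional[int] = None    # required for internal keys
    auth_code: Optional[str] = None    # private-key authorization code


def enroll_auth_code(code: str) -> Tuple[bytes, bytes]:
    """Create the stored record (salt, hash) for an authorization code."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def auth_code_ok(code: Optional[str], record: Optional[Tuple[bytes, bytes]]) -> bool:
    """Constant-time comparison of the presented code against the stored record."""
    if code is None or record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def route(req: Request, auth_records: Dict[int, Tuple[bytes, bytes]]) -> Tuple[str, str]:
    """Return (branch, action) for a request, following steps a) and b)."""
    if not req.internal_key:
        if req.asymmetric:
            if req.data_encrypted:
                # The page describes only public-key encryption on this branch.
                raise ValueError("external asymmetric key: encryption only")
            return "a1", "obtain public key information and encrypt the data"
        return "a2", "generate or import session key, obtain key handle, encrypt/decrypt"
    if req.key_index is None:
        raise ValueError("internal key requires a key index number")
    if not req.asymmetric:
        return "b2", "encrypt/decrypt the data with the internal symmetric key"
    if req.data_encrypted:
        if not auth_code_ok(req.auth_code, auth_records.get(req.key_index)):
            raise PermissionError("private-key authorization code rejected")
        return "b11", "decrypt the data with the internal private key"
    return "b12", "encrypt the data"
```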
In summary, the present application performs a random-number and algorithm self-check; if it succeeds, performs a pre-operation integrity check; if that succeeds, reads the key protection and key component file and sends it to the algorithm card; synthesizes the key protection and key decryption file, verifies the user UKey information, and performs startup user authentication. It determines the key management category, which is one of key deletion, key generation and key import, and executes the corresponding key deletion, key generation or key import flow. On receiving a user encryption/decryption request, it determines whether the key is an internal key. If it is not, it determines whether the key is an asymmetric key and, if it is, obtains the public key information and encrypts the data. If the key is an internal key, it obtains the key index number and determines whether the key is an asymmetric key; if it is, it determines whether the data is encrypted and, if it is, obtains the private-key authorization code and decrypts the data. In the key deletion flow, the key type and key index are obtained, and the key file is overwritten with all 0s or all 1s, thereby deleting the key file. In the key generation flow, the key type and key index are obtained and it is determined whether the key is an asymmetric key; if it is, a pairwise consistency check is performed; if the pairwise consistency check passes, the key is generated and stored in encrypted form; if the check does not pass, a generation-failure message is returned.
In the key import flow, the key type and key index are obtained, and the key protection file is obtained and decrypted; if decryption succeeds, the key is generated and stored in encrypted form; if decryption fails, an import-failure message is returned. The invention can provide cryptographic services and key management to multiple application entities independently or in parallel, and ensures entity authentication for critical business and the confidentiality, integrity and non-repudiation of data. Keys are protected by a layered protection mechanism, and key generation cannot be interfered with by any designer, operator or user, so the security of the product is ensured at a fundamental level.
Referring to FIG. 5, based on the same inventive concept and corresponding to the method of any of the above embodiments, an embodiment of the present application further provides a data processing device of a server cipher machine, including:
the startup authentication self-check module 1, used for performing a random-number and algorithm self-check; if the self-check succeeds, performing a pre-operation integrity check; if the pre-operation integrity check succeeds, reading the key protection and key component file and sending it to the algorithm card; synthesizing the key protection and key decryption file, verifying the user UKey information, and performing startup user authentication;
the key management module 2, used for determining the key management category, which is one of key deletion, key generation and key import; for key deletion, executing the key deletion flow; for key generation, executing the key generation flow; for key import, executing the key import flow;
the data encryption and decryption module 3, used for receiving a user encryption/decryption request:
a) determining whether the key is an internal key; if it is not an internal key: a1) determining whether the key is an asymmetric key and, if it is, obtaining the public key information and encrypting the data;
b) if the key is an internal key, obtaining the key index number and: b1) determining whether the key is an asymmetric key; if it is: b11) determining whether the data is encrypted and, if it is, obtaining the private-key authorization code and decrypting the data.
In this embodiment, key deletion in the key management module 2 comprises obtaining the key type and key index and overwriting the key file with all 0s or all 1s, thereby deleting the key file. Key generation in the key management module 2 comprises obtaining the key type and key index and determining whether the key is an asymmetric key; if it is, a pairwise consistency check is performed; if the pairwise consistency check passes, the key is generated and stored in encrypted form; if the check does not pass, a generation-failure message is returned. Key import in the key management module 2 comprises obtaining the key type and key index, and obtaining and decrypting the key protection file; if decryption succeeds, the key is generated and stored in encrypted form; if decryption fails, an import-failure message is returned.
In this embodiment, a) of the data encryption and decryption module 3 further includes: a2) determining whether the key is an asymmetric key and, if it is not, generating or importing a session key, obtaining a key handle, and performing the encryption or decryption operation on the data. b) of the data encryption and decryption module 3 further includes: b2) determining whether the key is an asymmetric key and, if it is not, performing the encryption or decryption operation on the data. b1) of the data encryption and decryption module 3 further includes: b12) determining whether the data is encrypted and, if it is not, encrypting the data.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in the same piece or pieces of software and/or hardware when implementing the present application.
The device of the foregoing embodiment is configured to implement the data processing method of the server crypto apparatus in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which is not described herein.
Referring to fig. 6, in the hardware of the embodiment of the present invention, a unified and standardized COMe bus standard and protocol are adopted to perform data interaction, and the hardware platform mainly comprises a CPU core board, an algorithm board and a communication carrier board; the standard design is followed, and the specifications of SM4 grouping key algorithm standard, SM2 digital signature algorithm standard, SM3 cipher hash algorithm standard, randomness detection specification, SM2 cipher algorithm use specification, cipher equipment application interface and the like are followed. The cryptographic service and key management functions can be independently or parallelly provided for a plurality of application entities by supporting SM1, SM2, SM3 and SM4 national cryptographic standard algorithms, and entity authentication and data confidentiality, integrity and non-repudiation of key services are ensured.
The embodiment of the invention fully considers the safety of the system and the equipment, and the safety design in each key link can fully ensure the safety of the equipment and the system data. The server cipher machine adopts cipher algorithm of national cipher standard, and the cipher chip hardware of national cipher certification realizes service encryption autonomously; the generated symmetric keys are all from WNG8 physical noise sources to generate random numbers, so that the randomness of the keys can be ensured to meet the standard requirements. The embodiment of the invention adopts a layered protection mechanism to protect the secret key, and the generation of the secret key is not interfered by any one of a designer, an operator and a user; the safety of the secret key and the key information stored in the system can be effectively protected, the internal stored data can be timely and reliably destroyed in emergency, and the safety of the system is guaranteed while the safety of the system is guaranteed; the operator identity is authenticated through the physical identity medium.
The software and hardware of the embodiment of the invention are of domestic design: the host CPU is a Loongson 3A3000 processor, the cryptographic operation component is an SSX1922 security chip, the authentication medium is an SJK1568-G smart cryptographic key, the physical noise source is a WNG8 chip, and the host operating system is the NeoKylin Advanced Server Operating System (Loongson 64-bit) V7.0.
Referring to fig. 7, the software of the embodiment of the present invention is divided hierarchically into two main parts: a client and a server. The client comprises a universal interface library and graphical configuration management software. The universal interface library is what a user calls to request cryptographic services, and the configuration management software provides functions such as parameter configuration, key operations and user registration for the cipher machine. The server comprises cryptographic service software, management service software and an algorithm interface library. The cryptographic service software interfaces with the client's universal interface library and processes cryptographic requests; the management service software interfaces with the configuration management software and processes device management requests; the algorithm interface library calls the algorithm module through the underlying driver in response to the cryptographic service operations of the upper-layer service software.
Referring to fig. 8, the device of the embodiment of the invention can serve as a basic cryptographic device in a Public Key Infrastructure (PKI) security system. It is suitable for the high-speed, multi-task, parallel cryptographic operations performed by various cryptographic security application systems, and meets application systems' requirements for data signature verification, encryption and decryption. One example of the use of an embodiment of the invention is as follows:
after the administrator generates a key through the management software, the CA, key management, security gateway or other service servers interact with the server cipher machine through the API of the client software to complete a cryptographic operation whenever one is needed.
While the invention has been described in detail in the foregoing general description and specific examples, it will be apparent to those skilled in the art that modifications and improvements can be made thereto. Accordingly, such modifications or improvements may be made without departing from the spirit of the invention and are intended to be within the scope of the invention as claimed.
Claims (6)
1. A data processing method of a server crypto-engine, comprising:
performing random number and algorithm self-checking, if the random number and algorithm self-checking is successful, performing integrity detection before operation, and if the integrity detection before operation is successful, reading key protection and sending a key component file into an algorithm card; synthesizing a key protection and key decryption file, verifying user ukey information, and executing startup user authentication;
judging a key management category, wherein the key management category comprises key deletion, key generation and key import; if the key is deleted, executing a key deleting process; if the key generation is performed, executing a key generation flow; if the key is imported, executing a key importing flow;
receiving a user encryption and decryption operation request:
a) judging whether the key is an internal key or not, if the key is not the internal key, a1) judging whether the key is an asymmetric key or not, if the key is the asymmetric key, obtaining public key information, and carrying out encryption processing on the data;
the step a) further comprises: a2) judging whether the key is an asymmetric key, if not, generating or importing a session key, acquiring a key handle, and performing encryption and decryption operation on the data;
b) if the key belongs to the internal key, acquiring a key index number, b1) judging whether the key belongs to the asymmetric key, if the key belongs to the asymmetric key, b11) judging whether the key is encrypted, if the key belongs to the encrypted data, acquiring a private key authorization code and decrypting the data;
step b) further comprises: b2) judging whether the data belong to an asymmetric key, and if not, performing encryption and decryption operation on the data;
step b1) further includes: b12) whether encryption is carried out or not is judged, and if the encryption is not carried out, the encryption operation is carried out on the data.
2. The method according to claim 1, wherein in the key deletion process, the key type and the key index are acquired, and the key file is overwritten with all 0s or all 1s, so that the key file is deleted.
3. The data processing method of a server cryptographic engine according to claim 1, wherein in the key generation flow, a key type and a key index are obtained, and whether the key is an asymmetric key is determined; if the key is an asymmetric key, a pairing consistency check is performed, and if the pairing consistency check is passed, the key is generated and stored in an encrypted manner; and if the pairing consistency test is not passed, generation failure information is returned.
4. The data processing method of a server cryptographic engine according to claim 1, wherein in the key import flow, a key type and a key index are obtained, a key protection file is obtained and decrypted, and if decryption is successful, a key is generated and stored in an encrypted manner; if the decryption fails, the import failure information is returned.
5. A data processing apparatus for a server cryptographic engine, comprising:
the startup authentication self-checking module is used for carrying out random number and algorithm self-checking, carrying out integrity detection before operation if the random number and algorithm self-checking are successful, and reading the key protection and sending the key component file into the algorithm card if the integrity detection before operation is successful; synthesizing a key protection and key decryption file, verifying user ukey information, and executing startup user authentication;
the key management module is used for judging a key management category, wherein the key management category comprises key deletion, key generation and key import; if the key is deleted, executing a key deleting process; if the key generation is performed, executing a key generation flow; if the key is imported, executing a key importing flow;
the data encryption and decryption module is used for receiving a user encryption and decryption operation request:
a) judging whether the key is an internal key or not, if the key is not the internal key, a1) judging whether the key is an asymmetric key or not, if the key is the asymmetric key, obtaining public key information, and carrying out encryption processing on the data;
the a) of the data encryption and decryption module further comprises: a2) judging whether the key is an asymmetric key, if not, generating or importing a session key, acquiring a key handle, and performing encryption and decryption operation on the data;
b) if the key belongs to the internal key, acquiring a key index number, b1) judging whether the key belongs to the asymmetric key, if the key belongs to the asymmetric key, b11) judging whether the key is encrypted, if the key belongs to the encrypted data, acquiring a private key authorization code and decrypting the data;
the b) of the data encryption and decryption module further comprises: b2) judging whether the data belong to an asymmetric key, and if not, performing encryption and decryption operation on the data;
the b1) of the data encryption and decryption module further comprises: b12) whether encryption is carried out or not is judged, and if the encryption is not carried out, the encryption operation is carried out on the data.
6. The data processing apparatus of claim 5, wherein the key deletion in the key management module comprises obtaining a key type and a key index, overwriting the key file with all 0s or all 1s, and deleting the key file;
the key generation in the key management module comprises the steps of obtaining a key type and a key index, judging whether the key is an asymmetric key, if so, carrying out pairing consistency test, and if the pairing consistency test passes, generating the key and encrypting and storing the key; if the pairing consistency test is not passed, returning generation failure information;
the key management module is used for importing the key, comprising the steps of obtaining the key type and the key index, obtaining a key protection file, decrypting, generating a key and encrypting and storing if the decryption is successful; if the decryption fails, the import failure information is returned.
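The key deletion flow of claims 2 and 6 (overwrite the key file with all 0s or all 1s, then delete it) can be sketched as follows. This is an added example, not code from the patent: the function names, the file path, and the read-back check before unlinking are assumptions, and the sample key bytes are constructed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Overwrite every byte with `fill` and flush to storage; 0 on success. */
int overwrite_key_file(const char *path, unsigned char fill) {
    unsigned char buf[4096];
    struct stat st;
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    memset(buf, fill, sizeof buf);
    for (off_t left = st.st_size; left > 0; ) {
        size_t want = left < (off_t)sizeof buf ? (size_t)left : sizeof buf;
        ssize_t n = write(fd, buf, want);
        if (n <= 0) { close(fd); return -1; }
        left -= n;
    }
    if (fsync(fd) != 0) { close(fd); return -1; }
    return close(fd);
}

/* Count bytes that still differ from `fill`; -1 if the file is unreadable. */
long residual_bytes(const char *path, unsigned char fill) {
    FILE *f = fopen(path, "rb");
    long bad = 0; int c;
    if (!f) return -1;
    while ((c = fgetc(f)) != EOF)
        if ((unsigned char)c != fill) bad++;
    fclose(f);
    return bad;
}

/* Claimed order: overwrite, then delete. The read-back check is an addition. */
int delete_key_file(const char *path, unsigned char fill) {
    if (fill != 0x00 && fill != 0xFF) return -1;  /* all 0s or all 1s only */
    if (overwrite_key_file(path, fill) != 0) return -1;
    if (residual_bytes(path, fill) != 0) return -1;
    return unlink(path);
}

int main(void) {
    const char *p = "sample_key.bin";  /* constructed sample, not a real key */
    FILE *f = fopen(p, "wb");
    if (!f || fwrite("constructed-key-bytes", 1, 21, f) != 21) return 1;
    fclose(f);
    return delete_key_file(p, 0xFF) == 0 ? 0 : 1;
}
```

The read-back check confirms the logical file content only. On flash media and on copy-on-write or journaling filesystems, an in-place overwrite does not guarantee that the previously written physical blocks are erased.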
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211221429.4A CN115544583B (en) | 2022-10-08 | 2022-10-08 | Data processing method and device of server cipher machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115544583A CN115544583A (en) | 2022-12-30 |
CN115544583B CN115544583B (en) | 2023-05-05 |
Family
ID=84731382
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211221429.4A Active CN115544583B (en) | 2022-10-08 | 2022-10-08 | Data processing method and device of server cipher machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115544583B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110765438A (en) * | 2019-10-24 | 2020-02-07 | 江苏云涌电子科技股份有限公司 | High-performance password card and working method thereof |
CN112000975A (en) * | 2020-10-28 | 2020-11-27 | 湖南天琛信息科技有限公司 | Key management system |
CN114372242A (en) * | 2021-12-22 | 2022-04-19 | 金蝶软件(中国)有限公司 | Ciphertext data processing method, authority management server and decryption server |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111585749B (en) * | 2016-10-26 | 2023-04-07 | 创新先进技术有限公司 | Data transmission method, device, system and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CB03 | Change of inventor or designer information | Inventor after: Bai Hongxia. Inventor before: Jia Lei; Bai Hongxia; Ma Na; Wang Haiyang |