CN116707806B - Password equipment management method and management platform - Google Patents
Password equipment management method and management platform Download PDFInfo
- Publication number
- CN116707806B CN116707806B CN202310996541.3A CN202310996541A CN116707806B CN 116707806 B CN116707806 B CN 116707806B CN 202310996541 A CN202310996541 A CN 202310996541A CN 116707806 B CN116707806 B CN 116707806B
- Authority
- CN
- China
- Prior art keywords
- secure channel
- message
- protocol
- password
- cryptographic device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000007726 management method Methods 0.000 title claims abstract description 104
- 230000003993 interaction Effects 0.000 claims abstract description 32
- 238000000034 method Methods 0.000 claims abstract description 26
- 238000012544 monitoring process Methods 0.000 claims abstract description 24
- 230000004044 response Effects 0.000 claims description 26
- 230000005540 biological transmission Effects 0.000 claims description 16
- 230000002452 interceptive effect Effects 0.000 claims description 10
- 238000005538 encapsulation Methods 0.000 claims description 7
- 230000008569 process Effects 0.000 claims description 4
- 238000012423 maintenance Methods 0.000 claims description 3
- 238000012986 modification Methods 0.000 claims description 3
- 230000004048 modification Effects 0.000 claims description 3
- 238000012795 verification Methods 0.000 claims description 3
- 238000007792 addition Methods 0.000 claims 2
- 238000012217 deletion Methods 0.000 claims 2
- 230000037430 deletion Effects 0.000 claims 2
- 238000004891 communication Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 3
- 238000012546 transfer Methods 0.000 description 3
- 239000000463 material Substances 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention discloses a password equipment management method and a management platform, wherein the method comprises the steps of carrying out information interaction with password equipment based on a security channel protocol and a predefined protocol message structure, and establishing a security channel and negotiating a session key; in the validity period of the secure channel, managing and monitoring the state of the managed object attribute corresponding to each cipher device based on the session key and a predefined protocol message structure; the method comprises the steps that a predefined protocol message structure comprises a message header, a message data part and a message signature part which are described by adopting a JSON object, and information packaged by the protocol message structure is management monitoring configuration parameters of the password equipment; the invention predefines the message structure of the REST style password equipment management protocol based on the HTTP protocol, improves the usability and compatibility of the password equipment management method, and meets the safety requirement.
Description
Technical Field
The invention relates to the technical field of password application, in particular to a password equipment management method and a management platform.
Background
GM/T0050-2016 technical Specification for password device management, which is a technical standard for password device management in the field of commercial passwords in China, defines the security message format and the security channel establishment flow of commercial password device management. The security message format of GM/T0050-2016 is based on the traditional TLV (Type/Length/Value) style, which is similar to SNMP (Simple Network Management Protocol ). Most devices and operating systems currently employ HTTP (HyperText Transfer Protocol ) for management and traffic control, which presents a certain difficulty in supporting GM/T0050.
Patent application document with publication number of CN115412242A proposes a realization method for calling an intelligent password key password application by a full browser, solves the problem of cross-domain when calling the intelligent password key and the problem that an HTTPS page is forbidden to load HTTP service resources by the HTTPS service, but the proposal belongs to the local password service call of the browser, and the encapsulated message is a call parameter for the intelligent password key, and the specific format is close to remote function call.
Disclosure of Invention
The technical problem to be solved by the invention is how to provide a REST (Representational State Transfer) -style password equipment management method which is based on the HTTP protocol and accords with the message basic structure and the security attribute defined in GM/T0050-2016 technical Specification for password equipment management.
The invention solves the technical problems by the following technical means:
in one aspect, the present invention provides a method for managing a cryptographic device, where the method includes:
based on a secure channel protocol and a predefined protocol message structure, carrying out information interaction with the password equipment, and establishing a secure channel and negotiating a session key;
in the validity period of the secure channel, managing and monitoring the state of the managed object attribute corresponding to each cipher device based on the session key and a predefined protocol message structure;
the pre-defined protocol message structure adopts JSON object encapsulation to manage and monitor configuration parameters of the password equipment.
Further, the protocol message structure comprises a message header, a message data part payload and a message signature part signature which are described by adopting a JSON object;
the parameters of the message header include a security mode, a message ID number, a receiver identifier, a sender identifier, and an interactive operation type.
Further, the message header also includes a protocol version number, an encryption algorithm, a signature algorithm, and a cryptographic hash algorithm with a key.
Further, the security mode includes three boolean type parameters, respectively representing whether to reply, encrypt, and sign or calculate a hash value;
the parameter value of each boolean type parameter is TRUE or FALSE.
Further, the interactive operation type comprises a secure channel establishment request, a secure channel establishment response, a secure channel data transmission and a secure channel restart notification.
Further, the parameters of the message data portion payload include an initialization vector when an encryption algorithm is adopted, a management application type identifier, an information operation type and a ciphertext.
Further, the management application type identification comprises key management, remote monitoring, parameter configuration, remote maintenance and validity verification.
Further, the ciphertext is represented in a base64 encoding format.
Further, the message signature part signature includes a first digital signature corresponding to the case that the type of the interaction operation is a secure channel establishment request, a second digital signature corresponding to the case that the type of the interaction operation is a secure channel establishment response, a third digital signature corresponding to the case that the type of the interaction operation is a secure channel restart notification, and a fourth digital signature corresponding to the case that the type of the interaction operation is a secure channel data transmission.
Further, the first digital signature is obtained by encrypting a message header and a message data part payload by adopting a private key of the password equipment;
the second digital signature and the third digital signature are obtained by encrypting the message header and the message data part payload by adopting a private key of a password equipment management platform;
the fourth digital signature is a cryptographic hash value of the message header and the message data portion payload calculated using the session key.
Further, the method further comprises:
after the safety channel is established, a counter is used for recording the ID number of the message, and each request message is consistent with the ID of the corresponding response request;
and after the count value of the counter exceeds the maximum value, the counter is cleared and a channel reset request is sent.
Further, the information interaction is performed with the cryptographic device based on the secure channel protocol and the predefined protocol message structure, and the secure channel and the negotiation session key are established, including:
and sending a secure channel establishment request to the password equipment based on the secure channel protocol, receiving a secure channel establishment response returned by the password equipment, and establishing a secure channel and negotiating a session key.
Further, the managing and status monitoring of the managed object attribute corresponding to each cryptographic device based on the session key and the predefined protocol message structure in the validity period of the secure channel includes:
and in the validity period of the security channel, managing and monitoring the attribute of the managed object corresponding to each password device by adopting the message of which the interactive operation type is the security channel data transmission.
Further, when the secure channel is a long connection, designating a secure channel validity period in a secure channel setup message;
and when the secure channel is in short connection, the validity period of the secure channel and the session key is the current request-response process.
Further, before the information interaction is performed with the cryptographic device based on the secure channel protocol and the predefined protocol message structure, the method further comprises:
receiving a registration request sent by the password equipment and a first certificate issued by the password equipment;
and verifying and storing the first certificate, returning the unique identifier of the password equipment and the second certificate issued by the password equipment management platform to the password equipment, and finishing registration.
In addition, the invention also provides a cryptographic equipment management platform, which comprises:
the channel establishing module is used for carrying out information interaction with the password equipment based on a secure channel protocol and a predefined protocol message structure, and establishing a secure channel and negotiating a session key;
the management module is used for managing and monitoring the state of the managed object attribute corresponding to each password device based on the session key and a predefined protocol message structure in the validity period of the secure channel;
the pre-defined protocol message structure adopts JSON object encapsulation to manage and monitor configuration parameters of the password equipment.
The invention has the advantages that:
(1) The invention predefines the message structure of the password equipment management protocol of the JSON/REST style based on the HTTP protocol, the message structure adopts JSON object encapsulation to manage and monitor configuration parameters of the password equipment, and adopts the message structure to carry out information interaction when remote network password equipment management is carried out, thereby improving the usability and compatibility of the password equipment management method, and the message structure accords with the message basic structure and the security attribute defined in the technical specification of the password equipment management of GM/T0050-2016, thereby meeting the security requirement.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
FIG. 1 is a flow chart illustrating a method for managing a cryptographic device according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a cryptographic device management platform according to an embodiment of the present invention;
FIG. 3 is a schematic diagram illustrating a connection between a cryptographic device management platform and a cryptographic device according to one embodiment of the invention;
FIG. 4 is a schematic diagram illustrating an interaction flow between a cryptographic device management platform and a cryptographic device according to an embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions in the embodiments of the present invention will be clearly and completely described in the following in conjunction with the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, a first embodiment of the present invention discloses a cryptographic device management method applied to a cryptographic device management platform, the method comprising the steps of:
s10, based on a secure channel protocol and a predefined protocol message structure, carrying out information interaction with password equipment, and establishing a secure channel and negotiating a session key;
s20, managing and monitoring the state of the managed object attribute corresponding to each password device based on the session key and a predefined protocol message structure in the validity period of the secure channel;
the pre-defined protocol message structure adopts JSON object encapsulation to manage and monitor configuration parameters of the password equipment.
The embodiment predefines a message structure of a JSON/REST style password equipment management protocol based on an HTTP protocol, wherein the defined message structure accords with a message basic structure and security attribute defined in GM/T0050-2016 password equipment management technical Specification, and has the advantages of good security and strong compliance based on a password industry standard GM/T0050-2016; compared with the standard GM/T0050-2016 protocol, the JSON/REST style-based method has good compatibility, readability and portability, and is easy to realize; the message structure is described by adopting the JSON object, and the message structure is adopted to carry out information interaction when the password equipment is managed, so that the usability and compatibility of the password equipment management method are improved, and the safety requirement is met.
In one embodiment, the protocol message structure includes a message header described by JSON object, a message data portion payload, and a message signature portion signature, where parameters of the message header include a security mode, a message ID number, a receiver identifier, a sender identifier, and an interaction type.
In an embodiment, the parameters of the header further include a protocol version number, an encryption algorithm, a signature algorithm, and a cryptographic hash algorithm with a key.
In one embodiment, the security mode includes three boolean type parameters, respectively representing whether to reply, encrypt, and sign or calculate a hash value;
the parameter value of each boolean type parameter is TRUE or FALSE.
In one embodiment, the interactive operation types include a secure channel setup request, a secure channel setup response, a secure channel data transmission, and a secure channel restart notification.
Specifically, the parameters of the header employ the "key" of JSON: the "value" form is described as:
"ver": protocol version number, this file is "1.0";
"mode": the security mode is a nested JSON object and comprises three boolean type parameters, namely an "ifresponse" (whether replied), an "ifenc" (whether encrypted) and an "ifsign" (whether signed or calculated MAC), wherein each parameter value is TRUE or FALSE;
"id": the method comprises the steps that a 64-bit counter is maintained in each piece of cipher equipment and in a cipher equipment management platform, a safe channel is established, the counter starts to count from 1, the ID number of each request message of the channel is monotonically increased, the counter is cleared after the count value of the counter exceeds the maximum value, a channel reset request is initiated by the cipher equipment, and the ID of each request message and the ID of a corresponding response request are kept consistent, so that replay attack resistance is realized, and safety is improved;
"receiver": the receiver identifier is a unique identifier of the password equipment acquired from the password equipment management platform during receiver registration;
"sender": the sender identifier is a unique identifier of the password equipment management platform;
"operation": the interactive operation types comprise four types of request-tunnel (security channel establishment request), response-tunnel (security channel establishment response), data-tunnel (security channel data transmission) and restart-tunnel (security channel restart notification);
"alg_enc": the encryption algorithm adopted by the message should support SM4-CBC and the like;
"alg_sig": signature algorithm, which should support SM2 and the like;
"alg_hmac": the cryptographic hash algorithm with the key should support "SM3" and so on.
In one embodiment, the parameters of the message data portion payload include an initialization vector, a management application type identifier, an information operation type, and a ciphertext when an encryption algorithm is used.
Specifically, the data portion payload of the message structure is encrypted and protected by using a session key negotiated between the cryptographic device management platform and the cryptographic device when the secure channel is established, including the following parameters:
"iv": initialization vector when CBC encryption mode is adopted;
"type-app": the management application type identifier currently defines five types of KMS (key management), RMON (remote monitoring), CONF (parameter configuration), MAIN (remote maintenance) and VALID (validity verification);
"type-opr": information operation types including "CREATE" (add), "DELETE" (DELETE), "UPDATE" (modify UPDATE), "READ";
"cipherrtext": the encrypted ciphertext is expressed in a base64 coding format by adopting an alg_enc identification algorithm, and the specific encrypted content and format are described in a 6.2 management interface description and a 7.2 state monitoring interface description.
It should be noted that, the specific information included in the management application type identifier and the information operation type is only illustrated in this embodiment, and those skilled in the art can extend according to actual requirements.
In an embodiment, the message signature part signature includes a first digital signature corresponding to the case where the type of the interaction is a secure channel establishment request, a second digital signature corresponding to the case where the type of the interaction is a secure channel establishment response, a third digital signature corresponding to the case where the type of the interaction is a secure channel restart notification, and a fourth digital signature corresponding to the case where the type of the interaction is a secure channel data transmission.
Further, the first digital signature is obtained by encrypting a message header and a message data part payload by adopting a private key of the password equipment;
the second digital signature and the third digital signature are obtained by encrypting the message header and the message data part payload by adopting a private key of a password equipment management platform;
the fourth digital signature is a cryptographic hash value of the message header and the message data portion payload calculated using the session key.
The values of the first to fourth digital signatures are expressed in a base64 encoding format.
Specifically, the signature part of the message, for a message with an operation type "request-tunnel" (secure channel setup request) in the header, is a digital signature of the device private key on the message header+payload part. For messages with operation types of "response-tunnel" (secure channel setup response) and "restart-tunnel" (secure channel restart notification) in the header, the part is the digital signature of the management center private key on the message header+payload part. For messages with the operation type "data-tunnel" (secure channel data transmission) in the header, the partial value is the cryptographic hash value of the header+payload portion of the message calculated using the secure channel session key.
In an embodiment, after establishing the security notification, the method further comprises the steps of:
after the safety channel is established, a counter is used for recording the ID number of the message, and each request message is consistent with the ID of the corresponding response request;
and after the count value of the counter exceeds the maximum value, the counter is cleared and a channel reset request is sent.
In one embodiment, the step S10: based on a secure channel protocol and a predefined protocol message structure, information interaction is carried out with the password equipment, and a secure channel and a negotiation session key are established, which comprises the following steps:
and sending a secure channel establishment request to the password equipment based on the secure channel protocol, receiving a secure channel establishment response returned by the password equipment, and establishing a secure channel and negotiating a session key.
In one embodiment, the step S20: and in the validity period of the secure channel, managing and monitoring the attribute of the managed object corresponding to each cipher device based on the session key and a predefined protocol message structure, including:
and in the validity period of the security channel, managing and monitoring the attribute of the managed object corresponding to each password device by adopting the message of which the interactive operation type is the security channel data transmission.
Specifically, during the validity period of the secure channel, the cryptographic device management platform and the managed cryptographic device adopt a negotiated session key and the protocol message structure described in this embodiment, and according to the managed object attribute defined by GM/T0050-2016 "technical specification for managing cryptographic device management", the secure transmission of management and status monitoring information is performed by adopting a message of the type "secure channel data transmission".
In an embodiment, when the secure channel is a long connection, designating a secure channel validity period in a secure channel setup message;
and when the secure channel is in short connection, the validity period of the secure channel and the session key is the current request-response process.
Specifically, the connection type needs to be specified in the secure channel setup message, and if the secure channel established between the cryptographic device management platform and the managed cryptographic device is a long connection, the validity period of the secure channel is specified in the secure channel setup message. If the secure channel established between the management center and the managed device is a short connection, the secure channel and session key validity period are limited to only one request-response procedure.
In one embodiment, in the step S10: before the information interaction is carried out with the password equipment based on the secure channel protocol and the predefined protocol message structure, and the secure channel is established and the session key is negotiated, the method further comprises:
receiving a registration request sent by the password equipment and a first certificate issued by the password equipment;
and verifying and storing the first certificate, returning the unique identifier of the password equipment and the second certificate issued by the password equipment management platform to the password equipment, and finishing registration.
In one embodiment, the communication protocol framework adopted between the cryptographic device management platform and the cryptographic device may be divided into 4 layers on the whole framework structure: transport layer, message layer, operation layer, content layer.
(1) Transmission layer: a communication path is provided for message interaction between the cryptographic device management platform and the cryptographic device, using HTTP or HTTPs protocols as bearer protocols.
(2) Message layer: providing a simple request and response mechanism based on the HTTP protocol, and enabling a password device management platform to encapsulate request contents in an HTTP request (request) and send the request contents to a password device; the password equipment encapsulates the request processing result in an http response (response), and returns the request processing result to the password equipment management platform; the message structure is uniformly coded by using base 64.
(3) Operation layer: based on the HTTP POST method and various interface definitions, the RPC operation of various configuration and monitoring data of the password equipment by the password equipment management platform is provided, wherein the POST/interfaces/{ 1.0}/interface_xxx and the interface_xxx are correspondingly defined for a specific management or monitoring interface, namely, the RPC operation of the management platform on the equipment is formed.
(4) Content layer: configuration and monitoring data related between the password device management platform and the password device are described, and the data are combined with RPC definition of an operation layer to form different management interfaces and state monitoring interfaces according to managed object attributes and the following message structures defined by GM/T0050-2016 password device management technical Specification.
The conversion rules from the main data types in GM/T0050-2016 to the corresponding HTTP formats are shown in Table 1:
table 1 rules for converting the main data types GM/T0050-2016 into HTTP format
The embodiment designs a set of REST-style password equipment management protocol which is based on the HTTP protocol and accords with the message basic structure and the security attribute defined in the technical Specification for the management of password equipment of GM/T0050-2016, and the password equipment management protocol is realized on a password equipment management platform and password equipment.
In addition, as shown in fig. 2, a second embodiment of the present invention discloses a cryptographic device management platform, including:
the channel establishing module 10 is configured to perform information interaction with the cryptographic device based on a secure channel protocol and a predefined protocol message structure, and establish a secure channel and negotiate a session key;
a management module 20, configured to manage and monitor a state of a managed object attribute corresponding to each cryptographic device based on the session key and a predefined protocol message structure during a validity period of the secure channel;
the pre-defined protocol message structure adopts JSON object encapsulation to manage and monitor configuration parameters of the password equipment.
It should be noted that, the communication protocol frame and the message structure adopted when the cryptographic equipment management platform performs information interaction with the cryptographic equipment are described in the first embodiment, and are not described herein.
In an embodiment, a counter is maintained in the cryptographic device management platform, and the cryptographic device management platform further includes:
after the safety channel is established, a counter is used for recording the ID number of the message, and each request message is consistent with the ID of the corresponding response request;
the channel reset module is used for resetting the counter and sending a channel reset request after the count value of the counter exceeds the maximum value
In one embodiment, the channel establishment module 10 is specifically configured to: and sending a secure channel establishment request to the password equipment based on the secure channel protocol, receiving a secure channel establishment response returned by the password equipment, and establishing a secure channel and negotiating a session key.
In one embodiment, the management module 20 is specifically configured to: and in the validity period of the security channel, managing and monitoring the attribute of the managed object corresponding to each password device by adopting the message of which the interactive operation type is the security channel data transmission.
In an embodiment, when the secure channel is a long connection, designating a secure channel validity period in a secure channel setup message;
and when the secure channel is in short connection, the validity period of the secure channel and the session key is the current request-response process.
In an embodiment, the cryptographic device management platform further comprises:
the registration request receiving module is used for receiving a registration request sent by the password equipment and a first certificate issued by the password equipment;
and the registration module is used for verifying and storing the first certificate, returning the unique identifier of the password equipment and the second certificate issued by the password equipment management platform to the password equipment, and finishing registration.
It should be noted that, other embodiments of the cryptographic device management platform or the implementation method thereof may refer to the above method embodiments, and are not repeated herein.
In addition, as shown in fig. 3 to 4, the communication flow between the cryptographic device management platform and the cryptographic device is:
(1) Initializing managed password equipment, including generating a public and private key pair of the equipment and issuing a first certificate of the equipment;
(2) Registering the managed password equipment with a password equipment management platform, uploading a first certificate of the equipment, verifying and storing the first certificate of the equipment by the management platform, and returning a unique identifier of the password equipment and a second certificate generated by the management platform;
(3) Verifying and storing a second certificate by the managed password equipment to finish equipment registration;
(4) The managed cryptographic equipment and the management platform carry out the establishment of the secure channel and the negotiation of the session key by adopting the messages of the type of the secure channel establishment request and the secure channel establishment response according to the description of the GM/T0050-2016 annex B secure channel protocol framework and the protocol message structure described above;
(5) And in the validity period of the security channel, the cryptographic equipment management platform and the managed cryptographic equipment adopt a negotiated session key and the protocol message structure described in the embodiment, and the management and the security transfer of the state monitoring information are carried out by adopting a message of a security channel data transmission type according to the attribute of the managed object defined in GM/T0050-2016 technical Specification for the management of the cryptographic equipment.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.
Claims (12)
1. A cryptographic device management method, applied to a cryptographic device management platform, the method comprising:
based on a secure channel protocol and a predefined protocol message structure, carrying out information interaction with the password equipment, and establishing a secure channel and negotiating a session key;
in the validity period of the secure channel, managing and monitoring the state of the managed object attribute corresponding to each cipher device based on the session key and a predefined protocol message structure;
the method comprises the steps that a pre-defined protocol message structure adopts JSON object encapsulation to manage and monitor configuration parameters of the password equipment, and the protocol message structure comprises a message header, a message data part payload and a message signature part signature which are described by adopting the JSON object;
the parameters of the message header include a security mode, a message ID number, a receiver identifier, a sender identifier, an interactive operation type, a protocol version number, an encryption algorithm, a signature algorithm and a password hash algorithm with a secret key; the parameters of the message data part payload comprise an initialization vector when an encryption algorithm is adopted, a management application type identifier, an information operation type and a ciphertext expressed in a base64 coding format, wherein the information operation type comprises addition, deletion, modification update and READ.
2. The cryptographic device management method of claim 1, wherein the security mode includes three boolean type parameters, respectively representing whether to reply, encrypt and sign or compute a hash value;
the parameter value of each boolean type parameter is TRUE or FALSE.
3. The cryptographic device management method of claim 1, wherein the type of interaction comprises a secure channel setup request, a secure channel setup response, a secure channel data transmission, and a secure channel restart notification.
4. The cryptographic device management method of claim 1, wherein the management application type identification includes key management, remote monitoring, parameter configuration, remote maintenance, and validity verification.
5. The cryptographic device management method of claim 3, wherein the message signature part signature includes a first digital signature corresponding to when the type of the interaction is a secure channel establishment request, a second digital signature corresponding to when the type of the interaction is a secure channel establishment response, a third digital signature corresponding to when the type of the interaction is a secure channel restart notification, and a fourth digital signature corresponding to when the type of the interaction is a secure channel data transmission.
6. The cryptographic device management method of claim 5, wherein the first digital signature is obtained by encrypting a message header and a message data portion payload with a private key of the cryptographic device;
the second digital signature and the third digital signature are obtained by encrypting the message header and the message data part payload by adopting a private key of a password equipment management platform;
the fourth digital signature is a cryptographic hash value of the message header and the message data portion payload calculated using the session key.
7. The cryptographic device management method of claim 1, wherein the method further comprises:
after the safety channel is established, a counter is used for recording the ID number of the message, and each request message is consistent with the ID of the corresponding response request;
and after the count value of the counter exceeds the maximum value, the counter is cleared and a channel reset request is sent.
8. The cryptographic device management method of claim 3, wherein the information interaction with the cryptographic device based on the secure channel protocol and the predefined protocol message structure, the establishing of the secure channel and the negotiating of the session key, comprises:
and sending a secure channel establishment request to the password equipment based on the secure channel protocol, receiving a secure channel establishment response returned by the password equipment, and establishing a secure channel and negotiating a session key.
9. The cryptographic device management method of claim 3, wherein the managing and status monitoring of the managed object attribute corresponding to each cryptographic device based on the session key and a predefined protocol message structure during the validity period of the secure channel includes:
and in the validity period of the security channel, managing and monitoring the attribute of the managed object corresponding to each password device by adopting the message of which the interactive operation type is the security channel data transmission.
10. The cryptographic device management method according to claim 1, wherein when the secure channel is a long connection, a secure channel validity period is specified in a secure channel setup message;
and when the secure channel is in short connection, the validity period of the secure channel and the session key is the current request-response process.
11. The cryptographic device management method of claim 1, wherein prior to the information interaction with the cryptographic device based on the secure channel protocol and the predefined protocol message structure, the method further comprises, prior to establishing the secure channel and negotiating the session key:
receiving a registration request sent by the password equipment and a first certificate issued by the password equipment;
and verifying and storing the first certificate, returning the unique identifier of the password equipment and the second certificate issued by the password equipment management platform to the password equipment, and finishing registration.
12. A cryptographic device management platform, the cryptographic device management platform comprising:
the channel establishing module is used for carrying out information interaction with the password equipment based on a secure channel protocol and a predefined protocol message structure, and establishing a secure channel and negotiating a session key;
the management module is used for managing and monitoring the state of the managed object attribute corresponding to each password device based on the session key and a predefined protocol message structure in the validity period of the secure channel;
the method comprises the steps that a pre-defined protocol message structure adopts JSON object encapsulation to manage and monitor configuration parameters of the password equipment, and the protocol message structure comprises a message header, a message data part payload and a message signature part signature which are described by adopting the JSON object;
the parameters of the message header include a security mode, a message ID number, a receiver identifier, a sender identifier, an interactive operation type, a protocol version number, an encryption algorithm, a signature algorithm and a password hash algorithm with a secret key; the parameters of the message data part payload comprise an initialization vector when an encryption algorithm is adopted, a management application type identifier, an information operation type and a ciphertext expressed in a base64 coding format, wherein the information operation type comprises addition, deletion, modification update and READ.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310996541.3A CN116707806B (en) | 2023-08-09 | 2023-08-09 | Password equipment management method and management platform |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310996541.3A CN116707806B (en) | 2023-08-09 | 2023-08-09 | Password equipment management method and management platform |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116707806A CN116707806A (en) | 2023-09-05 |
| CN116707806B true CN116707806B (en) | 2023-10-31 |
Family
ID=87831613
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310996541.3A Active CN116707806B (en) | 2023-08-09 | 2023-08-09 | Password equipment management method and management platform |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116707806B (en) |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106603565A (en) * | 2016-12-30 | 2017-04-26 | 上海浦东软件园汇智软件发展有限公司 | Data transmission and display method and equipment thereof |
| CN107451435A (en) * | 2016-05-30 | 2017-12-08 | 阿里巴巴集团控股有限公司 | A kind of management-control method of hardware encryption equipment, management and control machine and managing and control system |
| CN108574599A (en) * | 2017-12-14 | 2018-09-25 | 成都卫士通信息产业股份有限公司 | Password resource pool, password resource pool management method, management platform and management system |
| CN108574573A (en) * | 2017-12-14 | 2018-09-25 | 成都卫士通信息产业股份有限公司 | Method, encryption device and the virtual VPN service systems of cryptographic service are provided for virtual VPN |
| WO2018226154A1 (en) * | 2017-06-05 | 2018-12-13 | Arete M Pte. Ltd. | Secure and encrypted heartbeat protocol |
| CN110929252A (en) * | 2019-11-22 | 2020-03-27 | 福建金密网络安全测评技术有限公司 | Algorithm and random number detection system |
| CN112187809A (en) * | 2020-09-30 | 2021-01-05 | 郑州信大捷安信息技术股份有限公司 | Method and system for browser to use remote equipment password service |
| CN112436937A (en) * | 2020-11-25 | 2021-03-02 | 公安部交通管理科学研究所 | Radio frequency tag initialization key distribution system and method |
| CN113919003A (en) * | 2021-10-09 | 2022-01-11 | 交控科技股份有限公司 | Information security protection method and system based on urban rail PaaS platform |
| CN114124387A (en) * | 2022-01-27 | 2022-03-01 | 北京天防安全科技有限公司 | Batch encryption changing method and system for video monitoring equipment, intelligent terminal and storage medium |
| CN114157448A (en) * | 2021-10-26 | 2022-03-08 | 苏州浪潮智能科技有限公司 | Method, device, terminal and storage medium for establishing and deploying password service platform |
| CN115412242A (en) * | 2022-09-13 | 2022-11-29 | 三未信安科技股份有限公司 | Method for realizing intelligent password key password calling application of full browser |
| CN115495082A (en) * | 2022-11-21 | 2022-12-20 | 北京天元特通科技有限公司 | TLV format data automatic conversion method and related equipment |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9571482B2 (en) * | 2011-07-21 | 2017-02-14 | Intel Corporation | Secure on-line sign-up and provisioning for Wi-Fi hotspots using a device management protocol |
| US10909250B2 (en) * | 2018-05-02 | 2021-02-02 | Amazon Technologies, Inc. | Key management and hardware security integration |
-
2023
- 2023-08-09 CN CN202310996541.3A patent/CN116707806B/en active Active
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107451435A (en) * | 2016-05-30 | 2017-12-08 | 阿里巴巴集团控股有限公司 | A kind of management-control method of hardware encryption equipment, management and control machine and managing and control system |
| CN106603565A (en) * | 2016-12-30 | 2017-04-26 | 上海浦东软件园汇智软件发展有限公司 | Data transmission and display method and equipment thereof |
| WO2018226154A1 (en) * | 2017-06-05 | 2018-12-13 | Arete M Pte. Ltd. | Secure and encrypted heartbeat protocol |
| CN108574599A (en) * | 2017-12-14 | 2018-09-25 | 成都卫士通信息产业股份有限公司 | Password resource pool, password resource pool management method, management platform and management system |
| CN108574573A (en) * | 2017-12-14 | 2018-09-25 | 成都卫士通信息产业股份有限公司 | Method, encryption device and the virtual VPN service systems of cryptographic service are provided for virtual VPN |
| CN110929252A (en) * | 2019-11-22 | 2020-03-27 | 福建金密网络安全测评技术有限公司 | Algorithm and random number detection system |
| CN112187809A (en) * | 2020-09-30 | 2021-01-05 | 郑州信大捷安信息技术股份有限公司 | Method and system for browser to use remote equipment password service |
| CN112436937A (en) * | 2020-11-25 | 2021-03-02 | 公安部交通管理科学研究所 | Radio frequency tag initialization key distribution system and method |
| CN113919003A (en) * | 2021-10-09 | 2022-01-11 | 交控科技股份有限公司 | Information security protection method and system based on urban rail PaaS platform |
| CN114157448A (en) * | 2021-10-26 | 2022-03-08 | 苏州浪潮智能科技有限公司 | Method, device, terminal and storage medium for establishing and deploying password service platform |
| CN114124387A (en) * | 2022-01-27 | 2022-03-01 | 北京天防安全科技有限公司 | Batch encryption changing method and system for video monitoring equipment, intelligent terminal and storage medium |
| CN115412242A (en) * | 2022-09-13 | 2022-11-29 | 三未信安科技股份有限公司 | Method for realizing intelligent password key password calling application of full browser |
| CN115495082A (en) * | 2022-11-21 | 2022-12-20 | 北京天元特通科技有限公司 | TLV format data automatic conversion method and related equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116707806A (en) | 2023-09-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108650227B (en) | Handshaking method and system based on datagram secure transmission protocol | |
| CN111799867B (en) | Mutual trust authentication method and system between charging equipment and charging management platform | |
| US7676041B2 (en) | Method for creating and distributing cryptographic keys in a mobile radio system and corresponding mobile radio system | |
| EP2421293B1 (en) | Method enabling real-time data service realization, real-time data service system and mobile terminal | |
| CN101867530B (en) | Things-internet gateway system based on virtual machine and data interactive method | |
| US20180227294A1 (en) | Dtcp certificate authentication over tls protocol | |
| CN101583083B (en) | Implementation method of real-time data service and real-time data service system | |
| EP2635993B1 (en) | Registration server, gateway apparatus and method for providing a secret value to devices | |
| CN101645883A (en) | Data transmitting method, a data sending method and a data receiving method | |
| WO2007041918A1 (en) | Method and system for obtaining ssh host key of managed device | |
| CN103155512A (en) | System and method for providing secured access to services | |
| CN109714360B (en) | Intelligent gateway and gateway communication processing method | |
| WO2010078755A1 (en) | Method and system for transmitting electronic mail, wlan authentication and privacy infrastructure (wapi) terminal thereof | |
| KR20200003108A (en) | Key generation methods, user equipment, devices, computer readable storage media, and communication systems | |
| CN111970699B (en) | Terminal WIFI login authentication method and system based on IPK | |
| CN101277297B (en) | Conversation control system and method | |
| CN110099072A (en) | A kind of safety protecting method being directed to industrial data transmission of internet of things | |
| CN104753937A (en) | SIP (System In Package)-based security certificate registering method | |
| CN113452660A (en) | Communication method of mesh network and cloud server, mesh network system and node device thereof | |
| CN113507705A (en) | 5G secondary authentication method and system based on EAP-TLS protocol | |
| CN104243146A (en) | Encryption communication method and device and terminal | |
| CN112332986A (en) | Private encryption communication method and system based on authority control | |
| WO2010088812A1 (en) | Transmission method, system and wapi terminal for instant message | |
| CN102006298A (en) | Method and device for realizing load sharing of access gateway | |
| CN116707806B (en) | Password equipment management method and management platform |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |