CN117061221A - Method and device for realizing cloud password service - Google Patents


Info

Publication number
CN117061221A
Authority
CN
China
Prior art keywords
password
service
cryptographic
services
resource pool
Prior art date
Legal status
Pending
Application number
CN202311163238.1A
Other languages
Chinese (zh)
Inventor
张广良
Current Assignee
Jingdong Technology Information Technology Co Ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Jingdong Technology Information Technology Co Ltd
Priority to CN202311163238.1A
Publication of CN117061221A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The application discloses a method and a device for realizing a cloud cryptographic service. One embodiment of the method comprises the following steps: interfacing with a plurality of cryptographic devices that provide a plurality of cryptographic services; generating, based on the plurality of cryptographic devices and using container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services; and providing cryptographic services to users through the cryptographic resource pool. The application thereby provides a method for realizing a cloud cryptographic service in which cloud deployment and management of cryptographic services are achieved by constructing a cryptographic resource pool.

Description

Method and device for realizing cloud password service
Technical Field
The embodiments of the application relate to the technical field of computers, in particular to cloud computing, and specifically to a method and a device for realizing a cloud cryptographic service, a method and a device for providing a cloud cryptographic service, a computer readable medium and an electronic device.
Background
In current cloud computing development, security has become the biggest constraining factor. With the increasing degree of social networking and informatization, the value of data assets keeps rising; even in traditional network information systems, network security is an ever-escalating contest between attack and defense and constantly faces new problems. In cloud computing environments, network security faces more serious challenges because the network environment in the cloud is more complex. Facing the network security challenges of cloud computing, the security industry recognizes the deficiencies of traditional network security methods and techniques, and technology upgrades and innovations are under way. It is a common consensus that traditional security protection policies and techniques based on the network boundary face challenges in cloud computing and can no longer serve as the main protection concept.
Disclosure of Invention
The embodiments of the application provide a method and a device for realizing a cloud cryptographic service, a method and a device for providing a cloud cryptographic service, a computer readable medium and an electronic device.
In a first aspect, an embodiment of the present application provides a method for implementing a cloud cryptographic service, including: interfacing with a plurality of cryptographic devices that provide a plurality of cryptographic services; generating, based on the plurality of cryptographic devices and using container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services; and providing cryptographic services to users through the cryptographic resource pool.
In some examples, interfacing with a plurality of cryptographic devices that provide a plurality of cryptographic services includes: interfacing, through a preset interfacing standard, with a plurality of cryptographic devices belonging to different cryptographic service providers and of different models; and, in response to successful interfacing, organizing the plurality of cryptographic services provided by the plurality of cryptographic devices so that the service parameters of the plurality of cryptographic devices conform to the parameter standards of the cryptographic service integrator.
In some examples, organizing the plurality of cryptographic services provided by the plurality of cryptographic devices in response to successful interfacing includes: classifying, in response to successful interfacing, the plurality of cryptographic services provided by the plurality of cryptographic devices; and organizing the classified cryptographic services so that the service parameters of the plurality of cryptographic devices conform to the parameter standards of the cryptographic service integrator.
In some examples, generating, based on the plurality of cryptographic devices and using container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services includes: packaging each of the plurality of cryptographic services as a module to obtain a plurality of modularized cryptographic services; and generating, using container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services based on the plurality of modularized cryptographic services.
In some examples, providing cryptographic services to users through the cryptographic resource pool includes: generating, for each of the plurality of cryptographic services, unified cryptographic service middleware for the user; and providing the cryptographic service to the user through the cryptographic resource pool by means of the cryptographic service middleware.
In some examples, providing the cryptographic service to the user through the cryptographic resource pool by means of the cryptographic service middleware includes: performing, on the cryptographic service middleware, adaptation development between the user and the cryptographic service integrator according to the cryptographic service corresponding to that middleware; and providing the cryptographic service to the user through the cryptographic resource pool by means of the cryptographic service middleware after the adaptation development.
In some examples, providing cryptographic services to users through the cryptographic resource pool includes: while providing the cryptographic service to the user through the cryptographic resource pool, monitoring the cryptographic computing power of the cryptographic service corresponding to the user; and dynamically expanding or shrinking the user's cryptographic service according to that cryptographic computing power.
In some examples, the method further comprises: according to a received service customization operation, allocating a customized cryptographic service from the cryptographic resource pool to the user corresponding to the service customization operation.
In a second aspect, an embodiment of the present application provides a method for providing a cloud cryptographic service, including: determining a cryptographic service type according to a received cryptographic service request; determining, from the cryptographic resource pool and according to the cryptographic service type, a target container that provides the cryptographic service of that type, wherein different cryptographic services are deployed in the containers of the cryptographic resource pool; and providing the requested cryptographic service through the target container.
In a third aspect, an embodiment of the present application provides an implementation apparatus for a cloud cryptographic service, including: an interfacing unit configured to interface with a plurality of cryptographic devices that provide a plurality of cryptographic services; a generation unit configured to generate, based on the plurality of cryptographic devices and using container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services; and a service unit configured to provide cryptographic services to users through the cryptographic resource pool.
In some examples, the interfacing unit is further configured to: interface, through a preset interfacing standard, with a plurality of cryptographic devices belonging to different cryptographic service providers and of different models; and, in response to successful interfacing, organize the plurality of cryptographic services provided by the plurality of cryptographic devices so that the service parameters of the plurality of cryptographic devices conform to the parameter standards of the cryptographic service integrator.
In some examples, the interfacing unit is further configured to: classify, in response to successful interfacing, the plurality of cryptographic services provided by the plurality of cryptographic devices; and organize the classified cryptographic services so that the service parameters of the plurality of cryptographic devices conform to the parameter standards of the cryptographic service integrator.
In some examples, the generation unit is further configured to: package each of the plurality of cryptographic services as a module to obtain a plurality of modularized cryptographic services; and generate, using container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services based on the plurality of modularized cryptographic services.
In some examples, the service unit is further configured to: generate, for each of the plurality of cryptographic services, unified cryptographic service middleware for the user; and provide the cryptographic service to the user through the cryptographic resource pool by means of the cryptographic service middleware.
In some examples, the service unit is further configured to: perform, on the cryptographic service middleware, adaptation development between the user and the cryptographic service integrator according to the cryptographic service corresponding to that middleware; and provide the cryptographic service to the user through the cryptographic resource pool by means of the cryptographic service middleware after the adaptation development.
In some examples, the service unit is further configured to: while providing the cryptographic service to the user through the cryptographic resource pool, monitor the cryptographic computing power of the cryptographic service corresponding to the user; and dynamically expand or shrink the user's cryptographic service according to that cryptographic computing power.
In some examples, the apparatus further comprises a customization unit configured to: according to a received service customization operation, allocate a customized cryptographic service from the cryptographic resource pool to the user corresponding to the service customization operation.
In a fourth aspect, an embodiment of the present application provides an apparatus for providing a cloud cryptographic service, including: a first determining unit configured to determine a cryptographic service type according to a received cryptographic service request; a second determining unit configured to determine, from the cryptographic resource pool and according to the cryptographic service type, a target container that provides the cryptographic service of that type, wherein different cryptographic services are deployed in the containers of the cryptographic resource pool; and a service providing unit configured to provide the cryptographic service requested by the cryptographic service request through the target container.
In a fifth aspect, embodiments of the present application provide a computer readable medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the method described in any of the implementations of the first and second aspects.
In a sixth aspect, an embodiment of the present application provides an electronic device, including: one or more processors; and a storage device having one or more programs stored thereon which, when executed by the one or more processors, cause the one or more processors to implement the method described in any of the implementations of the first and second aspects.
The implementation method and apparatus for the cloud cryptographic service provided by the embodiments of the application interface with a plurality of cryptographic devices that provide a plurality of cryptographic services; generate, based on those devices and using container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services; and provide cryptographic services to users through the cryptographic resource pool. A method for realizing a cloud cryptographic service is thus provided, in which cloud deployment and management of cryptographic services are achieved by constructing the cryptographic resource pool.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading the detailed description of non-limiting embodiments, made with reference to the accompanying drawings, in which:
FIG. 1 is an exemplary system architecture diagram to which an embodiment of the present application may be applied;
FIG. 2 is a flow chart of one embodiment of a method for implementing a cloud cryptographic service according to the present application;
FIG. 3 is a system schematic diagram corresponding to a method for implementing a cloud cryptographic service according to the present application;
FIG. 4 is a schematic diagram of an exemplary authentication flow of a method for implementing a cloud cryptographic service according to the present embodiment;
FIG. 5 is a schematic diagram of a typical data encryption flow of a method for implementing a cloud cryptographic service according to the present embodiment;
FIG. 6 is a schematic structural diagram of the cryptographic service platform of a method for implementing a cloud cryptographic service according to the present embodiment;
FIG. 7 is a schematic diagram of an application scenario of a method for implementing a cloud cryptographic service according to the present embodiment;
FIG. 8 is a schematic diagram of a cryptographic service customization flow of a method for implementing a cloud cryptographic service according to the present embodiment;
FIG. 9 is a schematic diagram of a deployment mode of a method for implementing a cloud cryptographic service according to the present embodiment;
FIG. 10 is a flow chart of yet another embodiment of a method for implementing a cloud cryptographic service according to the present application;
FIG. 11 is a flow chart of one embodiment of a method for providing a cloud cryptographic service according to the present application;
FIG. 12 is a flow chart of the processing of a data encryption request;
FIG. 13 is a flow chart of the processing of a data decryption request;
FIG. 14 is a flow chart of the processing of a signing service request;
FIG. 15 is a flow chart of the processing of a signing service request;
FIG. 16 is a block diagram of one embodiment of an implementation apparatus for a cloud cryptographic service according to the present application;
FIG. 17 is a block diagram of one embodiment of an apparatus for providing a cloud cryptographic service according to the present application;
FIG. 18 is a schematic diagram of a computer system suitable for implementing embodiments of the present application.
Detailed Description
The application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be noted that, for convenience of description, only the portions related to the present application are shown in the drawings.
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
It should be noted that, in the technical solution of the present disclosure, the collection, updating, analysis, processing, use, transmission, storage and other handling of users' personal information all comply with the relevant laws and regulations, serve lawful purposes, and do not violate public order and good customs. Necessary measures are taken for users' personal information to prevent illegal access to users' personal information data and to maintain the personal information security of users, network security and national security.
Fig. 1 illustrates an exemplary architecture 100 of an implementation method and apparatus of a cloud cryptographic service to which the present application may be applied.
As shown in FIG. 1, a system architecture 100 may include terminal devices 101, 102, 103, a network 104 and a server 105. The communication connections between the terminal devices 101, 102, 103 form a network topology, and the network 104 is the medium providing the communication links between the terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired or wireless communication links, fiber optic cables and so on.
The terminal devices 101, 102, 103 may interact with the server 105 through the network 104 to receive or transmit data and the like. The terminal devices 101, 102, 103 may be hardware devices or software that support network connections for data interaction and data processing. When the terminal devices 101, 102, 103 are hardware, they may be various electronic devices supporting network connection, information acquisition, interaction, display, processing and so on, including but not limited to smartphones, tablet computers, e-book readers, laptop and desktop computers and the like. When the terminal devices 101, 102, 103 are software, they can be installed in the electronic devices listed above. They may be implemented as a plurality of software programs or software modules (for example, for providing distributed services) or as a single software program or software module. The present application is not particularly limited in this respect.
The server 105 may be a server that provides various cryptographic services: for example, a background processing server that interfaces with a plurality of cryptographic devices (such as the terminal devices 101, 102, 103) and generates, using container virtualization technology, a cryptographic resource pool based on the plurality of cryptographic services of those devices; or, as another example, a background processing server that receives cryptographic service requests from the terminal devices 101, 102, 103 and provides the corresponding cryptographic service through the cryptographic resource pool. As an example, the server 105 may be a cloud server.
The server may be hardware or software. When the server is hardware, the server may be implemented as a distributed server cluster formed by a plurality of servers, or may be implemented as a single server. When the server is software, it may be implemented as a plurality of software or software modules (e.g., software or software modules for providing distributed services), or as a single software or software module. The present application is not particularly limited herein.
It should be further noted that the method for implementing the cloud cryptographic service and the method for providing the cloud cryptographic service provided by the embodiments of the present application may be executed by a server, by a terminal device, or by the server and the terminal device in cooperation with each other. Accordingly, the units included in the implementation apparatus for the cloud cryptographic service and in the apparatus for providing the cloud cryptographic service may all be arranged in the server, all in the terminal device, or distributed between the server and the terminal device.
It should be understood that the numbers of terminal devices, networks and servers in FIG. 1 are merely illustrative. There may be any number of terminal devices, networks and servers as required by the implementation. When the electronic device on which the method for implementing the cloud cryptographic service and the method for providing the cloud cryptographic service run does not need to exchange data with other electronic devices, the system architecture may include only that electronic device (for example, a server or a terminal device).
With continued reference to FIG. 2, a flow 200 of one embodiment of a method for implementing a cloud cryptographic service is shown, comprising the following steps:
Step 201, interfacing with a plurality of cryptographic devices that provide a plurality of cryptographic services.
In this embodiment, the execution body of the method for implementing the cloud cryptographic service (for example, a terminal device or a server in FIG. 1) may interface with a plurality of cryptographic devices that provide a plurality of cryptographic services through a wired or wireless network connection.
The plurality of cryptographic devices includes cryptographic hardware products, cryptographic software products and cryptographic supporting facilities. Cryptographic hardware products include authentication gateways (VPN, Virtual Private Network), server cryptographic machines, cryptographic chip modules and the like; cryptographic software products include signature verification systems, timestamp systems, digital certificate systems, key management systems and the like; cryptographic supporting facilities include network resource devices, computing resource devices, storage resource devices and the like.
The plurality of cryptographic services includes, but is not limited to, data encryption services, data decryption services, signature verification services and the like. The data encryption service includes a data storage encryption service and a data transmission encryption service, and the data decryption service includes a data storage decryption service and a data transmission decryption service.
The aim is to cover the country's mainstream cryptographic product services by interfacing with a plurality of cryptographic devices that provide a plurality of cryptographic services; the cryptographic product services involved hold commercial cryptography certification certificates issued by the cryptography administration, sales licence certificates from public security authorities, and other relevant security test certificates.
Step 202, generating, based on the plurality of cryptographic devices and using container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services.
In this embodiment, the execution body may generate the cryptographic resource pool that provides the plurality of cryptographic services by using container virtualization technology based on the plurality of cryptographic devices.
As an example, for each of the cryptographic services provided by the plurality of cryptographic devices, the application program corresponding to that cryptographic service and its dependencies are packaged in a container in the cryptographic resource pool. Under the pooled management of the cryptographic resource pool, containers can be reused, which reduces the cost of creating and destroying containers and improves the resource utilization of the various cryptographic services.
Specifically, the execution body may containerize the cryptographic services in the following manner. First, the cryptographic resource pool is created: a certain number of containers, in which the cryptographic services and their dependencies are deployed, are created and kept in one cryptographic resource pool for reuse. Then, resources are allocated: when a cryptographic service in a container needs to be used, a container object is allocated from the cryptographic resource pool to the requester. Then, resources are recovered: when the requester has finished using it, the allocated container object is returned to the cryptographic resource pool for reuse. While providing cryptographic services, the container resources in the cryptographic resource pool must be managed according to their state, such as available, in use, expired and so on.
With continued reference to FIG. 3, a schematic diagram of a cloud cryptographic service system corresponding to the method for implementing a cloud cryptographic service of the present application is shown.
The cloud cryptographic service system 300 comprises a cryptographic service platform 301 and a cryptographic resource pool 302. It aims to form a high-performance, loosely coupled cryptographic service platform by converging a complete set of cryptographic resource pools, covering seven main cryptographic security dimensions: service physical environment security, network communication security, device computing security, application data security, management system planning, professional training and cryptographic emergency response. At the same time, combining the proprietary cloud technology architecture of a cloud service provider with the K8S (Kubernetes) orchestration experience accumulated on large-scale and ultra-large-scale container clusters (for example, a container cluster scale of approximately 3,000,000 at a certain cloud service provider), the cloud service provider builds a cryptographic resource pool solution on the cloud.
The cryptographic resource pool aggregates cryptographic hardware products, cryptographic software products and cryptographic supporting facilities, and covers the country's mainstream cryptographic product services. With the cryptographic service platform as the core, cryptographic hardware and software products are integrated through standard interfaces to form basic cryptographic services such as encryption and decryption services, certificate services and key services; upper-layer applications can then integrate the cryptographic service capability through an API (Application Programming Interface) or SDK (Software Development Kit) to achieve data security protection. The cryptographic service platform may be a platform that protects the full data lifecycle, such as AKS (Authentication Key Management System).
Step 203, providing cryptographic services to users through the cryptographic resource pool.
In this embodiment, the execution body may provide the user with the cryptographic service through the cryptographic resource pool.
As an example, when a user's cryptographic service request is accepted, a target container capable of satisfying the cryptographic service indicated by the request is determined from the cryptographic resource pool, the data carried in the request is processed by the cryptographic service provided by that target container, and the processed data is returned to the user.
With continued reference to FIG. 4, a schematic diagram of an exemplary authentication flow of a method for implementing a cloud cryptographic service according to the present application is shown. A browser in a B/S (browser/server) architecture or a client in a C/S (client/server) architecture may log in to the cloud platform 402 through a Virtual Private Cloud (VPC) 401; the cloud platform 402 interfaces with the cryptographic resource pool 404 through the cryptographic service platform 403, so that the cryptographic resource pool 404 can provide an authentication service to the browser and the client through an API or SDK.
With continued reference to FIG. 5, a schematic diagram of an exemplary data encryption flow of a method for implementing a cloud cryptographic service according to the present application is shown. Similarly, a browser in a B/S (browser/server) architecture or a client in a C/S (client/server) architecture may log in to the cloud platform 502 through the virtual private cloud VPC 501; the cloud platform 502 interfaces with the cryptographic resource pool 504 through the cryptographic service platform 503, so that the cryptographic resource pool 504 can provide data encryption services to the browser and the client in the form of an API or SDK.
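The pool lifecycle of step 202 (create, allocate, recover, track the available / in use / expired states) and the dispatch of step 203 (pick a target container by the requested service type) can be seen together in the following added example. It is illustrative code written for this page, not the patent's or Jingdong's implementation; the service type names, the per-type pool size, the injectable clock and the expiry rule are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ServiceType is the kind of cryptographic service deployed in a container
// (the description lists encryption, decryption and signature verification).
type ServiceType string

const (
	EncryptService    ServiceType = "encrypt"
	DecryptService    ServiceType = "decrypt"
	SignVerifyService ServiceType = "sign-verify"
)

// ContainerState follows the states the description names for pooled containers.
type ContainerState int

const (
	Available ContainerState = iota
	InUse
	Expired
)

func (s ContainerState) String() string {
	return [...]string{"available", "in-use", "expired"}[s]
}

// Container is one pooled unit running a single cryptographic service.
type Container struct {
	ID        string
	Service   ServiceType
	State     ContainerState
	CreatedAt time.Time
}

// Pool keeps pre-created containers and reuses them instead of creating and
// destroying one per request. The clock is injectable so expiry can be tested.
type Pool struct {
	mu         sync.Mutex
	containers map[string]*Container
	maxAge     time.Duration // assumption: containers older than this are retired
	now        func() time.Time
}

var (
	ErrNoContainer   = errors.New("no available container for the requested service type")
	ErrUnknownHandle = errors.New("unknown container id")
	ErrNotInUse      = errors.New("container is not in use")
)

// NewPool performs the "create the resource pool" step: a fixed number of
// containers per service type, all starting in the available state.
func NewPool(perType int, types []ServiceType, maxAge time.Duration) *Pool {
	p := &Pool{containers: map[string]*Container{}, maxAge: maxAge, now: time.Now}
	for _, t := range types {
		for i := 0; i < perType; i++ {
			id := fmt.Sprintf("%s-%d", t, i)
			p.containers[id] = &Container{ID: id, Service: t, State: Available, CreatedAt: p.now()}
		}
	}
	return p
}

// Acquire is the "allocate resources" step and the dispatch of step 203: the
// request's service type selects the target container, which is marked in use.
func (p *Pool) Acquire(t ServiceType) (*Container, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	p.expireLocked()
	for _, c := range p.containers {
		if c.Service == t && c.State == Available {
			c.State = InUse
			return c, nil
		}
	}
	return nil, ErrNoContainer
}

// Release is the "recover resources" step: the container goes back to the pool.
// A double release or an unknown id is rejected rather than silently accepted.
func (p *Pool) Release(id string) error {
	p.mu.Lock()
	defer p.mu.Unlock()
	c, ok := p.containers[id]
	if !ok {
		return ErrUnknownHandle
	}
	if c.State != InUse {
		return ErrNotInUse
	}
	c.State = Available
	return nil
}

// expireLocked retires idle containers older than maxAge so they are never
// handed out again; caller must hold p.mu.
func (p *Pool) expireLocked() {
	for _, c := range p.containers {
		if c.State == Available && p.now().Sub(c.CreatedAt) > p.maxAge {
			c.State = Expired
		}
	}
}

// Count reports how many containers of a service type are in a given state.
func (p *Pool) Count(t ServiceType, s ContainerState) int {
	p.mu.Lock()
	defer p.mu.Unlock()
	n := 0
	for _, c := range p.containers {
		if c.Service == t && c.State == s {
			n++
		}
	}
	return n
}

func main() {
	p := NewPool(2, []ServiceType{EncryptService, SignVerifyService}, time.Hour)
	c, err := p.Acquire(EncryptService)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("dispatched %s request to container %s (%s)\n", c.Service, c.ID, c.State)
	_ = p.Release(c.ID)
	fmt.Println("available encrypt containers:", p.Count(EncryptService, Available))
}
```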
With continued reference to fig. 6, a schematic diagram of the cryptographic services platform is shown. The cryptographic services platform includes a device layer 601, a system component layer 602, and an interface layer 603.
The device layer 601 comprises cryptographic devices such as a server cryptographic machine, a signature verification server, a timestamp server and a collaborative signature server, and provides basic cryptographic services such as encryption and decryption, signature verification, timestamping, key generation and cryptographic computation to the application system.
The system component layer 602 is configured to unify the standards and protocols of the cryptographic services provided by the various cryptographic devices at the bottom layer of the cloud cryptographic service, so that the bottom-layer devices can be taken over in a unified manner. Specifically, the cryptographic service platform first interfaces with the various cryptographic devices through national standards such as GMT 0018-2012 (Cryptographic Device Application Interface Specification), GMT 0020-2012 (Certificate Application Integrated Service Interface Specification) and GMT 0019-2012 (General Cryptographic Service Interface Specification), and, once the devices are successfully interfaced, classifies and manages the cryptographic devices of the various brands and models so as to build a device cluster. The cryptographic system then uses development languages such as Java and Go to normalize the cryptographic services, including symmetric encryption and decryption, asymmetric encryption and decryption, signature verification and digest operations.
The interface layer (general cryptographic middleware layer) 603 is developed in languages such as Java and C to form a unified cryptographic service interface, which covers cryptographic interface services such as configuration file encryption, secure channel protection and signature verification. A unified external interface document is formed at the same time; it defines the SDK usage (adding the SDK dependency, initializing the SDK and so on) and the interface description (interface overview, call examples, parameter descriptions and so on).
In terms of cloud computing service capability, the cryptographic services formed by the cryptographic system are placed under containerized management and orchestration using the virtualization characteristics of cloud computing, and the containerized cryptographic computing power is deployed and monitored through K8S (Kubernetes). The computing power of the cryptographic service is monitored using techniques such as cloud computing startup simulation, and a response threshold is set; when system memory or CPU (Central Processing Unit) usage reaches the threshold, the bottom-layer cryptographic computation is expanded automatically, achieving elastic scaling. Cloud computing and K8S are common open-source base technologies and are not described further here.
The cryptographic service platform is based on domestic cryptographic technology. Drawing on years of practice and accumulated experience in applying cryptographic technology, it combines upper-layer application modes and application scenarios, performs high-level modular encapsulation of the cryptographic services needed by most business systems, provides differentiated cryptographic service capability based on cloud technology (the traditional mode being a localized, non-cloud mode), reduces the difficulty of integrating cryptographic services, and forms a cryptographic service center platform that is easy to integrate, transparent, efficient, flexible and easy to use.
With continued reference to fig. 7, fig. 7 is a schematic diagram 700 of an application scenario of a method for implementing a cloud cryptographic service according to this embodiment. In the application scenario of fig. 7, a variety of cryptographic devices providing a variety of cryptographic services, including but not limited to data encryption services, data decryption services and signature verification services, are interfaced through the cryptographic service platform 701. Based on these cryptographic devices, a container virtualization technique is employed to generate a cryptographic resource pool 702 that provides the cryptographic services, and the user is provided with cryptographic services through the cryptographic resource pool 702.
In the method provided by this embodiment of the application, a plurality of cryptographic devices providing a plurality of cryptographic services are interfaced; based on the cryptographic devices, a container virtualization technique is adopted to generate a cryptographic resource pool providing the cryptographic services; and the cryptographic services are provided to the user through the cryptographic resource pool. A method for implementing a cloud cryptographic service is thus provided, in which cloud deployment and management of cryptographic services are achieved by constructing the cryptographic resource pool.
In some optional implementations of this embodiment, the executing body may execute step 201 as follows:
First, a plurality of cryptographic devices belonging to different cryptographic service providers and of different models are interfaced through a preset interfacing standard.
In this implementation, the models of the cryptographic devices differ and the devices may belong to different cryptographic service providers. The preset interfacing standard is, for example, a national standard such as GMT 0018-2012 (Cryptographic Device Application Interface Specification), GMT 0020-2012 (Certificate Application Integrated Service Interface Specification) or GMT 0019-2012 (General Cryptographic Service Interface Specification).
Second, in response to successful interfacing, the cryptographic services provided by the cryptographic devices are normalized so that the service parameters of the cryptographic devices conform to the parameter standard of the cryptographic service integrator.
Because the cryptographic devices belong to different cryptographic service providers and are of different models, the parameter standards of the service providers corresponding to the devices differ. The cryptographic services are therefore normalized using development languages such as Java and Go, so that the service parameters of each cryptographic service conform to the parameter standard of the cryptographic service integrator (the party operating the executing body).
In this implementation, the cryptographic devices may belong to different cryptographic service providers and be of different models, which increases the richness of the cryptographic services in the cryptographic resource pool generated from them; and for cryptographic devices with differing parameter standards, normalizing them to a single parameter standard ensures the uniformity and reliability of the cryptographic services while preserving that richness.
In some optional implementations of this embodiment, the executing body may execute the second step as follows: first, in response to successful interfacing, the cryptographic services provided by the cryptographic devices are classified; the classified cryptographic services are then normalized so that the service parameters of the cryptographic devices conform to the parameter standard of the cryptographic service integrator.
In this implementation, the executing body may classify the cryptographic services provided by the cryptographic devices according to the function of each service, obtaining, for example, the types data encryption service, data decryption service and signature verification service.
After the classification result is obtained, the classified cryptographic services can be normalized type by type according to that result, so that the service parameters of the classified cryptographic devices conform to the parameter standard of the cryptographic service integrator.
In this implementation, the cryptographic services are first classified and then normalized with the service type as the unit, which improves the efficiency of the normalization process.
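The interfacing, classification and normalization steps above can be illustrated with a small Go program. This is an added example and not code from the patent or from the applicant; the two "vendor" device APIs (hex-in/upper-case-hex-out versus raw-bytes-in/base64-out), the digest service type and the names `CryptoService`, `Registry` and `BuildRegistry` are all constructed for illustration. Each adapter converts a vendor's own parameter conventions into one raw-bytes standard, the registry groups the adapted services by type, and the digest helper confirms that devices from different vendors are interchangeable once normalized.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// ServiceType is the classification key: services are grouped by function
// (data encryption, data decryption, signature verification, digest, ...).
type ServiceType string

const Digest ServiceType = "digest"

// CryptoService is the integrator's unified parameter standard: raw bytes in,
// raw bytes out. Vendor-specific encodings stay hidden behind each adapter.
type CryptoService struct {
	Type   ServiceType
	Vendor string
	Invoke func(input []byte) ([]byte, error)
}

// Constructed stand-in for vendor A's device API: it expects hex-encoded
// input and returns an upper-case hex digest.
func vendorARawDigest(hexInput string) (string, error) {
	b, err := hex.DecodeString(hexInput)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return strings.ToUpper(hex.EncodeToString(sum[:])), nil
}

// Constructed stand-in for vendor B's device API: raw bytes in, base64 out.
func vendorBHash(data []byte) string {
	sum := sha256.Sum256(data)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// The adapters are the normalization step: each converts between the
// vendor's own parameter conventions and the unified raw-bytes standard.
func adaptVendorA() CryptoService {
	return CryptoService{Type: Digest, Vendor: "vendor-A", Invoke: func(in []byte) ([]byte, error) {
		out, err := vendorARawDigest(hex.EncodeToString(in))
		if err != nil {
			return nil, err
		}
		return hex.DecodeString(strings.ToLower(out))
	}}
}

func adaptVendorB() CryptoService {
	return CryptoService{Type: Digest, Vendor: "vendor-B", Invoke: func(in []byte) ([]byte, error) {
		return base64.StdEncoding.DecodeString(vendorBHash(in))
	}}
}

// Registry groups normalized services by type (the classification step).
type Registry map[ServiceType][]CryptoService

func (r Registry) Register(s CryptoService) { r[s.Type] = append(r[s.Type], s) }

// DigestHex runs one input through every registered digest device and checks
// that they agree under the unified standard; returns the lower-case hex digest.
func (r Registry) DigestHex(input []byte) (string, error) {
	if len(r[Digest]) == 0 {
		return "", fmt.Errorf("no digest service registered")
	}
	ref := ""
	for _, s := range r[Digest] {
		out, err := s.Invoke(input)
		if err != nil {
			return "", fmt.Errorf("%s: %w", s.Vendor, err)
		}
		h := hex.EncodeToString(out)
		if ref != "" && h != ref {
			return "", fmt.Errorf("%s disagrees with the other devices", s.Vendor)
		}
		ref = h
	}
	return ref, nil
}

// BuildRegistry interfaces the two constructed vendors and classifies them.
func BuildRegistry() Registry {
	r := Registry{}
	r.Register(adaptVendorA())
	r.Register(adaptVendorB())
	return r
}

func main() {
	r := BuildRegistry()
	h, err := r.DigestHex([]byte("abc"))
	fmt.Println(len(r[Digest]), "digest devices:", h, err)
}
```

The design point is that everything above the adapters sees only `CryptoService`; a third vendor with yet another encoding is added by writing one more adapter and registering it, without touching the services that consume the pool.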
In some optional implementations of this embodiment, the executing body may execute step 202 as follows:
First, each of the cryptographic services is packaged as a module, obtaining a plurality of modular cryptographic services.
In this implementation, modular packaging gives each modular cryptographic service a higher degree of independence.
Second, a container virtualization technique is used to generate, based on the modular cryptographic services, a cryptographic resource pool that provides the cryptographic services.
Cloud computing today emphasizes the sharing and on-demand use of information resources, and adopts technologies such as virtualization and distributed storage to share and allocate computing and storage resources on demand; even the networks in cloud computing are virtualized and dynamically allocated through technologies such as NFV (Network Functions Virtualization) and SDN (Software Defined Networking). Sharing raises resource utilization but increases management complexity, and in particular blurs the boundaries between different information systems. That blurring leaves many perimeter-based network security technologies, such as traditional firewalls and intrusion detection, in an awkward position; simple isolation technologies such as VLANs exist, but their security strength is insufficient, so it is difficult for users to achieve security management and control of their information on the cloud.
In this implementation, the cryptographic services are given high-level modular encapsulation, which provides differentiated cryptographic service capability based on cloud technology (the traditional mode being a localized, non-cloud mode), reduces the difficulty of integrating cryptographic services, and forms a cryptographic service center platform that is easy to integrate, transparent, efficient, flexible and easy to use.
In some optional implementations of this embodiment, the executing body may execute step 203 as follows:
First, a unified cryptographic service middleware is generated for the user for each of the cryptographic services.
In this implementation, the executing body may generate the unified cryptographic service middleware for the user through the interface layer of the cryptographic service platform shown in fig. 6.
Second, the cryptographic service middleware is used to provide the cryptographic service to the user through the cryptographic resource pool.
The cryptographic service middleware may take the form of an API or SDK, through which the user accesses a cryptographic service deployed in a container in the cryptographic resource pool.
In this implementation, the integrated design of the cryptographic service platform, unified resource management and a unified service interface provide a standardized, componentized service capability and improve the capability and efficiency with which the cryptographic resource pool serves users.
In some optional implementations of this embodiment, the executing body may execute the second step as follows: first, adaptation development between the user and the cryptographic service integrator is carried out on the cryptographic service middleware according to the cryptographic service that the middleware corresponds to; then the adapted cryptographic service middleware is used to provide the cryptographic service to the user through the cryptographic resource pool.
In this implementation, for each cryptographic service type among the data encryption service, data decryption service, signature service and signature verification service, the cryptographic service middleware corresponding to that type must explicitly configure, according to the type, cryptographic interface services such as file encryption, secure channel protection and signature verification. A unified external interface document is formed at the same time; it defines the SDK usage (adding the SDK dependency, initializing the SDK and so on) and the interface description (interface overview, call examples, parameter descriptions and so on), so that reliable and stable communication can be achieved between the user's equipment and the cryptographic service integrator's equipment.
In some optional implementations of this embodiment, the executing body may execute the second step as follows: first, while the cryptographic service is being provided to the user through the cryptographic resource pool, the cryptographic computing power of the cryptographic service corresponding to the user is monitored; then the user's cryptographic service is dynamically scaled out or scaled in according to that computing power.
As an example, the executing body may monitor in real time the cryptographic computing power of the cryptographic service corresponding to the user. When the first computing power provided by that service is smaller than the second computing power required by the user, the user's cryptographic service is scaled out; when the first computing power provided is significantly larger than the second computing power required (for example, the excess of the first over the second exceeds a preset threshold), the user's cryptographic service is scaled in.
In this implementation, in addition to supporting dynamic scaling out and in, unified operation and maintenance monitoring of all cryptographic devices is supported; operating states and alarm information can be observed in real time, reducing the workload and difficulty for operation and maintenance staff.
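The scaling rule just described (scale out when the provided "first" computing power is below the required "second" computing power, scale in only when the surplus exceeds a preset threshold) is shown below as a Go program. This is an added example, not code from the patent or the applicant: the ops/s units, the per-container capacity, the replica bounds and the names `Scaler`, `Sample`, `Decide` and `Simulate` are all assumptions made here. The threshold acts as hysteresis, which is what keeps a pool from flapping between scale-out and scale-in around the exact demand line.

```go
package main

import "fmt"

// Sample is one monitoring reading for a user's cryptographic service.
// Provided is the "first" computing power (what the user's containers deliver),
// Required the "second" (what the user needs); units are constructed ops/s.
type Sample struct {
	Provided int
	Required int
}

// Plan is the scaling decision taken for one sample.
type Plan struct {
	Action   string // "expand", "shrink" or "hold"
	Replicas int    // target number of service containers after the decision
}

// Scaler holds the assumed per-container capacity and the pool's bounds.
type Scaler struct {
	PerReplica      int // ops/s one container provides (assumed constant)
	MinReplicas     int
	MaxReplicas     int
	ShrinkThreshold int // surplus ops/s tolerated before shrinking (the "preset threshold")
}

func ceilDiv(a, b int) int { return (a + b - 1) / b }

// clamp keeps a replica count inside the pool's configured bounds.
func (s Scaler) clamp(n int) int {
	if n < s.MinReplicas {
		return s.MinReplicas
	}
	if n > s.MaxReplicas {
		return s.MaxReplicas
	}
	return n
}

// Decide applies the rule from the text: expand when provided < required,
// shrink only when the surplus exceeds the preset threshold, otherwise hold.
func (s Scaler) Decide(current int, m Sample) Plan {
	needed := s.clamp(ceilDiv(m.Required, s.PerReplica))
	switch {
	case m.Provided < m.Required && needed > current:
		return Plan{"expand", needed}
	case m.Provided-m.Required > s.ShrinkThreshold && needed < current:
		return Plan{"shrink", needed}
	}
	return Plan{"hold", current}
}

// Simulate feeds a sequence of demand readings through Decide, recomputing the
// provided capacity from the replica count after each decision, and returns
// the replica count after every sample.
func (s Scaler) Simulate(start int, required []int) []int {
	replicas := start
	history := make([]int, 0, len(required))
	for _, req := range required {
		p := s.Decide(replicas, Sample{Provided: replicas * s.PerReplica, Required: req})
		replicas = p.Replicas
		history = append(history, replicas)
	}
	return history
}

func main() {
	s := Scaler{PerReplica: 100, MinReplicas: 1, MaxReplicas: 10, ShrinkThreshold: 150}
	// Demand rises, holds, drops, then spikes past the pool's maximum.
	fmt.Println(s.Simulate(2, []int{350, 350, 100, 1500, 2000, 50}))
}
```

Note that `MaxReplicas` caps the response to a demand spike: when required capacity exceeds what the pool can ever provide, the decision is "hold" at the maximum rather than an unbounded expansion, which is the case a monitoring alarm (rather than the autoscaler) should surface.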
In some optional implementations of this embodiment, the executing body may further perform the following operation: according to a received service customization operation, a customized cryptographic service is allocated from the cryptographic resource pool to the user corresponding to that operation.
With continued reference to fig. 8, a flow diagram of a customized cryptographic service is shown. The customized cryptographic service comprises the following steps:
1. The user logs in to the cloud service platform, which redirects to the cryptographic service platform through single sign-on.
2. On the cryptographic service platform, the cloud user customizes platform-side cryptographic resources by selecting services (including encryption services, decryption services, key services and so on) in a visual interface.
3. After successful customization, the cryptographic service platform manages and allocates cryptographic resources through national standard interface specifications such as GMT 0018-2012 (Cryptographic Device Application Interface Specification), GMT 0020-2012 (Certificate Application Integrated Service Interface Specification) and GMT 0019-2012 (General Cryptographic Service Interface Specification).
4. After customization is completed, the cryptographic service platform outputs the general cryptographic service middleware (including the SDK usage, interface descriptions and so on), so that the cryptographic service deployed in a container in the cryptographic resource pool is accessed through that middleware.
In this implementation, the user can customize the required cryptographic services through a visual interface, which improves the convenience and experience of the user's operation.
To further illustrate the implementation of the cloud cryptographic service, with continued reference to fig. 9, a deployment diagram of the method for implementing a cloud cryptographic service is shown.
On the service side, hardware devices or software systems such as a cryptographic service platform, a cloud server cryptographic machine, a collaborative signature system, a signature verification system and a timestamp system are deployed to form the cryptographic resource pool. The cryptographic service platform manages the cryptographic resource pool uniformly and provides a highly encapsulated interface for each application system to call.
A VPN integrated security gateway is deployed on the communication links of operation and maintenance, internal and public users to provide identity authentication of accessing users and a national-algorithm SSL (Secure Socket Layer) secure transmission channel, ensuring the confidentiality and integrity of data transmission.
A national-algorithm HTTPS channel access system is established through digital certificates based on national cryptographic algorithms, in conjunction with a national-algorithm browser and a smart cryptographic key.
In summary, the above embodiments describe the following outstanding features of the method for implementing a cloud cryptographic service:
1. Cloud service, resource integration
By constructing the cryptographic resource pool, cloud deployment and management of cryptographic services are realized, with support for tenant-oriented management and tenant self-management; the capabilities of cryptographic devices from different manufacturers and of different models are integrated, so that devices are reused and existing investment is protected; and unified management of cryptographic services is supported in hybrid multi-cloud scenarios involving multiple cloud vendors.
2. On-demand invocation, elastic scaling
A container virtualization technique is adopted to allocate service instances on demand; virtualization of the cloud cryptographic service supports elastic scaling.
3. Intensive enablement, one-stop management
Through the integrated design of the cryptographic service platform, unified cryptographic resource management and a unified service interface, a standardized, componentized service capability is provided; unified operation, management and monitoring of cryptographic devices is supported, with visualization of the running states of the devices and the cryptographic services.
4. Flexible deployment, convenient delivery
Resources are deployed through the cloud platform, supporting quick interfacing and quick launch of user applications.
With continued reference to fig. 10, a schematic flow 1000 of a further embodiment of a method for implementing a cloud cryptographic service according to the application is shown, comprising the following steps:
Step 1001, a plurality of cryptographic devices belonging to different cryptographic service providers and of different models are interfaced through a preset interfacing standard.
Step 1002, in response to successful interfacing, the cryptographic services provided by the cryptographic devices are classified.
Step 1003, the classified cryptographic services are normalized so that the service parameters of the cryptographic devices conform to the parameter standard of the cryptographic service integrator.
Step 1004, each of the cryptographic services is packaged as a module, obtaining a plurality of modular cryptographic services.
Step 1005, a container virtualization technique is used to generate, based on the modular cryptographic services, a cryptographic resource pool that provides the cryptographic services.
Step 1006, for each of the cryptographic services, a unified cryptographic service middleware is generated for the user.
Step 1007, adaptation development between the user and the cryptographic service integrator is carried out on the cryptographic service middleware according to the cryptographic service that the middleware corresponds to.
Step 1008, the adapted cryptographic service middleware is used to provide the cryptographic service to the user through the cryptographic resource pool.
As can be seen, compared with the embodiment corresponding to fig. 2, the flow 1000 of the method for implementing a cloud cryptographic service in this embodiment specifically illustrates the process of interfacing the cryptographic devices, the process of generating the cryptographic resource pool and the process of providing cryptographic services based on the pool; by constructing the cryptographic resource pool, cloud deployment and management of cryptographic services are achieved.
With continued reference to fig. 11, a schematic flow 1100 of one embodiment of a method for providing a cloud cryptographic service according to the present application is shown, comprising the following steps:
Step 1101, a cryptographic service type is determined according to a received cryptographic service request.
In this embodiment, the executing body of the method for providing a cloud cryptographic service (e.g., a terminal device or server in fig. 1) may receive a user's cryptographic service request and determine the cryptographic service type from it.
The cryptographic service request may request a cryptographic service type such as a data encryption service, data decryption service, signature service or signature verification service, and the requested type may be determined by parsing the request.
Step 1102, according to the cryptographic service type, a target container providing the cryptographic service of that type is determined from the cryptographic resource pool.
In this embodiment, the executing body may determine, according to the cryptographic service type, a target container providing the cryptographic service of that type from the cryptographic resource pool, in which different cryptographic services are deployed in containers; the pool can be obtained through the embodiments 200 and 1000 described above.
As an example, the executing body may determine which cryptographic service is deployed in each container of the cryptographic resource pool, and thereby whether that container can serve as the target container providing the cryptographic service of the requested type.
Step 1103, the desired cryptographic service is provided through the target container.
In this embodiment, the executing body may provide the cryptographic service requested by the cryptographic service request through the target container.
With continued reference to fig. 12, a flow chart of the processing of a data encryption request is shown.
The processing flow of a data encryption request comprises the following steps:
Step 1, the business application calls the encryption interface of the cryptographic service platform and passes the identity parameters at the same time.
Step 2, the cryptographic service platform has pooled, in advance and using cloud technology, the cryptographic services provided by the cryptographic devices, and has encapsulated the interface used to communicate with the user.
Step 3, the cryptographic service platform carries out the encryption operation using the pooled cryptographic computing power.
Step 4, the cryptographic service platform returns the ciphertext to the business application.
Step 5, the business application stores the ciphertext data on the database server.
Step 6, the database server returns the ciphertext storage result to the business application.
With continued reference to fig. 13, a flow chart of the processing of a data decryption request is shown.
The processing flow of a data decryption request comprises the following steps:
Step 1, the business application queries the ciphertext from the database server.
Step 2, the database server returns the ciphertext query result to the business application.
Step 3, the business application pushes the ciphertext to the cryptographic service platform.
Step 4, the cryptographic service platform has encapsulated the cryptographic devices in advance through cloud technology to form interface services, and manages the devices as a pool.
Step 5, the cryptographic service platform carries out the ciphertext decryption operation using the pooled cryptographic computing power.
Step 6, the cryptographic service platform returns the operation result (the decrypted plaintext) to the business application.
With continued reference to fig. 14, a flow chart of the processing of a signature service request is shown.
The processing flow of a signature service request comprises the following steps:
Step 1, the business application retrieves the ciphertext data from the database server.
Step 2, the business application requests the cryptographic service platform to invoke the digital signature service.
Step 3, the cryptographic service platform has encapsulated the signature verification device in advance through cloud technology to form an interface, and manages the signature verification device as a pool.
Step 4, the cryptographic service platform generates a signature value over the ciphertext data through the pooled cryptographic service.
Step 5, the cryptographic service platform returns the ciphertext data and the signature value to the business application.
Step 6, the business application returns the ciphertext data and the signature value to the database server.
With continued reference to fig. 15, a flow chart of the processing of a signature verification service request is shown.
The processing flow of a signature verification service request comprises the following steps:
Step 1, the user logs in to the business system through a USB key.
Step 2, the business system invokes the signature service flow.
Step 3, the business system returns the signature value and writes it into the USB key.
Step 4, the USB key forms an identity digital certificate for the signature value, and the business system invokes the signature verification service of the cryptographic service platform through the USB key.
Step 5, the cryptographic service platform has encapsulated the signature verification device through cloud technology to form an interface, and manages the signature verification device as a pool.
Step 6, the cryptographic service platform returns the signature verification result through the pooled signature verification service, verifying the digital certificate.
If the signature verification passes, the subsequent business flow is permitted to proceed and the verification result is recorded on the database server. If the signature verification fails, the subsequent business flow is refused.
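The signature flow of fig. 14 and the verification gate of fig. 15 are shown below as a Go program. This is an added example, not code from the patent or the applicant: ECDSA over P-256 with SHA-256 is an assumption standing in for the national algorithm the deployment would use, the `BusinessSystem` and `Record` types stand in for the business system and its database server, and the USB key and certificate handling of steps 1 to 4 are outside what the example models. The point it makes concrete is the last paragraph: the business flow proceeds only on a passing verification result, and the result is recorded whether it passes or fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignatureService stands in for the pooled signature verification device.
// ECDSA over P-256 with SHA-256 is an assumption made here; the deployment
// described above would use the national algorithm behind the same interface.
type SignatureService struct{ key *ecdsa.PrivateKey }

func NewSignatureService() (*SignatureService, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SignatureService{key: k}, nil
}

// Sign produces the signature value over the ciphertext data (fig. 14 step 4).
func (s *SignatureService) Sign(ciphertext []byte) ([]byte, error) {
	h := sha256.Sum256(ciphertext)
	return ecdsa.SignASN1(rand.Reader, s.key, h[:])
}

// Verify returns the signature verification result (fig. 15 step 6).
func (s *SignatureService) Verify(ciphertext, sig []byte) bool {
	h := sha256.Sum256(ciphertext)
	return ecdsa.VerifyASN1(&s.key.PublicKey, h[:], sig)
}

// Record is what the business system writes to its database server.
type Record struct {
	Passed bool
	Detail string
}

// BusinessSystem gates the subsequent business flow on the verification
// result and records that result either way.
type BusinessSystem struct {
	platform *SignatureService
	db       []Record // stands in for the database server
}

// Proceed implements the decision after fig. 15 step 6: permit the subsequent
// flow only when verification passes.
func (b *BusinessSystem) Proceed(ciphertext, sig []byte) (bool, error) {
	ok := b.platform.Verify(ciphertext, sig)
	rec := Record{Passed: ok, Detail: "signature verification passed; business flow permitted"}
	if !ok {
		rec.Detail = "signature verification failed; business flow refused"
	}
	b.db = append(b.db, rec)
	if !ok {
		return false, fmt.Errorf("%s", rec.Detail)
	}
	return true, nil
}

// Records exposes what was written to the database server.
func (b *BusinessSystem) Records() []Record { return b.db }

func main() {
	svc, err := NewSignatureService()
	if err != nil {
		panic(err)
	}
	b := &BusinessSystem{platform: svc}
	ct := []byte("stored ciphertext blob") // constructed stand-in for fig. 14 step 1
	sig, _ := svc.Sign(ct)
	fmt.Println(b.Proceed(ct, sig))
	ct[0] ^= 1 // the stored ciphertext was altered after signing
	fmt.Println(b.Proceed(ct, sig))
	fmt.Println(b.Records())
}
```

Because the signature covers the ciphertext as stored, any alteration of the stored data after step 6 of fig. 14 is caught at verification time and the record shows the refusal, which is the evidence an operator needs when reviewing why a business flow did not proceed.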
With continued reference to fig. 16, as an implementation of the method shown in the foregoing drawings, the present application provides an embodiment of an implementation apparatus of a cloud cryptographic service, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 2, and the apparatus may be specifically applied to various electronic devices.
As shown in fig. 16, an implementation apparatus 1600 of a cloud cryptographic service includes: a docking unit 1601 configured to dock a plurality of cryptographic devices providing a plurality of cryptographic services; a generation unit 1602 configured to generate a cryptographic resource pool providing a plurality of cryptographic services using a container virtualization technique based on a plurality of cryptographic devices; a service unit 1603 configured to provide cryptographic services to users via a cryptographic resource pool.
In some optional implementations of this embodiment, the docking unit 1601 is further configured to: docking a plurality of password devices belonging to different password service providers and different models through a preset docking standard; and in response to successful docking, combing the plurality of cryptographic services provided by the plurality of cryptographic devices so that service parameters of the plurality of cryptographic devices adapt to parameter standards of the cryptographic service integrator.
In some optional implementations of this embodiment, the docking unit 1601 is further configured to: classifying a plurality of cryptographic services provided by the plurality of cryptographic devices in response to successful docking; and combing the classified multiple password services so that the service parameters of the multiple password devices adapt to the parameter standards of the password service integrator.
In some optional implementations of this embodiment, the generating unit 1602 is further configured to: each of the plurality of cryptographic services is subjected to modularized packaging to obtain a plurality of modularized cryptographic services; a container virtualization technology is adopted, and a password resource pool for providing a plurality of password services is generated based on the plurality of modularized password services.
In some optional implementations of this embodiment, the service unit 1603 is further configured to: generating unified password service middleware for a user aiming at each password service of a plurality of password services; and providing password service for the user through the password resource pool by adopting the password service middleware.
In some optional implementations of this embodiment, the service unit 1603 is further configured to: according to the password service corresponding to the password service middleware, carrying out adaptation development between a user and a password service integrating party on the password service middleware; and providing the password service for the user through the password resource pool by adopting the password service middleware after the adaptation development.
In some optional implementations of this embodiment, the service unit 1603 is further configured to: in the process of providing the password service for the user through the password resource pool, monitoring the password service computing power of the password service corresponding to the user; and dynamically expanding or shrinking the volume of the password service of the user according to the calculation power of the password service.
In some optional implementations of this embodiment, the apparatus further includes: a customizing unit (not shown in the figure) configured to: and according to the received service customizing operation, distributing customized password service for the user corresponding to the service customizing operation from the password resource pool.
In this embodiment, a docking unit in an implementation apparatus of a cloud cryptographic service docks a plurality of cryptographic devices that provide a plurality of cryptographic services; the generation unit generates a password resource pool for providing a plurality of password services by adopting a container virtualization technology based on a plurality of password devices; the service unit provides the password service for the user through the password resource pool, so that the cloud password service realization device is provided, and cloud deployment and management of the password service are realized through constructing the password resource pool.
With continued reference to fig. 17, as an implementation of the method shown in the foregoing figures, the present application provides an embodiment of an apparatus for providing a cloud cryptographic service, where the embodiment of the apparatus corresponds to the embodiment of the method shown in fig. 10, and the apparatus may be specifically applied to various electronic devices.
As shown in fig. 17, an apparatus 1700 for providing a cloud cryptographic service includes: a first determining unit 1701 configured to determine a cryptographic service type according to a received cryptographic service request; a second determining unit 1702 configured to determine, according to the cryptographic service type, a target container that provides the cryptographic service of that type from a cryptographic resource pool, where different cryptographic services are deployed in containers in the cryptographic resource pool; and a service providing unit 1703 configured to provide the cryptographic service requested by the cryptographic service request through the target container.
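The docking and middleware behaviour described for the docking unit and the service unit above (docking devices through a preset standard, organizing each device's services so that their parameters conform to the integrator's parameter standard, and exposing a unified middleware to the user) can be shown in one Python sketch. The following is an added example and not code from the patent or its assignee: the two vendor device classes and their native parameter conventions (`VendorADevice` with hyphenated algorithm identifiers and hex output, `VendorBDevice` with numeric codes and base64), the `APPROVED_ALGORITHMS` set standing in for the integrator's parameter standard, and the `CryptoMiddleware` class are all constructed for illustration.

```python
"""Unified cryptographic service middleware over heterogeneous devices.

Added example, not the patent's code. The vendor devices, their parameter
conventions and the integrator's parameter standard are constructed.
"""
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import base64
import hashlib
import hmac
import secrets

# Integrator's parameter standard (constructed): the canonical algorithm names a
# caller may request. Anything else is rejected before it reaches a device.
APPROVED_ALGORITHMS = {"sha256", "sha512", "hmac-sha256"}


@dataclass(frozen=True)
class ServiceRequest:
    algorithm: str   # canonical name from APPROVED_ALGORITHMS
    data: bytes


class CryptoDevice(ABC):
    """Docking standard (constructed): every device reports what it offers and
    performs a canonical request, returning raw bytes."""
    vendor: str

    @abstractmethod
    def capabilities(self) -> Set[str]: ...

    @abstractmethod
    def perform(self, req: ServiceRequest) -> bytes: ...


class VendorADevice(CryptoDevice):
    """Vendor A (constructed): hyphenated algorithm ids, hex output.
    It also offers MD5, which the integrator standard does not accept."""
    vendor = "A"
    _NAMES = {"sha256": "SHA-256", "sha512": "SHA-512", "md5": "MD5"}

    def _native_digest(self, alg_id: str, data: bytes) -> str:
        return hashlib.new(alg_id.replace("-", "").lower(), data).hexdigest()

    def capabilities(self) -> Set[str]:
        return set(self._NAMES)

    def perform(self, req: ServiceRequest) -> bytes:
        # Translate the canonical name to the vendor id and the hex result to bytes.
        return bytes.fromhex(self._native_digest(self._NAMES[req.algorithm], req.data))


class VendorBDevice(CryptoDevice):
    """Vendor B (constructed): numeric algorithm codes, base64 in and out, and an
    internal MAC key that never leaves the device object."""
    vendor = "B"
    _CODES = {"sha256": 1, "hmac-sha256": 2}

    def __init__(self) -> None:
        self._mac_key = secrets.token_bytes(32)

    def _native_call(self, code: int, data_b64: str) -> str:
        data = base64.b64decode(data_b64)
        if code == 1:
            out = hashlib.sha256(data).digest()
        elif code == 2:
            out = hmac.new(self._mac_key, data, hashlib.sha256).digest()
        else:
            raise ValueError(f"vendor B: unknown algorithm code {code}")
        return base64.b64encode(out).decode()

    def capabilities(self) -> Set[str]:
        return set(self._CODES)

    def perform(self, req: ServiceRequest) -> bytes:
        encoded = base64.b64encode(req.data).decode()
        return base64.b64decode(self._native_call(self._CODES[req.algorithm], encoded))


class CryptoMiddleware:
    """Docks devices, organizes their services under canonical names, validates
    requests against the integrator standard and dispatches to a device."""

    def __init__(self) -> None:
        self._catalogue: Dict[str, List[CryptoDevice]] = {}

    def dock(self, device: CryptoDevice) -> Set[str]:
        """Return the services accepted from this device (approved ones only)."""
        accepted = device.capabilities() & APPROVED_ALGORITHMS
        for alg in accepted:
            self._catalogue.setdefault(alg, []).append(device)
        return accepted

    def catalogue(self) -> Dict[str, List[str]]:
        return {alg: [d.vendor for d in devs] for alg, devs in sorted(self._catalogue.items())}

    def invoke(self, req: ServiceRequest, prefer_vendor: Optional[str] = None) -> bytes:
        if req.algorithm not in APPROVED_ALGORITHMS:
            raise ValueError(f"algorithm {req.algorithm!r} is outside the integrator standard")
        devices = self._catalogue.get(req.algorithm)
        if not devices:
            raise LookupError(f"no docked device offers {req.algorithm!r}")
        if prefer_vendor is not None:
            devices = [d for d in devices if d.vendor == prefer_vendor] or devices
        return devices[0].perform(req)
```

Docking filters each device's catalogue through the approved list, so an algorithm a device happens to offer but the integrator's standard does not cover (the constructed vendor A's MD5 entry) is never reachable through the middleware, and `invoke` re-checks the request against the same list so the restriction does not depend on the catalogue alone. Vendor B's MAC key stays inside the device object; the middleware only ever sees output bytes, which is the boundary a pool of cryptographic devices is meant to preserve.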
Referring now to FIG. 18, there is illustrated a schematic diagram of a computer system 1800 suitable for use with devices (e.g., devices 101, 102, 103, 105 shown in FIG. 1) implementing embodiments of the present application. The apparatus shown in fig. 18 is merely an example, and should not be construed as limiting the functionality and scope of use of the embodiments of the present application.
As shown in fig. 18, the computer system 1800 includes a processor (e.g., CPU, central processing unit) 1801, which can perform various appropriate actions and processes in accordance with programs stored in a Read Only Memory (ROM) 1802 or programs loaded from a storage portion 1808 into a Random Access Memory (RAM) 1803. In the RAM 1803, various programs and data required for the operation of the system 1800 are also stored. The processor 1801, ROM 1802, and RAM 1803 are connected to each other by a bus 1804. An input/output (I/O) interface 1805 is also connected to the bus 1804.
The following components are connected to the I/O interface 1805: an input section 1806 including a keyboard, a mouse, and the like; an output portion 1807 including a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), a speaker, and the like; a storage section 1808 including a hard disk or the like; and a communication section 1809 including a network interface card such as a LAN card, a modem, or the like. The communication section 1809 performs communication processing via a network such as the internet. A drive 1810 is also connected to the I/O interface 1805 as needed. Removable media 1811, such as magnetic disks, optical disks, magneto-optical disks, semiconductor memory, and the like, is installed as needed on the drive 1810 so that a computer program read therefrom is installed as needed into the storage portion 1808.
In particular, according to embodiments of the present application, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such embodiments, the computer program may be downloaded and installed from a network via the communication portion 1809, and/or installed from the removable medium 1811. The above-described functions defined in the method of the present application are performed when the computer program is executed by the processor 1801.
The computer readable medium of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present application, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the client computer, partly on the client computer, as a stand-alone software package, partly on the client computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the client computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present application may be implemented in software or in hardware. The described units may also be provided in a processor, for example, described as: a processor includes a docking unit, a generating unit, and a service unit. As another example, it can be described as: a processor includes a first determination unit, a second determination unit, and a service providing unit. Where the names of these units do not constitute a limitation on the unit itself in some cases, for example, the generation unit may also be described as "a unit that generates a cryptographic resource pool that provides a plurality of cryptographic services using a container virtualization technique based on a plurality of cryptographic devices".
As another aspect, the present application also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may exist alone without being fitted into the apparatus. The computer readable medium carries one or more programs which, when executed by the apparatus, cause the apparatus to: dock with a plurality of cryptographic devices that provide a plurality of cryptographic services; generate, based on the plurality of cryptographic devices and using a container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services; and provide the cryptographic service for the user through the cryptographic resource pool. The apparatus may also be caused to: determine a cryptographic service type according to a received cryptographic service request; determine, according to the cryptographic service type, a target container that provides the cryptographic service of that type from the cryptographic resource pool, wherein different cryptographic services are deployed in containers in the cryptographic resource pool; and provide the requested cryptographic service through the target container.
The above description is only illustrative of the preferred embodiments of the present application and of the principles of the technology employed. It will be appreciated by persons skilled in the art that the scope of the application is not limited to the specific combinations of the technical features described above, but also covers other technical solutions formed by any combination of the technical features described above or their equivalents without departing from the inventive concept described above, for example, solutions in which the features described above are replaced with technical features disclosed in the present application (but not limited thereto) that have similar functions.

Claims (13)

1. A method for realizing a cloud cryptographic service, comprising the following steps:
docking with a plurality of cryptographic devices that provide a plurality of cryptographic services;
generating, based on the plurality of cryptographic devices and using a container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services;
and providing a cryptographic service for the user through the cryptographic resource pool.
2. The method of claim 1, wherein the docking with a plurality of cryptographic devices that provide a plurality of cryptographic services comprises:
docking, through a preset docking standard, with a plurality of cryptographic devices of different cryptographic service providers and different models;
and organizing, in response to successful docking, the plurality of cryptographic services provided by the plurality of cryptographic devices so that the service parameters of the plurality of cryptographic devices conform to the parameter standard of a cryptographic service integrator.
3. The method of claim 1, wherein the organizing, in response to successful docking, the plurality of cryptographic services provided by the plurality of cryptographic devices comprises:
classifying, in response to successful docking, the plurality of cryptographic services provided by the plurality of cryptographic devices;
and organizing the classified plurality of cryptographic services so that the service parameters of the plurality of cryptographic devices conform to the parameter standard of the cryptographic service integrator.
4. The method of claim 1, wherein the generating, based on the plurality of cryptographic devices and using a container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services comprises:
packaging each of the plurality of cryptographic services as a module to obtain a plurality of modularized cryptographic services;
and generating, based on the plurality of modularized cryptographic services and using the container virtualization technology, the cryptographic resource pool that provides the plurality of cryptographic services.
5. The method of claim 1, wherein the providing the cryptographic service for the user through the cryptographic resource pool comprises:
generating, for each of the plurality of cryptographic services, unified cryptographic service middleware for the user;
and providing the cryptographic service for the user through the cryptographic resource pool using the cryptographic service middleware.
6. The method of claim 5, wherein the providing the cryptographic service for the user through the cryptographic resource pool using the cryptographic service middleware comprises:
performing, on the cryptographic service middleware, adaptation development between the user and the cryptographic service integrator according to the cryptographic service to which the middleware corresponds;
and providing the cryptographic service for the user through the cryptographic resource pool using the cryptographic service middleware after the adaptation development.
7. The method of claim 1 or 5, wherein the providing the cryptographic service for the user through the cryptographic resource pool comprises:
monitoring, while the cryptographic service is being provided for the user through the cryptographic resource pool, the cryptographic computing power of the cryptographic service corresponding to the user;
and dynamically scaling the user's cryptographic service up or down according to the cryptographic computing power.
8. The method of claim 1, further comprising:
allocating, according to a received service customization operation, a customized cryptographic service from the cryptographic resource pool to the user corresponding to the service customization operation.
9. A method for providing a cloud cryptographic service, comprising:
determining a cryptographic service type according to a received cryptographic service request;
determining, according to the cryptographic service type, a target container that provides the cryptographic service of that type from a cryptographic resource pool, wherein different cryptographic services are deployed in containers in the cryptographic resource pool;
and providing the cryptographic service requested by the cryptographic service request through the target container.
10. An apparatus for realizing a cloud cryptographic service, comprising:
a docking unit configured to dock with a plurality of cryptographic devices that provide a plurality of cryptographic services;
a generation unit configured to generate, based on the plurality of cryptographic devices and using a container virtualization technology, a cryptographic resource pool that provides the plurality of cryptographic services;
and a service unit configured to provide a cryptographic service for the user through the cryptographic resource pool.
11. An apparatus for providing a cloud cryptographic service, comprising:
a first determining unit configured to determine a cryptographic service type according to a received cryptographic service request;
a second determining unit configured to determine, according to the cryptographic service type, a target container that provides the cryptographic service of that type from a cryptographic resource pool, wherein different cryptographic services are deployed in containers in the cryptographic resource pool;
and a service providing unit configured to provide the cryptographic service requested by the cryptographic service request through the target container.
12. A computer readable medium having stored thereon a computer program, wherein the program when executed by a processor implements the method of any of claims 1-9.
13. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon which, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-9.
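The request-handling method of claim 9 and the scaling step of claim 7 (the behaviour the first and second determining units and the service providing unit of apparatus 1700 implement in the specification) can be put together as one dispatcher over a container pool. The following Python code is an added example and not the patent's code: the request dictionary layout (`service` and `payload` keys), the two service types, the per-container capacity counter, and the scale-up and scale-down watermarks are constructed assumptions.

```python
"""Dispatching cryptographic service requests to containers in a resource pool.

Added example, not the patent's code. Request layout, service types, capacity
accounting and scaling thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List
import hashlib
import hmac
import secrets


class ServiceType(Enum):
    HASH = "hash"
    MAC = "mac"


@dataclass
class Container:
    """One containerised cryptographic service. The key is held inside the
    container object and never returned, mirroring the device boundary."""
    container_id: str
    service_type: ServiceType
    capacity: int            # requests the container can hold at once (assumed)
    in_flight: int = 0
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)

    def utilisation(self) -> float:
        return self.in_flight / self.capacity

    def handle(self, payload: bytes) -> bytes:
        if self.service_type is ServiceType.HASH:
            return hashlib.sha256(payload).digest()
        if self.service_type is ServiceType.MAC:
            return hmac.new(self._key, payload, hashlib.sha256).digest()
        raise ValueError(f"unsupported service type {self.service_type}")


class ResourcePool:
    """Containers grouped by service type, least-loaded selection, and
    watermark-based scaling (thresholds are constructed)."""
    SCALE_UP_AT = 0.8
    SCALE_DOWN_AT = 0.2
    MIN_CONTAINERS = 1

    def __init__(self) -> None:
        self._containers: Dict[ServiceType, List[Container]] = {t: [] for t in ServiceType}
        self._next_id = 0

    def add_container(self, service_type: ServiceType, capacity: int = 4) -> Container:
        if capacity <= 0:
            raise ValueError("capacity must be positive")
        self._next_id += 1
        c = Container(f"{service_type.value}-{self._next_id}", service_type, capacity)
        self._containers[service_type].append(c)
        return c

    def containers(self, service_type: ServiceType) -> List[Container]:
        return list(self._containers[service_type])

    def select_target(self, service_type: ServiceType) -> Container:
        """Step 2 of claim 9: pick a container of the requested type with room."""
        candidates = [c for c in self._containers[service_type] if c.in_flight < c.capacity]
        if not candidates:
            raise RuntimeError(f"no container with free capacity for {service_type.value}")
        return min(candidates, key=Container.utilisation)

    def scale(self, service_type: ServiceType) -> int:
        """Claim 7: expand or shrink the containers of one type; returns the new count."""
        pool = self._containers[service_type]
        if not pool:
            return 0
        avg = sum(c.utilisation() for c in pool) / len(pool)
        if avg > self.SCALE_UP_AT:
            self.add_container(service_type)
        elif avg < self.SCALE_DOWN_AT and len(pool) > self.MIN_CONTAINERS:
            idle = [c for c in pool if c.in_flight == 0]
            if idle:
                pool.remove(idle[-1])   # retire only a container with no work in flight
        return len(pool)


def determine_service_type(request: dict) -> ServiceType:
    """Step 1 of claim 9: derive the service type from the request."""
    try:
        return ServiceType(request["service"])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"request does not name a supported service: {request!r}") from exc


def serve(pool: ResourcePool, request: dict) -> bytes:
    """Steps 2 and 3 of claim 9: route to a target container and let it serve."""
    service_type = determine_service_type(request)
    target = pool.select_target(service_type)
    target.in_flight += 1
    try:
        return target.handle(request["payload"])
    finally:
        target.in_flight -= 1
```

`select_target` only considers containers with free capacity and picks the least loaded, so a request is never routed to a saturated container, and when no container of the requested type has room the call fails rather than falling back to a container deployed for a different service. `scale` adds a container when average utilisation passes the high watermark and retires only idle containers when it drops below the low one, keeping at least one container per service type so the type stays reachable.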
CN202311163238.1A 2023-09-11 2023-09-11 Method and device for realizing cloud password service Pending CN117061221A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311163238.1A CN117061221A (en) 2023-09-11 2023-09-11 Method and device for realizing cloud password service

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311163238.1A CN117061221A (en) 2023-09-11 2023-09-11 Method and device for realizing cloud password service

Publications (1)

Publication Number Publication Date
CN117061221A true CN117061221A (en) 2023-11-14

Family

ID=88660905

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311163238.1A Pending CN117061221A (en) 2023-09-11 2023-09-11 Method and device for realizing cloud password service

Country Status (1)

Country Link
CN (1) CN117061221A (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination