CN117335986A - Method, system, device, storage medium and electronic equipment for managing cryptographic module - Google Patents
Method, system, device, storage medium and electronic equipment for managing cryptographic module Download PDFInfo
- Publication number
- CN117335986A CN117335986A CN202311563113.8A CN202311563113A CN117335986A CN 117335986 A CN117335986 A CN 117335986A CN 202311563113 A CN202311563113 A CN 202311563113A CN 117335986 A CN117335986 A CN 117335986A
- Authority
- CN
- China
- Prior art keywords
- module
- password
- management system
- registration
- cryptographic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 83
- 238000012795 verification Methods 0.000 claims description 27
- 238000004590 computer program Methods 0.000 claims description 15
- 102000036364 Cullin Ring E3 Ligases Human genes 0.000 claims description 12
- 108091007045 Cullin Ring E3 Ligases Proteins 0.000 claims description 12
- 238000007726 management method Methods 0.000 description 163
- 230000008569 process Effects 0.000 description 12
- 238000010586 diagram Methods 0.000 description 6
- 238000004422 calculation algorithm Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 5
- 230000009471 action Effects 0.000 description 3
- 230000002265 prevention Effects 0.000 description 3
- 230000003993 interaction Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000006378 damage Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 239000002699 waste material Substances 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
Some embodiments of the present application provide a method, a system, an apparatus, a storage medium, and an electronic device for managing a cryptographic module, where the method includes: after receiving the broadcasting information of the password management system, the password module automatically initiates a registration application to the password management system, and receives a challenge code fed back by the password management system aiming at a registration request sent by the password module; signing the generated environment evidence file, the equipment information and the challenge code to obtain a signature message; and sending a registration application to the password management system, wherein the registration application carries the signature message, so that the password management system completes the registration of the password module after verifying the signature message. Some embodiments of the present application may implement automated security management of cryptographic modules, with high practicality.
Description
Technical Field
The present application relates to the field of cryptographic module management technologies, and in particular, to a method, a system, an apparatus, a storage medium, and an electronic device for cryptographic module management.
Background
While cloud computing is widely extended into various industry fields, security is also an important problem to be broken through in the cloud computing field. Considering the use scenario and security of cloud computing, the cryptographic module of the service system is usually managed manually by an administrator to normally provide cryptographic services.
At present, a hardware cryptographic module such as a traditional cryptographic machine generally provides a special management client or a local management page, and a manager uses a device-specific IC card or a USBKey to perform device management initialization. Because the cloud computing scene has the scalability according to the demand, after the cryptographic module is accessed into the cloud computing environment, if the traffic volume of the cloud computing is increased, the demand for cryptographic services is also rapidly increased. However, the initialization process of the cryptographic module based on manual intervention seriously affects the rapid expansibility of the service, and cannot achieve automatic management, and further cannot provide normal cryptographic services.
Therefore, how to provide a method for managing a cryptographic module with a higher degree of automation becomes a technical problem to be solved.
Disclosure of Invention
An object of some embodiments of the present application is to provide a method, a system, an apparatus, a storage medium, and an electronic device for managing a cryptographic module, where automation and security management of the cryptographic module can be implemented through the technical solutions of the embodiments of the present application.
In a first aspect, some embodiments of the present application provide a method for cryptographic module management, applied to a cryptographic module, including: receiving a challenge code fed back by a password management system aiming at a registration request sent by the password module; signing the generated environment evidence file, the equipment information and the challenge code to obtain a signature message; and sending a registration application to the password management system, wherein the registration application carries the signature message, so that the password management system completes the registration of the password module after verifying the signature message.
The cryptographic module of some embodiments of the present application obtains a signature message by signing the received challenge code of the cryptographic management system and the locally generated environment proof file and the device information, and sends the signature message to the cryptographic management system by sending a registration application, so that the cryptographic management system can verify the signature message and then complete the cryptographic module registration. According to the method and the device, the automatic registration of the password module can be achieved, manual intervention is not needed, and rapid expansion can be achieved when the computing power of the password service needs to be expanded, so that normal password service is guaranteed.
In some embodiments, after the sending of the registration application to the password management system, the method further comprises: after receiving the registration success information sent by the password management system, sending an initialization request to the password management system so that the password management system can conveniently add the password module into a corresponding group; receiving group configuration information sent by the password management system, wherein the group configuration information comprises: the cryptographic module comprises access keys, key data, application information, application certificates, certificate chains and CRLs of the group to which the cryptographic module belongs.
According to the method and the device for initializing the password module, after registration is completed, the password management system can group the password modules and give the corresponding group configuration information to the password modules by sending an initialization request to the password management system, so that the initialization management of the password modules is achieved, the automation degree is high, and the expansion is easy.
In some embodiments, before the receiving the challenge code fed back by the password management system for the registration request sent by the password module, the method further includes: receiving broadcast information sent by the password management system, wherein the broadcast information carries broadcast messages, and the broadcast messages are obtained by signing system configuration information by the password management system; and after the broadcast message is confirmed to pass the verification, sending the registration request to the password management system.
According to the method and the device for managing the password, the password module can send the registration request to the password management system by receiving the broadcast information of the password management system and verifying the carried broadcast message, so that the security is guaranteed, and meanwhile, the automatic management of the same-segment password module can be achieved in a broadcast mode, and the efficiency is high.
In a second aspect, some embodiments of the present application provide a method for managing a cryptographic module, applied to a cryptographic management system, including: sending a challenge code corresponding to the registration request to the password module; receiving a registration application sent by the password module, wherein the registration application carries a signature message, and the signature message is obtained by signing the generated environment evidence file, equipment information and the challenge code by the password module; and confirming that the signature message passes verification, and sending registration success information to the password module.
The password management system of some embodiments of the present application completes the registration of the password module by sending the challenge code to the password module, then receiving the signature message sent by the challenge code and verifying the signature message. According to the method and the device, the automatic registration of the password module can be achieved, manual intervention is not needed, and rapid expansion can be achieved when the service requirement needs to be expanded, so that normal password service is guaranteed.
In some embodiments, after the sending registration success information to the cryptographic module, the method further comprises: receiving an initialization request sent by the password module; acquiring service information of the password module, and adding the password module into a group matched with the service information; transmitting group configuration information to the cryptographic module, wherein the group configuration information comprises: the cryptographic module comprises access keys, key data, application information, application certificates, certificate chains and CRLs of the group to which the cryptographic module belongs.
After receiving the initialization request of the cryptographic module, the embodiments of the present invention group the cryptographic module based on the service information of the cryptographic module and feed back the group configuration information, thereby realizing the initialization management of the cryptographic module, with high automation degree and easy expansion.
In some embodiments, before the sending the challenge code corresponding to the registration request to the cryptographic module, the method further comprises: signing system configuration information to obtain a broadcast message, wherein the system configuration information comprises: system IP and ports; sending broadcast information carrying the broadcast message to the cryptographic module so as to facilitate verification by the cryptographic module; and receiving the registration request sent by the password module.
According to the method and the device for the registration of the password module, the password module initiates registration by acquiring the broadcast message and sending the corresponding broadcast information to the password module, the security is guaranteed in the whole registration process, and meanwhile, the automatic management of the same-segment password module can be achieved in a broadcast mode, so that the efficiency is high.
In a third aspect, some embodiments of the present application provide a system for cryptographic module management, comprising: a password module and a password management system; wherein, the cryptographic module is used for: receiving a challenge code fed back by the password management system aiming at a registration request; signing the generated environment evidence file, the equipment information and the challenge code to obtain a signature message; sending a registration application to the password management system, wherein the registration application carries the signature message so that the password management system can complete the registration of the password module after verifying the signature message; the password management system is used for: sending the challenge code corresponding to the registration request to the password module; receiving a registration application sent by the password module, wherein the registration application carries a signature message; and confirming that the signature message passes verification, and sending registration success information to the password module.
In a fourth aspect, some embodiments of the present application provide an apparatus for cryptographic module management, applied to a cryptographic module, including: the first receiving module is used for receiving a challenge code fed back by the password management system aiming at the registration request sent by the password module; the first signature module is used for signing the generated environment evidence file, the equipment information and the challenge code to obtain a signature message; the first sending module is used for sending a registration application to the password management system, wherein the registration application carries the signature message, so that the password management system can finish the registration of the password module after verifying the signature message.
In a fifth aspect, some embodiments of the present application provide an apparatus for cryptographic module management, applied to a cryptographic management system, including: the second sending module is used for sending the challenge code corresponding to the registration request to the password module; the second receiving module is used for receiving a registration application sent by the password module, wherein the registration application carries a signature message, and the signature message is obtained by signing the generated environment evidence file, equipment information and the challenge code by the password module; and the verification module is used for confirming that the signature message passes verification and sending registration success information to the password module.
In a sixth aspect, some embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs a method according to any of the embodiments of the first aspect.
In a seventh aspect, some embodiments of the present application provide an electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, can implement a method according to any embodiment of the first aspect.
In an eighth aspect, some embodiments of the present application provide a computer program product comprising a computer program, wherein the computer program, when executed by a processor, is adapted to carry out the method according to any one of the embodiments of the first aspect.
Drawings
In order to more clearly illustrate the technical solutions of some embodiments of the present application, the drawings that are required to be used in some embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort to a person having ordinary skill in the art.
FIG. 1 is a system diagram of cryptographic module management provided in some embodiments of the present application;
FIG. 2 is one of the flow charts of the method of cryptographic module management provided in some embodiments of the present application;
FIG. 3 is a second flowchart of a method for cryptographic module management according to some embodiments of the present application;
FIG. 4 is an interactive flow chart of cryptographic module management provided in some embodiments of the present application;
FIG. 5 is one of the block diagrams of the apparatus for cryptographic module management provided in some embodiments of the present application;
FIG. 6 is a second block diagram of a cryptographic module management apparatus according to some embodiments of the present application;
fig. 7 is a schematic diagram of an electronic device according to some embodiments of the present application.
Detailed Description
The technical solutions in some embodiments of the present application will be described below with reference to the drawings in some embodiments of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Currently, digital economy has become an important direction for realizing high-quality development of economy, and the importance of security problems centered on data is continuously highlighted, so that passwords become the core of data full life cycle security. For example, cryptographic techniques such as digital certificates, data encryption, signatures, etc., are used throughout the collection, transmission, storage, processing, exchange, and destruction of data. The password can completely realize the functions of network space information disclosure prevention, content tamper prevention, identity impersonation prevention, behavior repudiation resistance and the like, and meets the security requirements of the network and the information system on confidentiality, integrity, authenticity, non-repudiation and the like. As cloud computing gradually goes deep into various social fields, security becomes an important problem to be broken through in the cloud computing field. In particular cryptographic applications as network security cores, are accelerating from behind the scenes to in front of the desks.
For security and usage scenario limitation, the password module in the industry generally adopts manual initialization process by an administrator to provide the password service, and the following two password module initialization schemes are commonly used: 1) The traditional cipher machine and other hardware cipher modules generally provide a special management client or local management page, and a manager uses a special IC card or USBKey for equipment management initialization; 2) In recent years, software cryptographic modules developed by various manufacturers are also basically initialized manually by an administrator by using a local command line tool through hardware media such as an external USBKey with reference to a traditional hardware cryptographic module, or manually discovered and initialized by the administrator through a remote management system.
However, in a cloud computing scenario, the cloud provides on-demand scalability, and is easy to configure, automated, and resilient. When the cryptographic module is accessed into a cloud computing environment, and when the demand for cryptographic services is rapidly increased due to rapid increase of the traffic, the rapid expansibility of the service is seriously affected in the process of initializing the cryptographic module based on manual intervention, and automation and elasticity cannot be achieved at all. If a large number of cipher modules are deployed in advance and initialized manually in advance, resource waste is likely to be caused, and the number of cipher modules deployed in advance is difficult to evaluate accurately.
As can be seen from the above related art, the management method of the cryptographic module in the prior art is too dependent on management personnel, and has low automation degree and poor expandability.
In view of this, some embodiments of the present application provide a method for managing a cryptographic module, where the cryptographic module of the method may interact with a cryptographic management system to implement automatic secure registration and initialization of the cryptographic module, so as to implement rapid expansion of the cryptographic module based on a change in traffic of cloud computing, thereby ensuring normal implementation of cryptographic services.
The overall composition of the cryptographic module management system provided in some embodiments of the present application is described below by way of example in conjunction with fig. 1.
As shown in fig. 1, some embodiments of the present application provide a system for cryptographic module management, the system for cryptographic module management comprising: a cryptographic module 100 and a cryptographic management system 200. Wherein, the automatic registration and initialization management of the password module can be realized through data interaction between the password module 100 and the password management system 200.
Specifically, the cryptographic module 100 is a cryptographic service component deployed with a service system, and may be a software cryptographic module or a hardware cryptographic module such as a cryptographic card. The cryptographic module management system (as a specific example of the cryptographic management system 200) is a software system supported by proprietary software or hardware cryptographic modules, providing key management, device management, module management, and packet management, and is responsible for remote registration initialization and daily management of the cryptographic module 100 under the premise of security.
In some embodiments of the present application, the cryptographic module 100 is shipped from the factory, and the manufacturer's SM2 algorithm digital certificate and key pair is preset, and the preset SM2 algorithm digital certificate and key pair is cryptographically protected, and the cryptographic module 100 page is subjected to code signing, so as to ensure the security of the cryptographic module 100. The cryptographic module management system generates a system key pair and a certificate application during initialization, the certificate application is used for being sent to a manufacturer or a third party CA, and the manufacturer or the third party CA issues a system digital certificate for the cryptographic module management system, so that initialization is completed. After the initialization is completed, an administrator sets the system IP and the port of the password module management system through the management page of the password module management system. In addition, the administrator needs to create a group in the cryptographic module management system, and set group configuration information such as a group access key, group key data, application information, and certificate.
In some embodiments of the present application, the cryptographic module 100 is configured to: receiving a challenge code fed back by the password management system aiming at a registration request; signing the generated environment evidence file, the equipment information and the challenge code to obtain a signature message; sending a registration application to the password management system, wherein the registration application carries the signature message so that the password management system can complete the registration of the password module after verifying the signature message;
in some embodiments of the present application, password management system 200 is used to: sending the challenge code corresponding to the registration request to the password module; receiving a registration application sent by the password module, wherein the registration application carries a signature message; and confirming that the signature message passes verification, and sending registration success information to the password module.
It should be noted that some embodiments of the following text application are mainly exemplarily described with respect to the cryptographic module 100 as an automatic registration and initialization process of a software cryptographic module.
An implementation of cryptographic module management performed by cryptographic module 100 provided in some embodiments of the present application is described below by way of example in conjunction with fig. 2.
Referring to fig. 2, fig. 2 is a flowchart of a method for managing a cryptographic module according to some embodiments of the present application, where the method for managing a cryptographic module includes:
s210, receiving a challenge code fed back by the password management system aiming at the registration request sent by the password module.
For example, in some embodiments of the present application, after the cryptographic module 100 sends a registration request to the cryptographic module management system, the cryptographic module management system returns a corresponding challenge code.
In some embodiments of the present application, before performing S210, the method for cryptographic module management may further include: receiving broadcast information sent by the password management system, wherein the broadcast information carries broadcast messages, and the broadcast messages are obtained by signing system configuration information by the password management system; and after the broadcast message is confirmed to pass the verification, sending the registration request to the password management system.
For example, in some embodiments of the present application, upon automated registration, the cryptographic module management system sends a registration broadcast (as a specific example of broadcast information) to the cryptographic module 100, with the broadcast message carried on the registration broadcast. The broadcast message is signed by the cryptographic module management system by using the private key of the system key pair. The broadcast message includes: the cryptographic module manages system configuration information such as system IP and ports of the system. After the cryptographic module 100 receives the broadcast information of the cryptographic module management system, firstly, the authenticity (i.e. the verification signature) of the broadcast message is verified, and after the verification is passed, the cryptographic module 100 is actively connected with the cryptographic module management system and automatically initiates a registration request.
S220, signing the generated environment evidence file, the equipment information and the challenge code to obtain a signature message.
For example, in some embodiments of the present application, cryptographic module 100 generates a trusted execution environment remote certificate (as a specific example of an environment certificate) and signs data such as challenge code and remote certificate, device information (e.g., cryptographic module IP), etc., using a private key in a preset vendor key pair to obtain a signed message.
S230, a registration application is sent to the password management system, wherein the registration application carries the signature message, so that the password management system can complete the registration of the password module after verifying the signature message.
For example, in some embodiments of the present application, the cryptographic module 100 submits a registration application to the cryptographic module management system so that the cryptographic module management system may complete an automatic registration of the cryptographic module 100.
In some embodiments of the present application, after performing S230, the method of cryptographic module management may further include: after receiving the registration success information sent by the password management system, sending an initialization request to the password management system so that the password management system can conveniently add the password module into a corresponding group; receiving group configuration information sent by the password management system, wherein the group configuration information comprises: the cryptographic module comprises access keys, key data, application information, application certificates, certificate chains and CRLs of the group to which the cryptographic module belongs.
For example, in some embodiments of the present application, after receiving registration success information fed back by the cryptographic module management system, the cryptographic module 100 actively initiates an initialization request to complete initialization, and the initialization process of the cryptographic module management system 200 includes: the cryptographic module device master key generation, device key pair generation, and device certificate issue may enable the cryptographic module management system 200 to automatically initialize the cryptographic module 100, where the cryptographic module 100 may obtain group configuration information such as a corresponding cryptographic module device master key, device key pair, device certificate, group access key, key encryption key (as a specific example of key data), user key (as a specific example of key data), application information, application certificate, certificate chain, and CRL (certificate revocation list Certificate Revocation List, abbreviated CRL).
After the cryptographic module 100 is registered and initialized by the above method embodiment, the cryptographic module 100 can directly provide cryptographic services for the corresponding service, and the state of the cryptographic module 100 is consistent with that of the cryptographic module manually initialized by the administrator in the prior art.
An implementation of cryptographic module management performed by the cryptographic management system 200 provided in some embodiments of the present application is described below by way of example in conjunction with fig. 3.
Referring to fig. 3, fig. 3 is a flowchart of a method for managing a cryptographic module according to some embodiments of the present application, where the method for managing a cryptographic module includes:
s310, a challenge code corresponding to the registration request is sent to the password module.
For example, in some embodiments of the present application, after receiving a registration request sent by the cryptographic module 100, the cryptographic module management system may feed back a challenge code to the cryptographic module management system to improve registration security.
In some embodiments of the present application, before performing S310, the method of cryptographic module management may further include: signing system configuration information to obtain a broadcast message, wherein the system configuration information comprises: system IP and ports; sending broadcast information carrying the broadcast message to the cryptographic module so as to facilitate verification by the cryptographic module; and receiving the registration request sent by the password module.
For example, in some embodiments of the present application, the cryptographic module management system initiates a registration broadcast of the cryptographic module 100, where the broadcast message in the registration broadcast includes system configuration information such as a system IP, a port, etc. of the cryptographic module management system, and the broadcast message is signed by the cryptographic module management system using its own private key. And then, the cryptographic module management system receives a registration request sent after the cryptographic module 100 verifies the broadcast message, so as to realize registration of the cryptographic module 100. Wherein, the automatic registration of the same network segment cipher module 100 can be realized by broadcasting.
In other embodiments of the present application, the cryptographic module management system may employ either of the following two schemes in addition to broadcasting to notify the cryptographic module 100 to perform automatic registration: (1) the administrator manually derives the group configuration information of the cryptographic module management system to install and deploy with the cryptographic module 100, so that the cryptographic module 100 can automatically register and initialize the following even if the cryptographic module management system broadcast information cannot be received at the time of startup. (2) The broadcast (i.e. registration broadcast) may be initiated by the cryptographic module 100, and after the cryptographic module management system receives the broadcast of the cryptographic module 100, the administrator confirms according to the broadcast information of the cryptographic module 100, and then the cryptographic module management system is actively connected with the cryptographic module 100 to complete registration and subsequent initialization of the cryptographic module 100. Specifically, the notification registration may be selected according to the actual situation, and the embodiment of the present application is not limited to this.
S320, receiving a registration application sent by the password module, wherein the registration application carries a signature message, and the signature message is obtained by signing the generated environment proof file, equipment information and the challenge code by the password module.
For example, in some embodiments of the present application, the cryptographic module management system receives a registration request sent by the cryptographic module 100. The generation manner of the signature message carried by the method can refer to the method embodiment provided above, and is not repeated here for avoiding repetition.
S330, confirming that the signature message passes verification, and sending registration success information to the password module.
For example, in some embodiments of the present application, the cryptographic module management system verifies the validity of the cryptographic module 100 and the validity of the request by signing the signed message with a cryptographic module factory preset public key. After the verification is passed, the registration success information is fed back to the cryptographic module 100.
In some embodiments of the present application, after performing S330, the method of cryptographic module management may further include: receiving an initialization request sent by the password module; acquiring service information of the password module, and adding the password module into a group matched with the service information; transmitting group configuration information to the cryptographic module, wherein the group configuration information comprises: the cryptographic module comprises access keys, key data, application information, application certificates, certificate chains and CRLs of the group to which the cryptographic module belongs.
For example, in some embodiments of the present application, after the cryptographic module management system receives an initialization request of the cryptographic module 100, an administrator of the cryptographic module management system logs in to the management page, checks related information (e.g., IP, service information, etc. of the cryptographic module 100) of the cryptographic module 100, and adds the cryptographic module 100 to a different group according to a service requirement (as a specific example of service information), and after the cryptographic module 100 is added to the group, the cryptographic module management system automatically triggers the group configuration information to be started, so as to send data such as an access key, key data, application information, application certificate, certificate chain, CRL, etc. of the group to the cryptographic module 100 side of the added group.
It can be understood that in the cloud computing environment, when the initialized cryptographic module 100 is deployed quickly in a mirror image manner, the newly deployed cryptographic module 100 can directly provide services only by automatically completing registration, initialization and automatic acquisition of the group configuration information by the cryptographic module management system because the newly deployed cryptographic module 100 already has the group configuration information issued by the cryptographic module management system, thereby improving the cryptographic module expansion rate and being suitable for different service scenarios.
In addition, in other embodiments of the present application, the method for remotely and automatically registering the signature and verification of the related message in the identity by the cryptographic module 100 may further include the following methods: the registration application information (i.e., the environment proof file, the device information, and the challenge code) is HMAC signed based on a symmetric key, which may be derived based on a password and may be cryptographically built into the cryptographic module 100. Alternatively, the registration application information may be signed to complete registration authentication using a built-in key of RSA algorithm, other ECC algorithm (elliptic encryption algorithm, curve25519, brainool, NIST Curve). Or, authentication of registration application information when the cryptographic module 100 is automatically registered is completed by means of a dynamic password. Alternatively, the authentication of the registration application information when the cryptographic module 100 is automatically registered is accomplished by deriving a key from a device fingerprint (e.g., a device ID) in which the cryptographic module 100 is located. Specifically, the selection may be flexibly performed according to actual situations, and embodiments of the present application are not specifically limited herein.
The following illustrates a specific process for cryptographic module management provided in some embodiments of the present application in connection with fig. 4.
Referring to fig. 4, fig. 4 is an interaction flow chart of cryptographic module management according to some embodiments of the present application.
The above-described process is exemplarily set forth below.
S401, the password management system 200 sends a registration broadcast to the password module 100, where the registration broadcast carries a broadcast message.
S402, the password module 100 verifies the broadcast message.
S403, after the verification is passed, a registration request is sent to the password management system 200.
S404, the password management system 200 transmits the challenge code to the password module 100.
S405, the cryptographic module 100 generates an environment proof file, and signs the environment proof file, the device information and the challenge code to obtain a signed message.
S406, a registration application is sent to the password management system 200, wherein the registration application carries a signature message.
S407, the password management system 200 verifies the signature message.
And S408, after the verification is passed, sending registration success information to the password module 100.
S409, the cryptographic module 100 transmits an initialization request to the cryptographic management system 200.
S410, the password management system 200 completes the initialization of the password module 100, generates a password module device master key, a device key pair and issues a device certificate.
S411, the password management system 200 acquires the service information of the password module 100, and adds the password module 100 to the group matched with the service information.
S412, the group configuration information is sent to the cryptographic module 100.
For example, the cryptographic module 100 may obtain corresponding cryptographic module device master key, device key pair, device certificate, group access key, key encryption key, user key, application information, application certificate, certificate chain, CRL, and other group configuration information.
It should be appreciated that the specific implementation procedures of S401 to S411 may refer to the method embodiments provided above, and detailed descriptions are omitted here as appropriate to avoid repetition.
According to some embodiments of the above text application, the automatic registration and initialization of the password module 100 are realized on the basis of ensuring the manual initialization function of the original password module manager, the horizontal expansion is rapid, and new password calculation force is rapidly provided as required. Specific: the administrator only needs to complete relevant initial setting at the cryptographic module management system end, and the cryptographic module management system realizes the automatic registration of the cryptographic modules in the same network segment in a broadcast mode. In the cloud computing environment, the cryptographic modules which are deployed in the container or the virtual machine and registered can be packaged into a container mirror image or a virtual machine mirror image, the cryptographic modules can be expanded according to the requirements, and new cryptographic module mirror images can automatically register and initialize to obtain group configuration information to the cryptographic module management system, so that new cryptographic computing power is formed rapidly. The password module presets a manufacturer digital certificate and a key pair, when registration is initiated, a manufacturer private key preset by the password module is used for signing registration request information such as a password module management system challenge code, a remote certificate, a device ID and the like, the password module management system verifies the legitimacy of the password module and the legitimacy of the request through verifying the signature and the signature message, the registration request of the password module can be completed after the verification is passed, and the safe registration and the automatic initialization of the password module are completed.
Referring to fig. 5, fig. 5 illustrates a block diagram of an apparatus for cryptographic module management according to some embodiments of the present application. It should be understood that the apparatus for managing a cryptographic module corresponds to the above-described method embodiment, and is capable of performing the steps involved in the above-described method embodiment, and specific functions of the apparatus for managing a cryptographic module may be referred to the above description, and detailed descriptions thereof are omitted herein as appropriate to avoid redundancy.
The cryptographic module management apparatus of fig. 5 includes at least one software functional module that can be stored in a memory in the form of software or firmware or cured in the cryptographic module management apparatus, which is applied to the cryptographic module, including: a first receiving module 510, configured to receive a challenge code fed back by the password management system for a registration request sent by the password module; the first signature module 520 is configured to sign the generated environment proof file, the device information and the challenge code, so as to obtain a signed message; and the first sending module 530 is configured to send a registration application to the password management system, where the registration application carries the signature message, so that the password management system completes registration of the password module after verifying the signature message.
In some embodiments of the present application, after the first transmitting module 530, the apparatus for cryptographic module management further includes: an initialization module (not shown in the figure) for: after receiving the registration success information sent by the password management system, sending an initialization request to the password management system so that the password management system can conveniently add the password module into a corresponding group; receiving group configuration information sent by the password management system, wherein the group configuration information comprises: the cryptographic module comprises access keys, key data, application information, application certificates, certificate chains and CRLs of the group to which the cryptographic module belongs.
In some embodiments of the present application, before the first receiving module 510, the apparatus for cryptographic module management further includes: a broadcasting module (not shown in the figure) for: receiving broadcast information sent by the password management system, wherein the broadcast information carries broadcast messages, and the broadcast messages are obtained by signing system configuration information by the password management system; and after the broadcast message is confirmed to pass the verification, sending the registration request to the password management system.
Referring to fig. 6, fig. 6 illustrates a block diagram of an apparatus for cryptographic module management provided in some embodiments of the present application. It should be understood that the apparatus for managing a cryptographic module corresponds to the above-described method embodiment, and is capable of performing the steps involved in the above-described method embodiment, and specific functions of the apparatus for managing a cryptographic module may be referred to the above description, and detailed descriptions thereof are omitted herein as appropriate to avoid redundancy.
The cryptographic module management apparatus of fig. 6 includes at least one software functional module that can be stored in a memory in the form of software or firmware or cured in a cryptographic module management apparatus, which is applied to a cryptographic management system, comprising: a second sending module 610, configured to send a challenge code corresponding to the registration request to the cryptographic module; a second receiving module 620, configured to receive a registration application sent by the cryptographic module, where the registration application carries a signature packet, where the signature packet is obtained by signing the generated environment certificate, device information and the challenge code by the cryptographic module; and the verification module 630 is configured to confirm that the signed message passes verification, and send registration success information to the cryptographic module.
In some embodiments of the present application, after the authentication module 630, the device for cryptographic module management further comprises: an initialization module (not shown in the figure) for: receiving an initialization request sent by the password module; acquiring service information of the password module, and adding the password module into a group matched with the service information; transmitting group configuration information to the cryptographic module, wherein the group configuration information comprises: the cryptographic module comprises access keys, key data, application information, application certificates, certificate chains and CRLs of the group to which the cryptographic module belongs.
In some embodiments of the present application, before the second transmitting module 610, the apparatus for managing a cryptographic module further includes: a broadcasting module (not shown in the figure) for: signing system configuration information to obtain a broadcast message, wherein the system configuration information comprises: system IP and ports; sending broadcast information carrying the broadcast message to the cryptographic module so as to facilitate verification by the cryptographic module; and receiving the registration request sent by the password module.
It will be clear to those skilled in the art that, for convenience and brevity of description, reference may be made to the corresponding procedure in the foregoing method for the specific working procedure of the apparatus described above, and this will not be repeated here.
Some embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program, which when executed by a processor, may implement operations of the method corresponding to any of the above-described methods provided by the above-described embodiments.
Some embodiments of the present application further provide a computer program product, where the computer program product includes a computer program, where the computer program when executed by a processor may implement operations of a method corresponding to any of the foregoing methods provided by the foregoing embodiments.
As shown in fig. 7, some embodiments of the present application provide an electronic device 700, the electronic device 700 comprising: memory 710, processor 720, and a computer program stored on memory 710 and executable on processor 720, wherein processor 720 may implement a method as in any of the embodiments described above when reading the program from memory 710 and executing the program via bus 730.
Processor 720 may process the digital signals and may include various computing structures. Such as a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements a combination of instruction sets. In some examples, processor 720 may be a microprocessor.
Memory 710 may be used for storing instructions to be executed by processor 720 or data related to execution of the instructions. Such instructions and/or data may include code to implement some or all of the functions of one or more modules described in embodiments of the present application. The processor 720 of the disclosed embodiments may be configured to execute instructions in the memory 710 to implement the methods shown above. Memory 710 includes dynamic random access memory, static random access memory, flash memory, optical memory, or other memory known to those skilled in the art.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Claims (11)
1. A method of cryptographic module management, applied to a cryptographic module, the method comprising:
receiving a challenge code fed back by a password management system aiming at a registration request sent by the password module;
signing the generated environment evidence file, the equipment information and the challenge code to obtain a signature message;
and sending a registration application to the password management system, wherein the registration application carries the signature message, so that the password management system completes the registration of the password module after verifying the signature message.
2. The method of claim 1, wherein after said sending a registration application to the password management system, the method further comprises:
after receiving the registration success information sent by the password management system, sending an initialization request to the password management system so that the password management system can conveniently add the password module into a corresponding group;
receiving group configuration information sent by the password management system, wherein the group configuration information comprises: the cryptographic module comprises access keys, key data, application information, application certificates, certificate chains and CRLs of the group to which the cryptographic module belongs.
3. The method of claim 1 or 2, wherein prior to receiving a challenge code fed back by a password management system for a registration request sent by the password module, the method further comprises:
receiving broadcast information sent by the password management system, wherein the broadcast information carries broadcast messages, and the broadcast messages are obtained by signing system configuration information by the password management system;
and after the broadcast message is confirmed to pass the verification, sending the registration request to the password management system.
4. A method of cryptographic module management, characterized by being applied to a cryptographic management system, the method comprising:
sending a challenge code corresponding to the registration request to the password module;
receiving a registration application sent by the password module, wherein the registration application carries a signature message, and the signature message is obtained by signing the generated environment evidence file, equipment information and the challenge code by the password module;
and confirming that the signature message passes verification, and sending registration success information to the password module.
5. The method of claim 4, wherein after said sending registration success information to said cryptographic module, said method further comprises:
Receiving an initialization request sent by the password module;
acquiring service information of the password module, and adding the password module into a group matched with the service information;
transmitting group configuration information to the cryptographic module, wherein the group configuration information comprises: the cryptographic module comprises access keys, key data, application information, application certificates, certificate chains and CRLs of the group to which the cryptographic module belongs.
6. The method of claim 4 or 5, wherein prior to said sending the challenge code corresponding to the registration request to the cryptographic module, the method further comprises:
signing system configuration information to obtain a broadcast message, wherein the system configuration information comprises: system IP and ports;
sending broadcast information carrying the broadcast message to the cryptographic module so as to facilitate verification by the cryptographic module;
and receiving the registration request sent by the password module.
7. A system for cryptographic module management, comprising: a password module and a password management system; wherein,
the cryptographic module is used for: receiving a challenge code fed back by the password management system aiming at a registration request; signing the generated environment evidence file, the equipment information and the challenge code to obtain a signature message; sending a registration application to the password management system, wherein the registration application carries the signature message so that the password management system can complete the registration of the password module after verifying the signature message;
The password management system is used for: sending the challenge code corresponding to the registration request to the password module; receiving a registration application sent by the password module, wherein the registration application carries a signature message; and confirming that the signature message passes verification, and sending registration success information to the password module.
8. An apparatus for cryptographic module management, applied to a cryptographic module, the apparatus comprising:
the first receiving module is used for receiving a challenge code fed back by the password management system aiming at the registration request sent by the password module;
the first signature module is used for signing the generated environment evidence file, the equipment information and the challenge code to obtain a signature message;
the first sending module is used for sending a registration application to the password management system, wherein the registration application carries the signature message, so that the password management system can finish the registration of the password module after verifying the signature message.
9. An apparatus for cryptographic module management, for use in a cryptographic management system, the apparatus comprising:
the second sending module is used for sending the challenge code corresponding to the registration request to the password module;
The second receiving module is used for receiving a registration application sent by the password module, wherein the registration application carries a signature message, and the signature message is obtained by signing the generated environment evidence file, equipment information and the challenge code by the password module;
and the verification module is used for confirming that the signature message passes verification and sending registration success information to the password module.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program, wherein the computer program when run by a processor performs the method according to any of claims 1-6.
11. An electronic device comprising a memory, a processor, and a computer program stored on the memory and running on the processor, wherein the computer program when run by the processor performs the method of any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311563113.8A CN117335986A (en) | 2023-11-22 | 2023-11-22 | Method, system, device, storage medium and electronic equipment for managing cryptographic module |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311563113.8A CN117335986A (en) | 2023-11-22 | 2023-11-22 | Method, system, device, storage medium and electronic equipment for managing cryptographic module |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117335986A true CN117335986A (en) | 2024-01-02 |
Family
ID=89283361
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311563113.8A Pending CN117335986A (en) | 2023-11-22 | 2023-11-22 | Method, system, device, storage medium and electronic equipment for managing cryptographic module |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117335986A (en) |
-
2023
- 2023-11-22 CN CN202311563113.8A patent/CN117335986A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3742696B1 (en) | Identity management method, equipment, communication network, and storage medium | |
JP4410821B2 (en) | Verifying the binding of the initial trusted device to the protected processing system | |
US9621356B2 (en) | Revocation of root certificates | |
US20210051024A1 (en) | Two-dimensional code generation method, apparatus, data processing method, apparatus, and server | |
JP3971890B2 (en) | Signature verification support apparatus, signature verification support method, and electronic signature verification method | |
CN112165382B (en) | Software authorization method and device, authorization server side and terminal equipment | |
WO2019033822A1 (en) | Methods for generating and authenticating digital certificate, communication device, and storage medium | |
CN106464667B (en) | Certificate management method, equipment and system | |
CN105635062A (en) | Network access equipment verification method and device | |
CN101534192A (en) | System used for providing cross-domain token and method thereof | |
CN102082665A (en) | Identity authentication method, system and equipment in EAP (Extensible Authentication Protocol) authentication | |
JP2018117185A (en) | Information processing apparatus, information processing method | |
CN115664655A (en) | TEE credibility authentication method, device, equipment and medium | |
CN108632037B (en) | Public key processing method and device of public key infrastructure | |
US20220182248A1 (en) | Secure startup method, controller, and control system | |
CN114338091B (en) | Data transmission method, device, electronic equipment and storage medium | |
US11570008B2 (en) | Pseudonym credential configuration method and apparatus | |
CN116506134B (en) | Digital certificate management method, device, equipment, system and readable storage medium | |
CN110771087B (en) | Private key update | |
CN112261103A (en) | Node access method and related equipment | |
CN113872986B (en) | Power distribution terminal authentication method and device and computer equipment | |
CN117335986A (en) | Method, system, device, storage medium and electronic equipment for managing cryptographic module | |
EP4252384B1 (en) | Methods, devices and system related to a distributed ledger and user identity attribute | |
CN111445245A (en) | Certificate index updating method and device for security type general certificate | |
KR102162108B1 (en) | Lw_pki system for nfv environment and communication method using the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |