CN117914489A - Cloud platform key distribution method and system based on password processor - Google Patents


Info

Publication number
CN117914489A
Authority
CN
China
Prior art keywords
key
cloud platform
server
management module
processor
Legal status: Pending
Application number
CN202410133452.0A
Other languages
Chinese (zh)
Inventor
顾达晟
张名扬
苏年乐
李大为
Current Assignee: Dingchain Digital Technology Shenzhen Co ltd
Original Assignee: Dingchain Digital Technology Shenzhen Co ltd
Priority application: CN202410133452.0A, filed by Dingchain Digital Technology Shenzhen Co ltd; published as CN117914489A

Classifications

    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords (under H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
    • H04L 9/0822 Key transport or distribution using a key encryption key (under H04L 9/0819 Key transport or distribution, i.e. one party creates or obtains a secret value and securely transfers it to the other(s); H04L 9/0816 Key establishment, i.e. a shared secret becomes available to two or more parties)
    • H04L 9/3247 Message authentication involving digital signatures (under H04L 9/32 Means for verifying the identity or authority of a user of the system or for message authentication)
    • H04L 9/3268 Certificates, e.g. public key certificate [PKC] or attribute certificate [AC], and public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] (under H04L 9/3263; H04L 9/32)
    • H04L 63/0272 Virtual private networks (under H04L 63/02 Separating internal from external traffic, e.g. firewalls; H04L 63/00 Network architectures or network communication protocols for network security)
    • H04L 63/062 Key distribution, e.g. centrally by trusted party (under H04L 63/06 Supporting key management in a packet data network)
    • H04L 63/0807 Authentication of entities using tickets, e.g. Kerberos (under H04L 63/08 Authentication of entities)
    • H04L 63/0823 Authentication of entities using certificates (under H04L 63/08 Authentication of entities)

All of the above sit under H Electricity, H04 Electric communication technique, H04L Transmission of digital information, e.g. telegraphic communication.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud platform key distribution method and system based on a cryptographic processor. The method comprises the following steps: initialize the cloud platform and the server group respectively; the cloud platform management module and the server devices perform identity authentication with the SM2 algorithm, and after authentication succeeds the key to be distributed is encrypted, the cloud platform management module sends the key ciphertext to each server device, and each server device decrypts the key ciphertext and stores the key locally; the cloud platform management module sends the key allocation configuration information of each virtual machine to its server device, and the server device pushes that configuration to the virtual machines running on it. By building a two-stage distribution flow, cloud platform to server device and then server device to virtual machine, the number of distributions the cloud platform performs at one time is reduced, and a failure of one virtual machine does not affect key use by the other virtual machines.

Description

Cloud platform key distribution method and system based on a cryptographic processor
Technical Field
The invention relates to the technical field of key distribution, in particular to a cloud platform key distribution method and system based on a cryptographic processor.
Background
In current deployments, cloud service providers offer domestically produced server resources on their cloud platforms together with cloud cryptographic operation services built on the Chinese national (SM) algorithms. A cloud cryptographic operation service exposes a cryptographic operation interface to applications, which use it to obtain cryptographic capability. In scenarios with many applications and high performance demands on the cryptographic service, a cloud platform needs to provide several cryptographic operation services, and an application system then has to call different cryptographic services while using the same key. The same key therefore has to be distributed uniformly to every server resource and finally to every virtual machine, where it is made available to users for direct use.
Mainstream cloud service providers currently deliver cryptographic capability mainly through a cryptographic operation service interface on the cloud server. Servers cannot share an internal key with each other; a key can only be held in an external key management system, from which it is fetched on every call, so service operations cannot be performed with a single, unified internal key.
Disclosure of Invention
In the prior art a cloud server mainly provides a cryptographic operation service interface; an internal key cannot be shared between servers, and service operations cannot be performed with a unified internal key.
To address these problems, a cloud platform key distribution method and system based on a cryptographic processor are provided. Equipping both the cloud platform and the server devices with a cryptographic processor raises cryptographic performance and lets keys be distributed to the server devices securely and efficiently. A two-stage distribution flow, cloud platform to server device and then server device to virtual machine, reduces the number of distributions the cloud platform performs at one time and bounds it at one distribution per physical server device. Distribution to the virtual machines is carried out by the host of the server device, which reduces the effect of data loss or omission during distribution so that every virtual machine eventually receives the key. Each virtual machine manages its own key: if a virtual machine fails, key use by the other virtual machines is unaffected, and if a virtual machine is migrated, the migrated virtual machine continues to use the imported key without interruption.
In a first aspect, a method for distributing a cloud platform key based on a cryptographic processor includes:
Step 100, initializing a cloud platform and a server group respectively, wherein the cloud platform is communicatively connected to the server group, the cloud platform comprises a cloud platform management module and a first cryptographic processor, the server group comprises a plurality of server devices, and each server device comprises a cache and a second cryptographic processor;
Step 200, the cloud platform management module and the server device perform identity authentication with the SM2 algorithm; after authentication succeeds the key to be distributed is encrypted, the cloud platform management module sends the key ciphertext to each server device, and each server device decrypts the key ciphertext and stores the key locally;
Step 300, the cloud platform management module sends the key allocation configuration information of the virtual machine to the server device, and the server device pushes the key allocation configuration information to the virtual machine on that server device.
With reference to the first aspect, in a first possible implementation, step 100 includes:
Step 110, the cloud platform management module generates an SM (national commercial cryptography) signing key and an encryption key using the first cryptographic processor, and imports an issuing certificate;
Step 120, the server device generates a device key, a signature certificate and an encryption certificate using the second cryptographic processor;
Step 130, the server device information is entered into the cloud platform management module, and the cloud platform management module sends the issuing certificate to the server device according to that information.
With reference to the first possible implementation of the first aspect, in a second possible implementation, step 200 includes:
Step 210, the cloud platform management module negotiates with the server device the key used to encrypt and decrypt the key to be distributed.
With reference to the second possible implementation of the first aspect, in a third possible implementation, step 210 includes:
Step 211, after identity authentication succeeds, the cloud platform management module and the server device negotiate a protection key from the random numbers each party sends;
Step 212, after receiving the key ciphertext, the server device decrypts it with the protection key negotiated with the cloud platform.
With reference to the first possible implementation of the first aspect, in a fourth possible implementation, step 200 further includes:
Step 220, the cloud platform management module selects any one of the server devices as the main server device and performs identity authentication with it; after authentication succeeds, the key to be distributed is encrypted by the main server device;
Step 230, each server device decrypts the received key ciphertext with its own encryption private key.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation, step 220 includes:
Step 221, generating a signature private key, an encryption private key and a certificate request file in the main server device;
Step 222, the cloud platform management module sends the main server device the encryption certificate of each device to which the key is to be distributed;
Step 223, the main server device encrypts the signature private key and the encryption private key under each such encryption certificate and returns the encrypted private keys to the cloud platform management module.
With reference to the second or fourth possible implementation of the first aspect, in a sixth possible implementation, step 300 includes:
Step 310, the virtual machine obtains a virtual processor through virtualization of the second cryptographic processor;
Step 320, the cloud platform management module sends the key configuration information of the virtual machine to the server device;
Step 330, the server device pushes the key configuration information to the virtual machine;
Step 340, the virtual machine stores the configuration information locally.
With reference to the sixth possible implementation of the first aspect, in a seventh possible implementation, the method further includes:
Step 400, the virtual machine calls the cryptographic processor of the server device through the cryptographic interface of its virtual cryptographic processor to perform a cryptographic operation;
Step 500, when the cryptographic operation completes, the result is returned to the application in the virtual machine through the virtual cryptographic processor.
With reference to the seventh possible implementation of the first aspect, in an eighth possible implementation, step 400 includes:
Step 410, the virtual machine reads its local key allocation information to obtain a key number or key identifier;
Step 420, the key number or key identifier is passed to the cryptographic interface of the second cryptographic processor through the virtualization layer;
Step 430, the second cryptographic processor is called through that cryptographic interface to perform the operation.
In a second aspect, a cloud platform key distribution system based on a cryptographic processor, which uses the method of the first aspect, includes:
a cloud platform;
a server group;
the cloud platform is communicatively connected to the server group;
the cloud platform comprises a cloud platform management module and a first cryptographic processor, the server group comprises a plurality of server devices communicatively connected to each other, and each server device comprises a second cryptographic processor;
the cloud platform management module performs identity authentication with the server devices using the SM2 algorithm, encrypts the key to be distributed after authentication succeeds and sends the key ciphertext to each server device, and each server device decrypts the key ciphertext and stores the key locally;
the cloud platform management module is further configured to send the key configuration information of the virtual machine to the server device, and the server device pushes it to the virtual machine on that server device.
Implementing this method and system yields the effects set out above: a cryptographic processor on both the cloud platform and the server devices raises cryptographic performance and lets keys be distributed to the server devices securely and efficiently; the two-stage flow (cloud platform to server device, server device to virtual machine) reduces the number of distributions the cloud platform performs at one time and bounds it at one per physical server device; the host carries out distribution to its virtual machines, so data loss or omission during distribution is reduced and every virtual machine eventually receives the key; and each virtual machine manages its own key, so a virtual machine failure has no effect on key use by the others, and a migrated virtual machine continues to use the imported key.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow diagram of a cloud platform key distribution method based on a cryptographic processor according to the present invention;
Fig. 2 is a second schematic flow chart of the cloud platform key distribution method based on a cryptographic processor according to the present invention;
Fig. 3 is a third schematic flow chart of the method;
Fig. 4 is a fourth schematic flow chart of the method;
Fig. 5 is a fifth flowchart of the method;
Fig. 6 is a sixth flowchart of the method;
Fig. 7 is a seventh schematic flow chart of the method;
Fig. 8 is an eighth schematic flow chart of the method;
Fig. 9 is a schematic diagram of a cloud platform key distribution system based on a cryptographic processor according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made more apparent and fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. Based on the embodiments of the present invention, other embodiments that may be obtained by those of ordinary skill in the art without undue burden are within the scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
It will be understood that when an element is referred to as being "mounted" or "disposed" on another element, it can be directly on the other element or be indirectly on the other element. When an element is referred to as being "connected to" another element, it can be directly connected to the other element or be indirectly connected to the other element.
It is to be understood that the terms "length," "width," "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," and the like are merely for convenience in describing and simplifying the description based on the orientation or positional relationship shown in the drawings, and do not indicate or imply that the devices or elements referred to must have a particular orientation, be constructed and operated in a particular orientation, and thus are not to be construed as limiting the application.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. In the description of the present application, the meaning of "a plurality" is two or more, unless explicitly defined otherwise.
In the prior art a cloud server mainly provides a cryptographic operation service interface; an internal key cannot be shared between servers, and service operations cannot be performed with a unified internal key.
To address these problems, a cloud platform key distribution method and system based on a cryptographic processor are provided.
Example 1: symmetric key distribution
In a first aspect, as shown in Fig. 1 (a schematic flow diagram of the cloud platform key distribution method based on a cryptographic processor according to the present invention), the method comprises the following steps:
Step 100, initializing a cloud platform and a server group respectively, wherein the cloud platform is communicatively connected to the server group, the cloud platform comprises a cloud platform management module and a first cryptographic processor, the server group comprises a plurality of server devices, and each server device comprises a cache and a second cryptographic processor.
Preferably, as shown in Fig. 2 (the second schematic flow chart of the method), step 100 comprises: Step 110, the cloud platform management module generates an SM signing key and an encryption key using the first cryptographic processor, and imports an issuing certificate; Step 120, the server device generates a device key, a signature certificate and an encryption certificate using the second cryptographic processor; Step 130, the server device information is entered into the cloud platform management module, and the cloud platform management module sends the issuing certificate to the server device according to that information.
Key: a key is the parameter input to an algorithm that converts plaintext into ciphertext or ciphertext into plaintext; keys are classified as symmetric or asymmetric. Encryption turns plaintext into ciphertext by a cryptographic operation so that it is unreadable without the secret; decryption restores the ciphertext to the original data by the inverse cryptographic operation.
The first and second cryptographic processors are general-purpose processors with a cryptographic coprocessor that carries out the basic cryptographic operations; they combine high performance with security, and key-related operations and key storage take place inside the processor.
Initializing the cloud platform: the management platform's SM signing key and encryption key are generated with the cryptographic capability of its own processor (the first cryptographic processor), and a certificate is issued and imported. Initializing a physical server device resource: the device key, signature certificate and encryption certificate for the SM algorithms are generated with the cryptographic capability of its own processor (the second cryptographic processor). The physical server information entered into the cloud management platform system comprises the server device (host) IP address, name, communication port and so on. The cloud platform then sends its own certificate to the server device according to the entered server device information.
Step 200, the cloud platform management module and the server device perform identity authentication with the SM2 algorithm; after authentication succeeds the key to be distributed is encrypted, the cloud platform management module sends the key ciphertext to each server device, and each server device decrypts the key ciphertext and stores the key locally.
SM2: the elliptic-curve public-key cryptographic algorithm published by the Chinese State Cryptography Administration. It is a public-key algorithm with high performance, high cryptographic strength and fast processing.
Preferably, step 200 comprises:
Step 210, the cloud platform management module negotiates with the server device the key used to encrypt and decrypt the key to be distributed.
Preferably, as shown in Fig. 3 (the third schematic flow chart of the method), step 210 includes: Step 211, after identity authentication succeeds, the cloud platform management module and the server device negotiate a protection key from the random numbers each party sends; Step 212, after receiving the key ciphertext, the server device decrypts it with the protection key negotiated with the cloud platform.
The cloud platform management module first negotiates a protection key with each server device. Identity authentication in this step is based on the SM2 algorithm, and the protection key is negotiated from the random numbers exchanged by the two parties only after authentication has succeeded, so a party that cannot prove its identity never obtains a protection key and therefore cannot recover the key from the key ciphertext.
The cloud platform management module encrypts the key to be distributed with the protection key and sends the key ciphertext to each server device, together with the virtual machine information of that server device; each server device decrypts with the protection key it negotiated with the cloud platform and stores the result on the local device.
After cloud platform initialization, the server device information is entered and the server device certificates are imported; once entry succeeds, the platform certificate is sent to the server device.
The cloud platform management system then performs the key distribution: the key is encrypted with the encryption certificate of the server device (the host) and distributed to that server device.
The server device decrypts the key and stores it in its local cryptographic processor, which is where key storage and key-related operations take place.
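The Step 200 exchange just described (identity authentication, protection-key negotiation from both parties' random values, then wrapping and unwrapping of the key to be distributed), as an added example in Go that is not part of the patent or of any product of the assignee. Go's standard library has no SM2, so ECDSA over P-256 stands in for the SM2 identity signatures and ECDH over P-256 for the exchange of random values; AES-256-GCM stands in for the symmetric encryption of the key ciphertext, which the patent does not specify. The type and function names (Party, Hello, Distribute, Wrap, Unwrap), the party names "cloud-platform" and "host-01", the KDF label and the sample key are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party is the cloud platform management module or one server device. idKey stands in
// for the SM2 signing key of Step 100; peerPub is the certificate received in Step 130.
type Party struct {
	name    string
	idKey   *ecdsa.PrivateKey
	peerPub *ecdsa.PublicKey
}

// Hello is one side's Step 211 message: its random value (an ephemeral ECDH public key)
// signed with its identity key so the peer can authenticate it.
type Hello struct{ Ephemeral, Sig []byte }

func NewParty(name string) *Party {
	return &Party{name: name, idKey: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
}

// Cert and Trust model the certificate exchange of Step 130.
func (p *Party) Cert() *ecdsa.PublicKey      { return &p.idKey.PublicKey }
func (p *Party) Trust(cert *ecdsa.PublicKey) { p.peerPub = cert }

// MakeHello draws the random value and signs it together with the sender's name; the
// ephemeral private half stays with the caller and is never transmitted.
func (p *Party) MakeHello() (*ecdh.PrivateKey, Hello) {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	d := sha256.Sum256(append([]byte(p.name), eph.PublicKey().Bytes()...))
	return eph, Hello{eph.PublicKey().Bytes(), must(ecdsa.SignASN1(rand.Reader, p.idKey, d[:]))}
}

// ProtectionKey is the receiving side of Step 211: authenticate the peer first, then
// derive the protection key. A peer whose signature does not verify gets no key at all.
func (p *Party) ProtectionKey(peerName string, mine *ecdh.PrivateKey, peer Hello) ([]byte, error) {
	d := sha256.Sum256(append([]byte(peerName), peer.Ephemeral...))
	if p.peerPub == nil || !ecdsa.VerifyASN1(p.peerPub, d[:], peer.Sig) {
		return nil, errors.New("identity authentication failed for " + peerName)
	}
	pub, err := ecdh.P256().NewPublicKey(peer.Ephemeral)
	if err != nil {
		return nil, err
	}
	// The ECDH result depends on both parties' random values; one HMAC-SHA256
	// extraction turns it into a 32-byte AES-256 protection key.
	kdf := hmac.New(sha256.New, []byte("cloud-platform-protection-key"))
	kdf.Write(must(mine.ECDH(pub)))
	return kdf.Sum(nil), nil
}

// Wrap is Step 212 on the platform side: the key to be distributed travels only as
// AES-256-GCM ciphertext under the protection key, with the nonce prepended.
func Wrap(pk, key []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(pk))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, key, nil)
}

// Unwrap is the server device's side: a wrong protection key or a tampered ciphertext
// fails GCM authentication and nothing is stored.
func Unwrap(pk, ct []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(pk))))
	if len(ct) < g.NonceSize() {
		return nil, errors.New("key ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Distribute runs Step 200 between the platform and one server device and returns
// the key exactly as the device would store it in its local cryptographic processor.
func Distribute(platform, server *Party, key []byte) ([]byte, error) {
	pEph, pHello := platform.MakeHello()
	sEph, sHello := server.MakeHello()
	pk1, err := platform.ProtectionKey(server.name, pEph, sHello)
	if err != nil {
		return nil, err
	}
	pk2, err := server.ProtectionKey(platform.name, sEph, pHello)
	if err != nil {
		return nil, err
	}
	return Unwrap(pk2, Wrap(pk1, key))
}

func main() {
	platform, server := NewParty("cloud-platform"), NewParty("host-01")
	platform.Trust(server.Cert())
	server.Trust(platform.Cert())
	key := []byte("constructed-key!") // constructed sample: one 128-bit key to distribute
	got, err := Distribute(platform, server, key)
	fmt.Println("device stored the distributed key:", err == nil && string(got) == string(key))
}
```

A party that signs its Hello with a key other than the one behind the certificate imported in Step 130 fails ProtectionKey on the peer's side, so the platform never wraps a key for an unauthenticated device and a device never accepts a key ciphertext from an unauthenticated platform; GCM additionally rejects a ciphertext modified in transit. The patent places these key operations inside the first and second cryptographic processors; in this example they run in ordinary process memory.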
Step 300, the cloud platform management module sends the key allocation configuration information of the virtual machine to the server device, and the server device pushes the key allocation configuration information to the virtual machine on that server device.
Preferably, as shown in Fig. 4 (the fourth flowchart of the method), step 300 includes: Step 310, the virtual machine obtains a virtual processor through virtualization of the second cryptographic processor; Step 320, the cloud platform management module sends the key configuration information of the virtual machine to the server device; Step 330, the server device pushes the key configuration information to the virtual machine; Step 340, the virtual machine stores the configuration information locally.
Each virtual machine on the server device obtains a virtual processor through virtualization of the second cryptographic processor, and each virtual processor is associated with a distributed key.
The cloud platform management module sends the key allocation configuration information of the virtual machine to the server device, and the server device pushes it to the virtual machine;
the virtual machine imports the key allocation information and stores it.
Preferably, as shown in fig. 5, fig. 5 is a fifth flowchart of a cloud platform key distribution method based on a cryptographic processor according to the present invention, where the method further includes:
Step 400, the virtual machine calls the cryptographic processor of the server device through the cryptographic interface of the virtual cryptographic processor to perform a cryptographic operation; step 500, the cryptographic operation is completed and the operation result is returned to the application in the virtual machine through the virtual cryptographic processor.
Preferably, as shown in fig. 6, fig. 6 is a sixth flowchart of a cloud platform key distribution method based on a cryptographic processor according to the present invention; step 400 includes: step 410, the virtual machine reads the local key allocation information to obtain a key number or key identifier; step 420, the key number or key identifier is passed to the cryptographic interface of the second cryptographic processor through virtualization technology; step 430, the second cryptographic processor is called through the cryptographic interface to perform the operation.
When an application in the virtual machine invokes a cryptographic operation, the local key allocation information is read and the key number or key identifier obtained from it is passed to the cryptographic operation interface provided by the cryptographic processor.
The virtual cryptographic processor in the virtual machine invokes the cryptographic processor (second cryptographic processor) on the server device (host machine) through virtualization technology to perform the cryptographic operation;
the virtual cryptographic processor in the virtual machine completes the cryptographic operation through the second cryptographic processor of the server device (host machine) and returns the result to the application in the virtual machine, so that unified distribution and high-performance use of keys in the cloud platform are achieved.
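The two-stage flow of steps 200 to 500 in embodiment 1, as an added Go example that is not part of the patent: a protection key is derived from the random numbers of both parties, the cloud side seals the key to be distributed, the host's cryptographic processor imports and keeps it, and a virtual machine that holds only a key identifier forwards its operations to the host. The SM2 identity authentication and the unspecified symmetric cipher are replaced by assumed stand-ins (an HMAC-SHA256 derivation keyed by a constructed authentication secret, and AES-256-GCM); all type and function names are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Stage 1: protection key derived from the random numbers both parties sent. Assumed construction
// (HMAC-SHA256 keyed by a secret from the authentication step); SM2 authentication is not modelled.
func DeriveProtectionKey(authSecret, cloudNonce, serverNonce []byte) []byte {
	m := hmac.New(sha256.New, authSecret)
	m.Write(cloudNonce)
	m.Write(serverNonce)
	return m.Sum(nil) // 32 bytes, used directly as an AES-256 key
}
func mustGCM(protectionKey []byte) cipher.AEAD {
	block, err := aes.NewCipher(protectionKey)
	if err != nil {
		panic(err) // protection keys are always 32 bytes, so this is a programming error
	}
	gcm, _ := cipher.NewGCM(block) // only fails for non-16-byte block ciphers
	return gcm
}
// Seal encrypts the key to be distributed (AES-256-GCM stands in for the unspecified cipher).
func Seal(protectionKey, keyToDistribute []byte) ([]byte, error) {
	gcm := mustGCM(protectionKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keyToDistribute, nil), nil // nonce || ciphertext || tag
}
// HostProcessor stands in for the second cryptographic processor: keys live only here, addressed by identifier.
type HostProcessor struct{ keys map[string][]byte }
func NewHostProcessor() *HostProcessor { return &HostProcessor{keys: map[string][]byte{}} }
// Import decrypts a key ciphertext with the negotiated protection key and stores it locally.
func (h *HostProcessor) Import(keyID string, protectionKey, sealed []byte) error {
	gcm := mustGCM(protectionKey)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return errors.New("key ciphertext too short")
	}
	plain, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return err // wrong protection key or tampered ciphertext: nothing is stored
	}
	h.keys[keyID] = plain
	return nil
}
// MAC is the operation the host exposes to virtual machines through the virtual processor interface.
func (h *HostProcessor) MAC(keyID string, msg []byte) ([]byte, error) {
	k, ok := h.keys[keyID]
	if !ok {
		return nil, errors.New("no key with identifier " + keyID)
	}
	m := hmac.New(sha256.New, k)
	m.Write(msg)
	return m.Sum(nil), nil
}
// Stage 2: a virtual machine holds only the key allocation configuration pushed by its host
// (a key identifier), never key material, and forwards every operation to the host.
type VirtualMachine struct{ Host *HostProcessor; KeyID string }
func (vm *VirtualMachine) Operate(msg []byte) ([]byte, error) { return vm.Host.MAC(vm.KeyID, msg) }
```

A server that negotiated a different protection key cannot import the ciphertext, and a virtual machine configured with an identifier the host never received gets an error instead of a result.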
Embodiment 2: Asymmetric key distribution
Preferably, as shown in fig. 7, fig. 7 is a seventh flowchart of a cloud platform key distribution method based on a cryptographic processor according to the present invention; step 200 further comprises: step 220, the cloud platform management module selects any one of the server devices as the main server device for identity authentication, and after the identity authentication succeeds the main server device is used to encrypt the key to be distributed; step 230, each server device decrypts the received ciphertext with its encryption private key.
Preferably, as shown in fig. 8, fig. 8 is an eighth flowchart of a cloud platform key distribution method based on a cryptographic processor according to the present invention; step 220 includes: step 221, a signature private key, an encryption private key and a certificate application file are generated in the main server device; step 222, the cloud platform management module sends the encryption certificate of the device to which the key is to be distributed to the main server device; step 223, the main server device encrypts the signature private key and the encryption private key with that encryption certificate and returns the encrypted signature private key and encryption private key to the cloud platform management module.
Embodiment 2 differs from embodiment 1 in the authentication and key encryption and decryption steps; the other steps are the same as in embodiment 1.
The cloud platform management module randomly selects one main server device and the two perform mutual identity authentication based on the SM2 national cryptographic algorithm; after authentication succeeds a certificate application is made, a signature private key, an encryption private key and a certificate application file are generated in the main server device, and finally the dual certificates (signature and encryption) are imported.
The management module sends the encryption certificates of the other devices to which keys are to be distributed to the main server device.
The main server device encrypts the signature private key and the encryption private key to be distributed with those encryption certificates and returns the encrypted private keys and the encryption certificate to the cloud platform management module.
The cloud platform management module sends the key ciphertext, together with the virtual machine information of each server device, to each server device; each server device decrypts it with its private key and stores the result locally.
By configuring a cryptographic processor on both the cloud platform and the server devices, cryptographic operation performance is enhanced and keys can be distributed to the server devices safely and efficiently. A two-stage key distribution flow (cloud platform to server device, then server device to virtual machine) is constructed, which reduces the number of items the cloud platform distributes at one time and limits distribution to each physical server device to at most once. Distribution to the virtual machines is performed by the host machine of the server device, which reduces the impact of data loss or omission during distribution and ensures that every virtual machine eventually receives its key. Each virtual machine manages its own key: a failure of one virtual machine has no effect on the key use of the others, and when a virtual machine migrates, the migrated virtual machine can continue to use the imported key with no effect on key use.
Embodiment 3
In a second aspect, as shown in fig. 9, fig. 9 is a schematic diagram of a cloud platform key distribution system based on a cryptographic processor according to the present invention. The cryptographic processor-based cloud platform key distribution system adopts the method of the first aspect and comprises a cloud platform and a server group; the cloud platform is in communication connection with the server group; the cloud platform comprises a cloud platform management module and a first cryptographic processor, the server group comprises a plurality of server devices in communication connection with each other, and each server device comprises a second cryptographic processor; the cloud platform management module and the server devices perform identity authentication with the SM2 algorithm, the key to be distributed is encrypted after authentication succeeds, the cloud platform management module sends the key ciphertext to each server device, and each server device decrypts the key ciphertext and stores it locally; the cloud platform management module is further used to send the key allocation configuration information of the virtual machine to the server device, and the server device pushes it to the virtual machine on the server device.
The server group may include server device 1, server device 2, ..., server device n.
The cloud management platform serves as the management system that interfaces with the server devices (namely the physical servers or host machines), allocates server device resources, and generates and manages virtual machines. Each server device contains a processor with cryptographic capability (the second cryptographic processor), and a virtual machine generated on the server device can also use the interface of that cryptographic processor through virtualization technology.
Each server device also includes a cache and a key management service module, and can generate a plurality of virtual machines with corresponding virtual key management service modules and virtual cryptographic processors.
By implementing the cryptographic processor-based cloud platform key distribution method and system, cryptographic operation performance is enhanced by configuring a cryptographic processor on both the cloud platform and the server devices, and keys can be distributed to the server devices safely and efficiently. A two-stage key distribution flow (cloud platform to server device, then server device to virtual machine) is constructed, which reduces the number of items the cloud platform distributes at one time and limits distribution to each physical server device to at most once. Distribution to the virtual machines is performed by the host machine of the server device, which reduces the impact of data loss or omission during distribution and ensures that every virtual machine eventually receives its key. Each virtual machine manages its own key: a failure of one virtual machine has no effect on the key use of the others, and when a virtual machine migrates, the migrated virtual machine can continue to use the imported key with no effect on key use.
The foregoing is only illustrative of the present invention and is not to be construed as limiting it; modifications, equivalent arrangements, improvements and the like made within the spirit and principles of the present invention are encompassed by it.

Claims (10)

1. A cloud platform key distribution method based on a cryptographic processor, characterized by comprising the following steps:
Step 100, initializing a cloud platform and a server group respectively, wherein the cloud platform is in communication connection with the server group, the cloud platform comprises a cloud platform management module and a first cryptographic processor, the server group comprises a plurality of server devices, and the server devices comprise a cache and a second cryptographic processor;
Step 200, the cloud platform management module and the server devices perform identity authentication with an SM2 algorithm, a key to be distributed is encrypted after authentication succeeds, the cloud platform management module sends the key ciphertext to each server device, and each server device decrypts the key ciphertext and stores it locally;
Step 300, the cloud platform management module sends the key allocation configuration information of the virtual machine to the server device, and the server device pushes the key allocation configuration information to the virtual machine on the server device.
2. The cryptographic processor-based cloud platform key distribution method according to claim 1, wherein step 100 comprises:
Step 110, the cloud platform management module generates a national cryptographic signing key and an encryption key by using the first cryptographic processor, and imports an issuing certificate;
Step 120, the server device generates a cryptographic device key, a signature certificate and an encryption certificate by using a second cryptographic processor;
Step 130, entering the server device information into the cloud platform management module, and the cloud platform management module sending an issuing certificate to the server device according to the server device information.
3. The cryptographic processor-based cloud platform key distribution method according to claim 1, wherein step 200 comprises:
Step 210, the cloud platform management module negotiates with the server device to encrypt and decrypt the key to be distributed.
4. The cryptographic processor-based cloud platform key distribution method according to claim 3, wherein step 210 comprises:
Step 211, the cloud platform management module negotiates a protection key with the server equipment based on random numbers sent by both parties after the identity authentication is successful;
Step 212, after receiving the key ciphertext, the server device decrypts the key ciphertext with the protection key negotiated with the cloud platform.
5. The cryptographic processor-based cloud platform key distribution method according to claim 2, wherein step 200 further comprises:
Step 220, the cloud platform management module selects any one of the server devices as a main server device to perform identity authentication, and encrypts a key to be distributed by using the main server device after the identity authentication is successful;
Step 230, each server device decrypts the received ciphertext with its encryption private key.
6. The cryptographic processor-based cloud platform key distribution method according to claim 5, wherein step 220 comprises:
Step 221, generating a signature private key, an encryption private key and a certificate application file in the main server equipment;
step 222, the cloud platform management module sends the device encryption certificate to which the key is to be distributed to the main server device;
Step 223, the main server device encrypts the signature private key and the encryption private key with the encryption certificate and returns the encrypted signature private key and encryption private key to the cloud platform management module.
7. The cryptographic processor-based cloud platform key distribution method according to claim 3 or 5, wherein step 300 comprises:
Step 310, the virtual machine obtains a virtual processor through the virtualization technology of the second cryptographic processor;
step 320, the cloud platform management module sends the key configuration information of the virtual machine to the server device;
step 330, the server device pushes the key configuration information to the virtual machine;
Step 340, the virtual machine stores the configuration information locally.
8. The cryptographic processor-based cloud platform key distribution method according to claim 7, wherein the method further comprises:
Step 400, the virtual machine calls the cryptographic processor of the server device through the cryptographic interface of the virtual cryptographic processor to perform a cryptographic operation;
Step 500, the cryptographic operation is completed and the operation result is returned to the application in the virtual machine through the virtual cryptographic processor.
9. The cryptographic processor-based cloud platform key distribution method according to claim 8, wherein step 400 comprises:
Step 410, the virtual machine reads the local key allocation information to obtain a key number or key identifier;
Step 420, transmitting the key number or key identification to a cryptographic interface of a second cryptographic processor through a virtualization technology;
Step 430, calling the second cryptographic processor through the cryptographic interface to perform the operation.
10. A cloud platform key distribution system based on a cryptographic processor, employing the method of any of claims 1-9, comprising:
a cloud platform;
a server group;
the cloud platform is in communication connection with the server group;
the cloud platform comprises a cloud platform management module and a first cryptographic processor, the server group comprises a plurality of server devices in communication connection with each other, and the server devices comprise a second cryptographic processor;
the cloud platform management module performs identity authentication with the server devices using an SM2 algorithm, encrypts a key to be distributed after authentication succeeds, and sends the key ciphertext to each server device, and each server device decrypts the key ciphertext and stores it locally;
the cloud platform management module is further configured to send the key allocation configuration information of the virtual machine to the server device, and the server device pushes it to the virtual machine on the server device.

Priority Applications (1)

CN202410133452.0A, priority date 2024-01-31, filing date 2024-01-31: Cloud platform key distribution method and system based on password processor

Publications (1)

CN117914489A, published 2024-04-19 (status: pending)

Family

ID=90685855; country status: CN (1), CN117914489A


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination