Method and system for obtaining remote encryption instructions based on CSP
Technical field
The present invention relates to the field of CSP encryption technology, and specifically to a method and system for obtaining remote encryption instructions based on CSP.
Background technology
A Cryptographic Service Provider (CSP) is the low-level cryptographic interface developed for the Windows family of operating systems; it implements encryption instruction operations such as data encryption, decryption, digital signature, verification and data digesting. An application calls it through the CryptoAPI family of functions. Its object of operation is the container: a container holds an encryption public/private key pair, an encryption certificate, a signing public/private key pair and a signing certificate, and operations such as encryption/decryption and signing/signature verification are completed through the container.
CSP is the foundation of Windows security applications: implementing secure HTTPS browsing (that is, SSL secure data communication) and secure tunnelling (such as IPsec) in a Windows operating system both require a CSP to take part in the cryptographic operations.
The architecture of the existing CSP is shown in Fig. 1. Three application programs, Application A, Application B and Application C, run in the Application Layer. The CryptoAPI part of the intermediate System Layer belongs to the operating system: every access to the U-shield is first delivered to this layer, which then, according to the vendor and model of the U-shield, accesses the corresponding vendor CSP module (the CSP modules of the Service Provider Layer in Fig. 1: (CSP) #1, (CSP) #2, (CSP) #3), and the concrete vendor CSP module finally performs the real access to the U-shield device.
When an application program accesses the U-shield, it calls the API functions of CryptoAPI, which in turn invoke the vendor CSP module. The 25 API functions reached through CryptoAPI are listed below.
1 | CPAcquireContext
2 | CPReleaseContext
3 | CPGenKey
4 | CPDeriveKey
5 | CPDestroyKey
6 | CPSetKeyParam
7 | CPGetKeyParam
8 | CPExportKey
9 | CPImportKey
10 | CPEncrypt
11 | CPDecrypt
12 | CPCreateHash
13 | CPHashData
14 | CPHashSessionKey
15 | CPDestroyHash
16 | CPSignHash
17 | CPVerifySignature
18 | CPGenRandom
19 | CPGetUserKey
20 | CPSetProvParam
21 | CPGetProvParam
22 | CPSetHashParam
23 | CPGetHashParam
24 | CPDuplicateHash
25 | CPDuplicateKey
What the existing CSP architecture in Fig. 1 shows is the typical mode of local access to the U-shield. With the rapid development of network information technology and the wide application of network transactions, the mode of local access to the U-shield places a great restriction on network transaction scenarios: operators want to access the U-shield remotely and securely, so as to carry out work such as secure network transactions anywhere and at any time.
Summary of the invention
The present invention provides a method and system for obtaining remote encryption instructions based on CSP, which can realise secure remote access to a U-shield and so solve the problem described above.
A method for obtaining remote encryption instructions based on CSP provided by an embodiment of the present invention includes the steps:
A: establishing a local first CSP module and, separately, establishing a CSP calling module on a remote device;
B: the first CSP module obtains, through the local CryptoAPI, an encryption instruction request sent by an application program, encodes the encryption instruction request to generate a request data packet, and sends the request data packet to the CSP calling module of the remote device;
C: the CSP calling module translates the request data packet into the CSP function call corresponding to the CryptoAPI of the remote device, accesses through the CryptoAPI of the remote device the second CSP module of the encrypted smart card device connected to the remote device, and reads the encryption instruction of the encrypted smart card device through the second CSP module;
D: the CSP calling module converts the encryption instruction into a result data packet and sends the result data packet back to the first CSP module; the first CSP module translates the result data packet into the encryption instruction and sends the encryption instruction to the application program through the local CryptoAPI.
Preferably, a step E of association registration is further included after step A: the configuration information of the second CSP module is replaced with the configuration information of the local first CSP module and then inserted into the operating system registry.
Preferably, the association registration step includes:
E1: calling the first CSP module through the local CryptoAPI, and sending from the first CSP module to the CSP calling module a request to obtain the configuration information of the second CSP module;
E2: the CSP calling module sends the request to obtain the second CSP module's configuration information to the second CSP module through the CryptoAPI of the remote device, obtains the second CSP module's configuration information, and then sends it back to the first CSP module;
E3: the configuration information of the second CSP module obtained by the first CSP module is replaced with the configuration information of the local first CSP module and then inserted into the operating system registry.
Preferably, data is transmitted bidirectionally over a socket network connection between the first CSP module and the CSP calling module.
Preferably, the encrypted smart card device is a U-shield.
Based on the method for obtaining remote encryption instructions based on CSP in the above embodiment, an embodiment of the present invention further provides a system for obtaining remote encryption instructions based on CSP, including:
a CSP simulation unit and a program simulation unit, for respectively establishing the local first CSP module and establishing the CSP calling module of the remote device;
an encryption instruction request unit, for the first CSP module to obtain, through the local CryptoAPI, the encryption instruction request sent by an application program, encode the encryption instruction request to generate a request data packet, and send the request data packet to the CSP calling module of the remote device;
an encryption instruction acquisition unit, for the CSP calling module to translate the request data packet into the CSP function call corresponding to the CryptoAPI of the remote device, access through the CryptoAPI of the remote device the second CSP module of the encrypted smart card device connected to the remote device, and read the encryption instruction of the encrypted smart card device through the second CSP module;
an encryption instruction feedback unit, for the CSP calling module to convert the encryption instruction into a result data packet and send the result data packet back to the first CSP module, and for the first CSP module to translate the result data packet into the encryption instruction and send the encryption instruction to the application program through the local CryptoAPI.
Preferably, the system further includes an association registration unit, for replacing the configuration information of the second CSP module with the configuration information of the local first CSP module and inserting it into the operating system registry.
Preferably, the association registration unit includes:
a remote CSP module configuration information request unit, for calling the first CSP module through the local CryptoAPI and sending from the first CSP module to the CSP calling module a request to obtain the second CSP module's configuration information;
a remote CSP module configuration information acquisition unit, for the CSP calling module to send the request to obtain the second CSP module's configuration information to the second CSP module through the CryptoAPI of the remote device, obtain the second CSP module's configuration information, and then send it back to the first CSP module;
a configuration information replacement unit, for replacing the configuration information of the second CSP module obtained by the first CSP module with the configuration information of the local first CSP module and inserting it into the operating system registry.
It can be seen from the above technical solution that the embodiment of the present invention, on the basis of the CSP architecture, creates a standard first CSP module locally to simulate the vendor's CSP module, and creates a CSP calling module on the remote device to simulate an application program of the application layer. Through the communication link between the first CSP module and the CSP calling module, the local device obtains access to the second CSP module of the encrypted smart card device connected to the remote device, so that an application program running locally can obtain the encryption instructions of the encrypted smart card device connected to the remote device.
Description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
Fig. 1 is the architecture diagram of an existing CSP;
Fig. 2 is the flow chart of the method for obtaining remote encryption instructions based on CSP in Embodiment 1 of the present invention;
Fig. 3 is the CSP extension architecture diagram in Embodiment 1 of the present invention;
Fig. 4 is the flow chart of the association registration step in Embodiment 1 of the present invention.
Detailed description of the invention
The technical solutions in the embodiments of the present invention are described clearly and completely below in conjunction with the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
Embodiment 1:
An embodiment of the present invention provides a method for obtaining remote encryption instructions based on CSP which, as shown in Fig. 2, includes the following steps.
Step 101: establishing a local first CSP module and establishing a CSP calling module on a remote device.
In this step the establishment of the first CSP module and the establishment of the CSP calling module can be carried out separately and at the same time. The main purpose is to build a CSP extension architecture, shown in Fig. 3. The first CSP module is a standard CSP module and can therefore simulate the CSP module of an actual encrypted smart card device. An encrypted smart card device is a device with a built-in miniature smart card processor that can provide cryptographic algorithms; specifically, in the embodiments of the present invention the encrypted smart card device is a U-shield. A U-shield is a tool for electronic signature and digital authentication in online banking: it has a built-in miniature smart card processor and uses a 1024-bit asymmetric key algorithm to encrypt, decrypt and digitally sign online data, ensuring the confidentiality, authenticity, integrity and non-repudiation of online transactions.
The CSP calling module simulates an application program of the application layer on the remote device: like an application program, it accesses the CSP module through CryptoAPI. CryptoAPI is the application programming interface (API) provided as part of Microsoft Windows. It provides a set of functions that allow an application program to encrypt or digitally sign data in a flexible way while protecting the user's sensitive private key data; the actual cryptographic operations are performed by independent modules called cryptographic service providers (CSPs). Therefore, in the embodiment of the present invention the CSP calling module, like an application program, runs in the application layer.
After the first CSP module and the CSP calling module have been established in this step, the configuration information of the first CSP module must also be recorded in the system registry. The configuration information of a CSP module includes the program path, the program name and the model of the concrete vendor's encrypted smart card device (for example the U-shield model), so that the system can call this CSP module accurately according to the configuration information. However, the CSP module configuration information that the system recognises by default is that of the concrete vendor (that is, the configuration information of the second CSP module). Therefore a step of association registration between the first CSP module and the second CSP module has to be carried out on the local device: the configuration information of the second CSP module is replaced with the configuration information of the local first CSP module and then inserted into the operating system registry. This association registration could be carried out by manually modifying the system registry, but because the system registry, as a public configuration file, can be modified arbitrarily by users, the embodiment of the present invention provides a step that completes the association registration automatically, as shown in Fig. 4.
Step 1011: calling the first CSP module through the local CryptoAPI; the first CSP module sends to the CSP calling module a request to obtain the configuration information of the second CSP module. In the embodiment of the present invention a socket network transmission function is implemented between the first CSP module and the CSP calling module, that is, data is transmitted bidirectionally between the first CSP module and the CSP calling module over a socket network connection. In this step the first CSP module can encode the request to obtain the second CSP module's configuration information into a request data packet, so that, for the safe and reliable transmission of the data, the request is sent to the CSP calling module in the form of a data packet.
Step 1012: the CSP calling module sends the request to obtain the second CSP module's configuration information to the second CSP module through the CryptoAPI of the remote device, obtains the second CSP module's configuration information, and then sends it back to the first CSP module. In this step, after the CSP calling module receives the request data packet from step 1011, it translates the request data packet and generates a CSP function call, so that the request to obtain the second CSP module's configuration information reaches the second CSP module through the CryptoAPI of the remote device and the second CSP module's configuration information is obtained; this information is then sent back to the first CSP module. It can be understood that before it is sent back, the second CSP module's configuration information can likewise be encoded to generate a result data packet, which is then sent back to the first CSP module, and the first CSP module in turn translates the result data packet to restore the second CSP module's configuration information.
Step 1013: the configuration information of the second CSP module obtained by the first CSP module is replaced with the configuration information of the local first CSP module and then inserted into the operating system registry. At this point the association registration is complete. It can be seen that when an application program in the system needs to call the CSP module, because the configuration information of the second CSP module has been replaced with that of the first CSP module, the application program will, according to the replaced CSP module configuration information, start the first CSP module and so access the second CSP module remotely. The remote access steps are described further below.
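The association registration step above rewrites the vendor provider's registry entry so that it points at the virtual CSP, and the text itself notes that the registry is a public configuration file anyone can modify. A practitioner therefore wants a way to tell whether a registered provider's DLL has changed. The following is an added example, not code from the patent: it parses a constructed text in the format produced by a registry export and compares each CSP provider's Image Path and Type against a known-good baseline. The key location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider and the value names Image Path and Type are the ones Windows uses for CSP registration; the provider name "Example Vendor USB Key CSP", the DLL paths and the baseline dictionary are constructed for the example.

```python
"""Compare exported CSP registrations against a baseline and flag providers whose
registered DLL (Image Path) or Type has changed. Constructed example."""
import re

PROVIDER_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider"

# Constructed registry-export text, taken after an association-registration step
# has pointed the vendor provider's entry at a different DLL. Backslashes are
# doubled exactly as a .reg export writes them.
EXPORTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced Cryptographic Provider v1.0]
"Image Path"="rsaenh.dll"
"Type"=dword:00000001
"SigInFile"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Example Vendor USB Key CSP]
"Image Path"="C:\\Program Files\\VirtualCSP\\vcsp.dll"
"Type"=dword:00000001
"SigInFile"=dword:00000000
'''

# Constructed known-good baseline recorded before the change: name -> (Image Path, Type).
BASELINE = {
    "Microsoft Enhanced Cryptographic Provider v1.0": ("rsaenh.dll", 1),
    "Example Vendor USB Key CSP": (r"C:\Program Files\ExampleVendor\vendorcsp.dll", 1),
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _unescape(value):
    """Decode a .reg string value: strip the quotes, undo escaped quotes and doubled backslashes."""
    return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_providers(reg_text):
    """Return {provider name: {value name: value}} for every key under PROVIDER_ROOT."""
    providers, current = {}, None
    prefix = (PROVIDER_ROOT + "\\").lower()
    for line in reg_text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current = None
            if key.group(1).lower().startswith(prefix):
                current = key.group(1)[len(prefix):]
                providers[current] = {}
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name, raw = value.group(1), value.group(2)
            if raw.startswith("dword:"):
                providers[current][name] = int(raw[6:], 16)
            elif raw.startswith('"'):
                providers[current][name] = _unescape(raw)
    return providers


def find_redirected_providers(reg_text, baseline):
    """List (provider, expected Image Path, observed Image Path) for every provider whose
    Image Path or Type differs from the baseline, or that the baseline does not know."""
    findings = []
    for name, values in parse_providers(reg_text).items():
        observed = (values.get("Image Path"), values.get("Type"))
        expected = baseline.get(name)
        if expected is None:
            findings.append((name, "not in baseline", observed[0]))
        elif observed != expected:
            findings.append((name, expected[0], observed[0]))
    return findings


if __name__ == "__main__":
    for finding in find_redirected_providers(EXPORTED_REG, BASELINE):
        print("CSP registration changed:", finding)
```

A real export written by reg.exe is UTF-16 with a byte-order mark, so decode the file before passing its text to parse_providers. Because the association registration only changes which DLL the provider name resolves to, the Image Path comparison is exactly the check that reveals it; an unsigned or out-of-place DLL in a provider entry deserves the same attention whether it was put there by this mechanism or by something else.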
Step 102: the first CSP module obtains, through the local CryptoAPI, the encryption instruction request sent by the application program, encodes the encryption instruction request to generate a request data packet, and sends the request data packet to the CSP calling module of the remote device.
When an application program running in the system needs a cryptographic service, for example when an Industrial and Commercial Bank online banking program needs to access the U-shield to obtain a key, the application program sends an encryption instruction request to the CSP module through CryptoAPI. Because in the embodiment of the present invention the first CSP module simulates the existing local CSP module, the first CSP module obtains, through the local CryptoAPI, the encryption instruction request sent by the application program, encodes the encryption instruction request into a request data packet as in step 1011 above, and then sends the request data packet to the CSP calling module of the remote device, thereby achieving a kind of "pipeline transfer" effect.
Step 103: the CSP calling module translates the request data packet into the CSP function call corresponding to the CryptoAPI of the remote device, accesses through the CryptoAPI of the remote device the second CSP module of the encrypted smart card device connected to the remote device, and reads the encryption instruction of the encrypted smart card device through the second CSP module.
The CSP function calls corresponding to CryptoAPI in the embodiment of the present invention number 25 in total; these 25 function calls were introduced in the background section above and are not repeated here.
It can be understood that after the CSP calling module receives the request data packet from step 102, it can translate the packet and generate the function call in the manner of step 1012 above, thereby accessing the second CSP module through the CryptoAPI of the remote device and obtaining the encryption instruction. At this point the complete remote CSP access path has been established.
Step 104: the CSP calling module converts the encryption instruction into a result data packet and sends the result data packet back to the first CSP module; the first CSP module translates the result data packet into the encryption instruction and sends the encryption instruction to the application program through the local CryptoAPI.
In this step the CSP calling module converts (that is, encodes) the encryption instruction from step 103 into a result data packet in the same manner as step 1012 above and sends the result data packet back to the first CSP module. The first CSP module translates the result data packet to restore the encryption instruction; at this point the first CSP module is equivalent to the CSP module of a local U-shield that holds the encryption instruction, and the encryption instruction can be delivered through the local CryptoAPI to the application program that sent the request.
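The request-packet and result-packet round trip of steps 102 to 104 (and the same packet mechanism used for the configuration request in steps 1011 and 1012), simulated end to end as an added example; this is not code from the patent. The packet layout (magic, version, opcode, length, CRC32), the numbering of the 25 entry points as opcodes, the stub standing in for the vendor's second CSP module and the callable standing in for the socket are all assumptions of this example. The point it adds to the text is what "safe and reliable transmission" needs at minimum: the receiving side validates framing, length and checksum before any packet is translated into a CSP call, and answers malformed input with an error packet instead of raising.

```python
"""Simulated request/result packet round trip between the local first CSP module
(virtual CSP) and the CSP calling module on the remote device. Constructed
example: packet layout, opcode numbering, the stub vendor CSP and the callable
standing in for the socket are all assumptions."""
import secrets
import struct
import zlib

# The 25 entry points from the background table; opcode n = row n (assumed).
CSP_FUNCTIONS = [
    "CPAcquireContext", "CPReleaseContext", "CPGenKey", "CPDeriveKey",
    "CPDestroyKey", "CPSetKeyParam", "CPGetKeyParam", "CPExportKey",
    "CPImportKey", "CPEncrypt", "CPDecrypt", "CPCreateHash", "CPHashData",
    "CPHashSessionKey", "CPDestroyHash", "CPSignHash", "CPVerifySignature",
    "CPGenRandom", "CPGetUserKey", "CPSetProvParam", "CPGetProvParam",
    "CPSetHashParam", "CPGetHashParam", "CPDuplicateHash", "CPDuplicateKey",
]
OPCODE = {name: i + 1 for i, name in enumerate(CSP_FUNCTIONS)}
OP_PROTOCOL_ERROR = 0            # reply-only opcode: request could not be decoded
STATUS_OK, STATUS_ERR = 0, 1     # first byte of every result payload
MAGIC = b"VCSP"
HEADER = struct.Struct("!4sBBI")  # magic, version, opcode, payload length
MAX_PAYLOAD = 64 * 1024

def encode_packet(opcode, payload):
    """Frame opcode + payload with a trailing CRC32 so corruption is caught before dispatch."""
    if not 0 <= opcode <= len(CSP_FUNCTIONS) or len(payload) > MAX_PAYLOAD:
        raise ValueError("unknown opcode or payload too large")
    body = HEADER.pack(MAGIC, 1, opcode, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))

def decode_packet(data):
    """Validate framing and return (opcode, payload); ValueError on any defect."""
    if len(data) < HEADER.size + 4:
        raise ValueError("short packet")
    magic, version, opcode, length = HEADER.unpack_from(data)
    if magic != MAGIC or version != 1 or opcode > len(CSP_FUNCTIONS):
        raise ValueError("bad magic, version or opcode")
    if length > MAX_PAYLOAD or len(data) != HEADER.size + length + 4:
        raise ValueError("length mismatch")
    if zlib.crc32(data[:-4]) != struct.unpack("!I", data[-4:])[0]:
        raise ValueError("checksum mismatch")
    return opcode, bytes(data[HEADER.size:HEADER.size + length])

class StubVendorCsp:
    """Stand-in for the second (vendor) CSP module behind the remote CryptoAPI."""
    def __init__(self):
        self.handles, self.next_handle = set(), 1

    def call(self, name, payload):
        try:
            if name == "CPAcquireContext":
                handle, self.next_handle = self.next_handle, self.next_handle + 1
                self.handles.add(handle)
                return STATUS_OK, struct.pack("!I", handle)
            if name == "CPGenRandom":
                handle, count = struct.unpack("!II", payload)
                if handle not in self.handles or count > 4096:
                    return STATUS_ERR, b"invalid handle or length"
                return STATUS_OK, secrets.token_bytes(count)
        except struct.error:
            return STATUS_ERR, b"malformed arguments"
        return STATUS_ERR, b"entry point not modelled by stub"

def remote_calling_module(vendor_csp, request):
    """CSP calling module: request packet -> CSP function call -> result packet."""
    try:
        opcode, payload = decode_packet(request)
        if opcode == OP_PROTOCOL_ERROR:
            raise ValueError("opcode 0 is reply-only")
    except ValueError as exc:   # never let a malformed packet raise back to the peer
        return encode_packet(OP_PROTOCOL_ERROR, bytes([STATUS_ERR]) + str(exc).encode())
    status, data = vendor_csp.call(CSP_FUNCTIONS[opcode - 1], payload)
    return encode_packet(opcode, bytes([status]) + data)

class VirtualCsp:
    """First CSP module: forwards each local entry-point call through `transport`."""
    def __init__(self, transport):
        self.transport = transport   # callable standing in for the socket

    def call(self, name, payload=b""):
        opcode = OPCODE[name]
        reply_opcode, result = decode_packet(self.transport(encode_packet(opcode, payload)))
        if reply_opcode not in (opcode, OP_PROTOCOL_ERROR) or not result:
            raise ValueError("reply does not match request")
        return result[0], result[1:]

def demo():
    """Acquire a context, then draw 16 random bytes through it: a full round trip."""
    vendor = StubVendorCsp()
    vcsp = VirtualCsp(lambda pkt: remote_calling_module(vendor, pkt))
    status_a, raw = vcsp.call("CPAcquireContext")
    (handle,) = struct.unpack("!I", raw)
    status_r, rnd = vcsp.call("CPGenRandom", struct.pack("!II", handle, 16))
    return status_a, handle, status_r, len(rnd)

def tampered_request_is_rejected():
    """Flip one payload bit: the remote side must answer a protocol error, not dispatch."""
    pkt = bytearray(encode_packet(OPCODE["CPGenRandom"], struct.pack("!II", 1, 16)))
    pkt[HEADER.size] ^= 0x80
    opcode, result = decode_packet(remote_calling_module(StubVendorCsp(), bytes(pkt)))
    return opcode == OP_PROTOCOL_ERROR and result[0] == STATUS_ERR
```

Calling demo() walks the local virtual CSP through CPAcquireContext and CPGenRandom exactly as an application would through CryptoAPI, with every call crossing the packet boundary and back. The CRC only catches accidental corruption; because the channel carries signing and decryption requests for the U-shield, a deployment of this design would also authenticate both endpoints and encrypt the socket (for example with TLS), which the packet format alone does not provide.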
It can be understood that the embodiment of the present invention has no effect on the existing encryption flow; it simply replaces the original CSP module (the vendor's concrete CSP module) with a virtual CSP module (the first CSP module), so that when a CSP handle is obtained, what is obtained is the CSP module on the remote device, thereby achieving the purpose of using the U-shield on the remote device for encryption and decryption. The concrete encryption flow is therefore not described in detail in the embodiment of the present invention.
It can be seen from the above technical solution that the technical idea of the present invention is a U-shield technology based on an extension of the CSP architecture, which enables a computer not only to access the smart card device of the local machine but also to access a smart card device inserted in a remote computer, and to use smart-card-based security applications through that device. Smart card devices based on the CSP architecture all support the general CSP interface and provide a CSP module (referred to as the vendor CSP). The embodiment of the present invention implements a virtual CSP module (referred to below as the virtual CSP) installed on the local computer, while the vendor CSP is installed on the remote computer and the encrypted smart card device (referred to below as the U-shield) is likewise inserted in the remote computer. The virtual CSP supports the general CSP interface (the 25 system APIs), receives the accesses from the local computer's security applications in place of the vendor CSP, forwards them to the vendor CSP on the remote computer, receives the return information from the vendor CSP and forwards it back to the security applications. This achieves a redirection of the secure access to the vendor CSP and hence a redirection of the secure access to the U-shield, so that a user's experience of using the U-shield on the remote computer is the same as using a U-shield on the local machine. The present invention can be applied in scenarios such as desktop and application virtualisation, extending the virtual use of applications to the field of smart card devices.
Embodiment 2:
Based on the method of Embodiment 1 above, an embodiment of the present invention provides a system for obtaining remote encryption instructions based on CSP, including:
a CSP simulation unit and a program simulation unit, for respectively establishing the local first CSP module and establishing the CSP calling module of the remote device;
an encryption instruction request unit, for the first CSP module to obtain, through the local CryptoAPI, the encryption instruction request sent by an application program, encode the encryption instruction request to generate a request data packet, and send the request data packet to the CSP calling module of the remote device;
an encryption instruction acquisition unit, for the CSP calling module to translate the request data packet into the CSP function call corresponding to the CryptoAPI of the remote device, access through the CryptoAPI of the remote device the second CSP module of the encrypted smart card device connected to the remote device, and read the encryption instruction of the encrypted smart card device through the second CSP module;
an encryption instruction feedback unit, for the CSP calling module to convert the encryption instruction into a result data packet and send the result data packet back to the first CSP module, and for the first CSP module to translate the result data packet into the encryption instruction and send the encryption instruction to the application program through the local CryptoAPI.
In order to realise the association registration between the first CSP module and the second CSP module, the system further includes an association registration unit, which replaces the configuration information of the second CSP module with the configuration information of the local first CSP module and inserts it into the operating system registry.
Specifically, the association registration unit includes:
a remote CSP module configuration information request unit, for calling the first CSP module through the local CryptoAPI and sending from the first CSP module to the CSP calling module a request to obtain the second CSP module's configuration information;
a remote CSP module configuration information acquisition unit, for the CSP calling module to send the request to obtain the second CSP module's configuration information to the second CSP module through the CryptoAPI of the remote device, obtain the second CSP module's configuration information, and then send it back to the first CSP module;
a configuration information replacement unit, for replacing the configuration information of the second CSP module obtained by the first CSP module with the configuration information of the local first CSP module and inserting it into the operating system registry.
In use, it is only necessary to run the association registration unit to complete the automatic association registration of the first CSP module and the second CSP module.
It should be noted that, because the exchange of information and the execution process between the above system and the units within it are based on the same concept as the method embodiment of the present invention, the specific content can be found in the description of the method embodiment and is not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the various methods in the above embodiments can be completed by a program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium, which may include read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The method and system for obtaining remote encryption instructions based on CSP provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present invention, and the explanation of the above embodiments is only intended to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, according to the idea of the present invention, make changes to the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.