CN105933118A - Communication method and system, PCI password card and remote management medium - Google Patents
- Publication number: CN105933118A (CN201610412873.2A)
- Authority: CN (China)
- Prior art keywords: communication, cipher card, result, PCI cipher, random number
- Legal status: Pending
Abstract
The invention relates to a communication method and system, a PCI password card and a remote management medium. The communication method is applied in the PCI password card and comprises the following steps: step 1, receiving an external call instruction, sending a communication establishment request to the remote management medium according to the call instruction, and establishing communication with the remote management medium; step 2, starting a secure communication protocol, packaging communication-related information according to a command format preset by the secure communication protocol, and sending the packaged communication-related information to the remote management medium; step 3, receiving the processing result fed back by the remote management medium, the processing result being packaged in the command format preset by the secure communication protocol; step 4, verifying the processing result, and ending the communication between the PCI password card and the remote management medium when the verification succeeds. The invention solves the permission control and key management security problems of PCI password cards that support virtualization, and enables both communicating parties to defend against replay attacks.
Description
Technical field
The present invention relates to a communication method and system, a PCI cipher card and a remote management medium, and belongs to the field of information security.
Background
Domestic commercial encryption products have been developed and applied for more than ten years. Domestic commercial cryptographic technology has also developed considerably, and the application of integrated circuits to cryptography has made considerable progress. The emergence and development of domestic cryptographic chips provides the foundation and guarantee for implementing commercial cryptography in hardware, and effectively improves the processing capability and security of encryption devices.
For commercial symmetric ciphers, China has issued commercial cryptographic algorithms such as SSF33, SM1 and SM4 together with corresponding algorithm processing chips, and these are already widely used. Among public-key algorithms, RSA-2048 still stands alone, but with the rapid development of computer technology more and more people have begun to worry about the security of the RSA-2048 algorithm.
In 1985 it was proposed to replace the discrete logarithm over a finite field with the discrete logarithm on an elliptic curve, that is, the elliptic curve cryptosystem. The elliptic curve cryptosystem (ECC) is based on the difficulty of computing discrete logarithms on elliptic curves over finite fields; it has higher security strength than RSA-2048, and elliptic curve implementations are much faster than the RSA-2048 algorithm. In the United States, the ECC-based ECDSA signature algorithm became an ANSI standard as early as 1999. Chips supporting the domestic ECC standard, the SM2 elliptic curve, appeared in 2008; products such as KEYs, PCI cipher cards and cipher machines began to appear in 2009; and at the same time the State Cryptography Administration organized member units to build a CA pilot system. This shows that the conditions for applying ECC domestically are mature, and deployment has already begun in some closed systems.
PKI is currently the foundation of cryptographic applications, and many industries and fields depend on the support and guarantees that PKI provides. Current PKI systems are in transition from the RSA-2048 algorithm to the SM2 public-key algorithm. As the lowest-level hardware cryptographic module, the PCI cipher card is the first to be affected by this change.
Permission control for current PCI cipher cards is mostly a symmetric-algorithm-based scheme in which an intelligent IC card or USB key is connected to the PCI cipher card hardware. This model increasingly fails to meet customers' application requirements. For example, the server room in which the PCI cipher card is installed may be far from the workstation, so walking over to plug in an IC card or USB key every time the PCI cipher card is managed is very inconvenient; and PCI cipher cards that support virtualization will appear in the future, whose users may be in other locations. As technology continues to change, this permission control model, based on a symmetric-algorithm management mechanism and hardware connected to the PCI cipher card, will therefore be eliminated.
Summary of the invention
The technical problem to be solved by the present invention is to provide a communication method and system, a PCI cipher card and a remote management medium in which the SM2 cryptographic algorithm is the base algorithm for permission control and a secure communication protocol is designed around it.
The technical solution of the present invention is as follows: a communication method, applied in a PCI cipher card, comprising the following steps:
Step 1: receive an external call instruction, send a communication establishment request to the remote management medium according to the call instruction, and establish communication with the remote management medium;
Step 2: start the secure communication protocol, encapsulate the communication-related information in the command code format preset by the secure communication protocol, and send the encapsulated communication-related information to the remote management medium;
Step 3: receive the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 4: verify the processing result; when the verification passes, the PCI cipher card and the remote management medium end the communication; otherwise, discard the processing result and end the communication.
The beneficial effects of the present invention are: the invention solves the security problems of permission control and key management for PCI cipher cards that support virtualization; by using a session ID combined with a signature mechanism, it ensures that both communicating parties can resist replay attacks; and it removes the need to plug in an external management medium when managing the PCI cipher card, since remote management of the PCI cipher card can be achieved through the remote management medium.
On the basis of the above technical solution, the present invention can also be improved as follows.
Further, step 1 also includes: after communication with the remote management medium begins to be established, receiving and saving the public key sent by the remote management medium, the public key corresponding to the private key in the remote management medium.
The benefit of this further scheme is that identity is confirmed between the PCI cipher card and the remote management medium using the corresponding public key and private key, which prevents connection errors and ensures that the communication is correctly directed.
Further, the public key is the public key of an SM2 key, and the private key is the private key of an SM2 key.
The benefit of this further scheme is that SM2 is the elliptic curve public-key cryptographic algorithm issued by the State Cryptography Administration on December 17, 2010, and the SM2 cryptographic algorithm performs better than other existing cryptographic algorithms.
Further, step 2 specifically includes the following:
Start the secure communication protocol and generate a session ID and a first random number;
Encapsulate the communication content, the session ID and the first random number in the command code format preset by the secure communication protocol to obtain the encapsulated communication-related information, and send the encapsulated communication-related information to the remote management medium.
The benefit of this further scheme is that using a session ID enables both communicating parties to resist replay attacks, and encapsulating with command codes prevents the communication content from being obtained through illegal interception: even if the content is intercepted, it cannot be read without the corresponding command codes.
Further, the generated session ID and first random number are stored in the RAM of the PCI cipher card; when the secure communication protocol is started or the communication ends, the RAM of the PCI cipher card is updated, and a newly generated session ID and first random number replace the session ID and first random number stored in the RAM.
The benefit of this further scheme is that, because the session ID and the first random number are stored in the RAM of the PCI cipher card and the RAM is updated when the secure communication protocol is started or the communication ends, the session ID and the first random number stay constant within one communication, which keeps each communication unique and avoids crossed or erroneous sessions.
Further, step 3 specifically includes the following:
Receive the processing result fed back by the remote management medium and determine whether the session ID in the processing result is consistent with the session ID in the RAM; step 4 is performed only if they are consistent. The processing result is encapsulated in the command code format preset by the secure communication protocol.
The benefit of this further scheme is that the session ID is used to determine whether the result belongs to the same communication process; if it is inconsistent, the communication does not proceed.
Further, the verification in step 4 includes using the pre-stored public key to verify the first random number, the second random number and the signature information; the second random number is randomly generated by the remote management medium, and the signature information is produced by the remote management medium signing the second random number and the received first random number with the private key.
The technical solution of the present invention is as follows: a communication method, applied in a remote management medium, comprising the following steps:
Step 1: receive the communication request sent by the PCI cipher card;
Step 2: receive the encapsulated communication-related information sent by the PCI cipher card, process the communication-related information to obtain a processing result, and feed the processing result back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 3: the PCI cipher card verifies the processing result; receive the verification result sent by the PCI cipher card; when the verification passes, end the communication with the PCI cipher card; otherwise, discard the processing result and end the communication.
The beneficial effects of the present invention are: the invention solves the security problems of permission control and key management for PCI cipher cards that support virtualization; by using a session ID combined with a signature mechanism, it ensures that both communicating parties can resist replay attacks; and it removes the need to plug in an external management medium when managing the PCI cipher card, since remote management of the PCI cipher card can be achieved through the remote management medium.
On the basis of the above technical solution, the present invention can also be improved as follows.
Further, step 1 also includes generating a corresponding public key and private key pair according to the communication request and sending the public key to the PCI cipher card.
The benefit of this further scheme is that identity is confirmed between the PCI cipher card and the remote management medium using the corresponding public key and private key, which prevents connection errors and ensures that the communication is correctly directed.
Further, step 2 specifically includes:
Receive the encapsulated communication-related information sent by the PCI cipher card and decapsulate it according to the command codes of the secure communication protocol to obtain the session ID, the first random number and the communication content;
Randomly generate a second random number and use the private key to sign the first random number and the second random number, producing the signature information;
Encapsulate the session ID, the second random number and the signature information in the command code format preset by the secure communication protocol, and feed the encapsulated processing result back to the PCI cipher card.
The benefit of this further scheme is that command codes and the session ID provide double verification that ensures the correctness of the information, and feeding the session ID, the second random number and the signature information back to the PCI cipher card after encapsulation ensures the correspondence of the communication.
The technical solution of the present invention is as follows: a PCI cipher card, including a receiving module, an API interface, a result receiving module and a verification module;
The receiving module receives an external call instruction, sends a communication establishment request to the remote management medium according to the call instruction, and establishes communication with the remote management medium;
The API interface starts the secure communication protocol, encapsulates the communication-related information in the command code format preset by the secure communication protocol, and sends the encapsulated communication-related information to the remote management medium;
The result receiving module receives the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The verification module verifies the processing result; when the verification passes, the PCI cipher card and the remote management medium end the communication.
The technical solution of the present invention is as follows: a remote management medium, including a request receiving module, a communication processing module and a communication completion module;
The request receiving module receives the communication request sent by the PCI cipher card;
The communication processing module receives the encapsulated communication-related information sent by the PCI cipher card, processes the communication-related information to obtain a processing result, and feeds the processing result back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The communication completion module receives the verification result sent by the PCI cipher card and, when the verification passes, ends the communication with the PCI cipher card.
The technical solution of the present invention is as follows: a communication system, including the above PCI cipher card and remote management medium;
The PCI cipher card receives an external call instruction and establishes communication with the remote management medium according to the call instruction.
The beneficial effects of the present invention are: the invention provides a novel management mechanism with an open interface, so that customers can flexibly choose the carrier used for permission control, unlike the existing model in which only the medium supplied by the manufacturer can be used. For example, software and hardware devices such as a USB KEY or a soft certificate can act as permission control roles (such as administrator or operator); the carrier only needs to provide cryptographic functions such as random number generation, SM2 and SM3, and to be able to store keys securely.
Brief description of the drawings
Fig. 1 is a flowchart of the communication method described in Embodiment 1 of the present invention;
Fig. 2 is a flowchart of the communication method described in Embodiment 2 of the present invention;
Fig. 3 is a schematic structural diagram of the PCI cipher card described in Embodiment 3 of the present invention;
Fig. 4 is a schematic structural diagram of the remote management medium described in Embodiment 4 of the present invention;
Fig. 5 is a schematic structural diagram of the communication system described in Embodiment 5 of the present invention;
Fig. 6 is a schematic diagram of the communication protocol command format in the concrete example of the present invention.
In the drawings, the parts represented by each reference numeral are as follows:
1, receiving module; 2, API interface; 3, result receiving module; 4, verification module; 5, request receiving module; 6, communication processing module; 7, communication completion module; 10, PCI cipher card; 20, remote management medium.
Detailed description
The principles and features of the present invention are described below with reference to the drawings. The examples serve only to explain the invention and are not intended to limit its scope.
As shown in Fig. 1, the communication method described in Embodiment 1 of the present invention is applied in a PCI cipher card and comprises the following steps:
Step 1: receive an external call instruction, send a communication establishment request to the remote management medium according to the call instruction, and establish communication with the remote management medium;
Step 2: start the secure communication protocol, encapsulate the communication-related information in the command code format preset by the secure communication protocol, and send the encapsulated communication-related information to the remote management medium;
Step 3: receive the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 4: verify the processing result; when the verification passes, the PCI cipher card and the remote management medium end the communication; otherwise, the communication may have been attacked or a data transmission error may have occurred, so the PCI cipher card discards the received processing result, records information such as the administrator ID of the initiator and the time the error occurred so that the problem can be investigated, and ends the communication.
Step 1 also includes: after communication with the remote management medium begins to be established, receiving and saving the public key sent by the remote management medium, the public key corresponding to the private key in the remote management medium.
The public key is the public key of an SM2 key, and the private key is the private key of an SM2 key.
Step 2 specifically includes the following: start the secure communication protocol and generate a session ID and a first random number; encapsulate the communication content, the session ID and the first random number in the command code format preset by the secure communication protocol to obtain the encapsulated communication-related information, and send the encapsulated communication-related information to the remote management medium.
The generated session ID and first random number are stored in the RAM of the PCI cipher card; when the secure communication protocol is started or the communication ends, the RAM of the PCI cipher card is updated, and a newly generated session ID and first random number replace the session ID and first random number stored in the RAM.
Step 3 specifically includes the following: receive the processing result fed back by the remote management medium and determine whether the session ID in the processing result is consistent with the session ID in the RAM; step 4 is performed only if they are consistent. The processing result is encapsulated in the command code format preset by the secure communication protocol.
The verification in step 4 includes using the pre-stored public key to verify the first random number, the second random number and the signature information; the second random number is randomly generated by the remote management medium, and the signature information is produced by the remote management medium signing the second random number and the received first random number with the private key.
As shown in Fig. 2, the communication method described in Embodiment 2 of the present invention is applied in a remote management medium and comprises the following steps:
Step 1: receive the communication request sent by the PCI cipher card;
Step 2: receive the encapsulated communication-related information sent by the PCI cipher card, process the communication-related information to obtain a processing result, and feed the processing result back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 3: the PCI cipher card verifies the processing result; receive the verification result sent by the PCI cipher card; when the verification passes, end the communication with the PCI cipher card; otherwise, the communication may have been attacked or a data transmission error may have occurred, so the remote management medium discards the received processing result, records information such as the administrator ID of the initiator and the time the error occurred so that the problem can be investigated, and ends the communication.
Step 1 also includes generating a corresponding public key and private key pair according to the communication request and sending the public key to the PCI cipher card.
Step 2 specifically includes: receive the encapsulated communication-related information sent by the PCI cipher card and decapsulate it according to the command codes of the secure communication protocol to obtain the session ID, the first random number and the communication content;
Randomly generate a second random number and use the private key to sign the first random number and the second random number, producing the signature information;
Encapsulate the session ID, the second random number and the signature information in the command code format preset by the secure communication protocol, and feed the encapsulated processing result back to the PCI cipher card.
As shown in Fig. 3, the PCI cipher card described in Embodiment 3 of the present invention includes a receiving module 1, an API interface 2, a result receiving module 3 and a verification module 4;
The receiving module 1 receives an external call instruction, sends a communication establishment request to the remote management medium according to the call instruction, and establishes communication with the remote management medium;
The API interface 2 starts the secure communication protocol, encapsulates the communication-related information in the command code format preset by the secure communication protocol, and sends the encapsulated communication-related information to the remote management medium;
The result receiving module 3 receives the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The verification module 4 verifies the processing result; when the verification passes, the PCI cipher card and the remote management medium end the communication.
The receiving module 1 is also used to receive, after communication with the remote management medium begins to be established, the public key sent by the remote management medium, the public key corresponding to the private key in the remote management medium.
The public key is the public key of an SM2 key, and the private key is the private key of an SM2 key.
The API interface 2 is used to start the secure communication protocol and generate a session ID and a first random number; to encapsulate the communication content, the session ID and the first random number in the command code format preset by the secure communication protocol to obtain the encapsulated communication-related information; and to send the encapsulated communication-related information to the remote management medium.
The generated session ID and first random number are stored in the RAM of the PCI cipher card; when the secure communication protocol is started or the communication ends, the RAM of the PCI cipher card is updated.
The result receiving module 3 is used to receive the processing result fed back by the remote management medium and determine whether the session ID in the processing result is consistent with the session ID in the RAM; step 4 is performed only if they are consistent. The processing result is encapsulated in the command code format preset by the secure communication protocol.
The verification module 4 is used to verify the first random number, the second random number and the signature information with the pre-stored public key; the second random number is randomly generated by the remote management medium, and the signature information is produced by the remote management medium signing the second random number and the received first random number with the private key.
As shown in Fig. 4, the remote management medium described in Embodiment 4 of the present invention includes a request receiving module 5, a communication processing module 6 and a communication completion module 7;
The request receiving module 5 receives the communication request sent by the PCI cipher card;
The communication processing module 6 receives the encapsulated communication-related information sent by the PCI cipher card, processes the communication-related information to obtain a processing result, and feeds the processing result back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The communication completion module 7 receives the verification result sent by the PCI cipher card and, when the verification passes, ends the communication with the PCI cipher card.
The request receiving module 5 is also used to generate a corresponding public key and private key pair according to the communication request and send the public key to the PCI cipher card.
The communication processing module 6 is used to receive the encapsulated communication-related information sent by the PCI cipher card and decapsulate it according to the command codes of the secure communication protocol to obtain the session ID, the first random number and the communication content; to randomly generate a second random number and use the private key to sign the first random number and the second random number, producing the signature information; and to encapsulate the session ID, the second random number and the signature information in the command code format preset by the secure communication protocol and feed the encapsulated processing result back to the PCI cipher card.
As shown in Fig. 5, a communication system according to Embodiment 5 of the present invention includes the above PCI cipher card 10 and remote management medium 20;
The PCI cipher card 10 receives an external call instruction and establishes communication with the remote management medium 20 according to the call instruction;
Communication between the PCI cipher card 10 and the remote management medium 20 is carried out in challenge-response mode.
The communication and management process in the concrete example of the present invention (taking administrator role login as an example) includes:
1. In the PCI cipher card software system, the application calls the administrator login function in the interface provided by the software system;
2. The PCI cipher card internally generates a session identity number and a random number R1 and starts the communication protocol;
3. The remote management medium receives the data and parses the data packet according to the communication protocol command format, generates a random number R2, signs R1 and R2 with the private key of the signature key in the management medium, assembles a data packet according to the communication protocol command format and sends it to the PCI cipher card software system;
4. The PCI cipher card software system receives the data and parses the data packet according to the communication protocol command format, judges whether the session identity number is consistent, and maintains the current session;
5. The PCI cipher card verifies the signature result over R1 and R2 in the data packet; if verification passes, the communication protocol handshake has succeeded and the administrator has logged in successfully, and the PCI cipher card sets the login-success flag and resets the internally maintained session identity number;
6. The PCI cipher card software system closes the communication protocol, and the communication ends.
The client operates the PCI cipher card and communicates with the remote management medium by calling the API interface provided by the PCI cipher card. Before the secure communication protocol is started, each remote management medium generates an SM2 key pair to identify its identity, and the public key of the corresponding SM2 key is imported into the PCI cipher card. When the user calls the API interface to start the secure communication protocol, the PCI cipher card generates a session identity number and a 32-byte random number R1. The session identity number and the random number R1 are maintained in the RAM of the PCI cipher card's DSP and are updated only each time the secure protocol is started or the communication ends. Inside the API interface, the communication content is encapsulated according to the communication protocol command format and sent to the remote management medium. The remote management medium checks the communication command code and records the session identity number, generates a 32-byte random number R2, signs R1 and R2 with the private key of the SM2 key pair, encapsulates the session identity number, R2 and the signature result according to the communication protocol command code format, and sends them to the PCI cipher card software system. The PCI cipher card software system first checks whether the session identity number is consistent; this mechanism is used to maintain the current session. After the session identity number check passes, the public key of the SM2 key pair is used to verify R1, R2 and the signature result; if verification passes, the communication is established.
In communication between the PCI cipher card and the remote management medium, only the PCI cipher card can initiate communication. Communication uses challenge-response, and the session identity number combined with mechanisms such as SM2 signatures ensures that both communicating parties can resist replay attacks.
Fig. 6 shows the communication protocol command format in the concrete example of the present invention; data packets in the communication are in units of int. Here: a is the command code of the communication; command codes include handshake, login (administrator role, operator role), logout, backup, recovery, etc. b is the session identity number, a 32-bit random number used to maintain the session of the current communication. c is a 32-byte random number, used to resist replay attacks in the communication. d is the specific operation content of the service. This command code format is open, so that clients can freely choose the management medium.
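The following added example (not code from the patent) walks through the handshake and the a/b/c/d packet format described above, and shows the card rejecting a captured response both when replayed unchanged and when its session identity number is rewritten. The big-endian layout, the command code value, the class and function names, and the toy Schnorr signature used in place of SM2 are all assumptions made for illustration.

```python
import hashlib, secrets, struct

# Toy Schnorr signature standing in for SM2 (assumption; a 127-bit group is NOT secure).
P, G = 2**127 - 1, 3                      # Mersenne prime modulus; exponents work mod P - 1

def _h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % (P - 1)

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)                # (private key, public key)

def sign(x, msg):
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P).to_bytes(16, "big")
    s = (k + x * _h(r, msg)) % (P - 1)
    return r + s.to_bytes(16, "big")

def verify(y, msg, sig):
    if len(sig) != 32:
        return False
    r, s = int.from_bytes(sig[:16], "big"), int.from_bytes(sig[16:], "big")
    return pow(G, s, P) == r * pow(y, _h(sig[:16], msg), P) % P

# Fig. 6 fields: a = command code, b = 32-bit session identity number,
# c = 32-byte random number, d = operation content (variable length).
# Big-endian layout and the command value are assumptions.
HDR = struct.Struct(">II32s")
CMD_ADMIN_LOGIN = 2                       # hypothetical value

def pack(cmd, sid, rnd, body=b""):
    return HDR.pack(cmd, sid, rnd) + body

def unpack(pkt):
    if len(pkt) < HDR.size:
        raise ValueError("packet shorter than the a|b|c header")
    return (*HDR.unpack_from(pkt), pkt[HDR.size:])

class Medium:
    """Remote management medium: holds the private key, answers challenges."""
    def __init__(self):
        self.priv, self.pub = keygen()

    def respond(self, pkt):
        cmd, sid, r1, _content = unpack(pkt)
        r2 = secrets.token_bytes(32)
        # Per the description, the signature covers R1 and R2.
        return pack(cmd, sid, r2, sign(self.priv, r1 + r2))

class Card:
    """PCI cipher card: session identity number and R1 exist only as RAM state."""
    def __init__(self, imported_pub):
        self.pub, self.sid, self.r1, self.admin = imported_pub, None, None, False

    def start(self):
        self.sid, self.r1 = secrets.randbits(32), secrets.token_bytes(32)
        return pack(CMD_ADMIN_LOGIN, self.sid, self.r1)

    def finish(self, pkt):
        try:
            _cmd, sid, r2, sig = unpack(pkt)
        except ValueError:
            return False
        if self.sid is None or sid != self.sid:
            return False                  # not the current session: discard
        ok = verify(self.pub, self.r1 + r2, sig)
        if ok:
            self.admin = True             # login-success flag
        self.sid = self.r1 = None         # communication ends: reset session state
        return ok

def demo():
    medium = Medium()
    card = Card(medium.pub)
    captured = medium.respond(card.start())
    first = card.finish(captured)                     # genuine response
    card.start()                                      # new session, new R1
    replayed = card.finish(captured)                  # stale session identity number
    _cmd, _sid, r2, sig = unpack(captured)
    new_sid = unpack(card.start())[1]
    rewritten = card.finish(pack(CMD_ADMIN_LOGIN, new_sid, r2, sig))  # b matches, R1 does not
    return first, replayed, rewritten                 # (True, False, False)
```

The session identity number check filters out stale packets cheaply, while the fresh R1 inside the signed data is what makes an old signature fail even when field b has been changed to match the new session.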
The communication system of the present invention consists mainly of four parts: the application layer interface, the communication protocol, the PCI cipher card and the remote management medium. The four parts cooperate to complete the service processing. The specific embodiment is as follows:
The client calls the application layer interface to manage and access the PCI cipher card. The first management function is the initialization function, which prepares for establishing the communication protocol, mainly by generating the SM2 signature key pair used to identify the PCI cipher card. The communication protocol requires each remote management medium to generate an SM2 key pair indicating a management identity (three administrators and one operator as standard); the PCI cipher card imports the public keys of the administrators' and the operator's SM2 key pairs, and the private keys of the SM2 key pairs are stored and maintained by the client's management media.
After initialization is complete, normal remote management operations on the PCI cipher card can be carried out. The application layer interface provides a series of interfaces, such as administrator login, operator login, permission logout, backup and recovery, for the client to call in order to manage the PCI cipher card. The application layer interface communicates with the PCI cipher card, encapsulates data packets according to the communication protocol command format, starts the communication protocol and communicates with the remote management medium. The remote management medium is selected and operated by the client; it mainly parses data packets according to the communication protocol command format, processes the response, encapsulates a data packet according to the communication protocol command format and sends it to the application layer interface of the PCI cipher card. The PCI cipher card application layer interface parses the data packet; after operations such as checking the session identity number and verifying the SM2 signature value pass, the PCI cipher card determines that the remote management operation comes from a trusted source and performs the corresponding management function. For the administrator login function, for example, the PCI cipher card is set to the administrator-login-success state; for the backup function, operations such as generating a backup key, splitting the backup key into shares, encrypting the backup key components and encrypting the user keys are performed. After the operation is complete, the PCI cipher card resets the session identity number, and the application layer interface then closes the communication protocol.
The above implementation process has been verified on actual PCI cipher card hardware and succeeded. The novel PCI cipher card software system of the present invention solves the rights management and key management security problems of PCI cipher cards that support virtualization, allows the PCI cipher card to be managed remotely, provides an open development interface, and lets clients flexibly implement management of the PCI cipher card on their own.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent substitution, improvement and the like made within the spirit and principle of the present invention shall fall within the scope of protection of the present invention.
Claims (13)
1. A communication method, applied in a PCI cipher card, characterised in that it comprises the following steps:
Step 1: receive an external call instruction, send a communication establishment request to the remote management medium according to the call instruction, and establish communication with the remote management medium;
Step 2: start the secure communication protocol, encapsulate the communication-related information in the command code format preset by the secure communication protocol, and send the encapsulated communication-related information to the remote management medium;
Step 3: receive the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 4: verify the processing result; when verification passes, the PCI cipher card and the remote management medium end the communication; otherwise, discard the processing result and end the communication.
2. The communication method according to claim 1, characterised in that step 1 further comprises: after communication with the remote management medium begins to be established, receiving and saving the public key sent by the remote management medium, the public key corresponding to the private key in the remote management medium.
3. The communication method according to claim 2, characterised in that the public key is the public key of an SM2 key and the private key is the private key of an SM2 key.
4. The communication method according to any one of claims 1-3, characterised in that step 2 specifically comprises the following:
Start the secure communication protocol and generate a session identity number and a first random number;
Encapsulate the communication content, the session identity number and the first random number in the command code format preset by the secure communication protocol to obtain the encapsulated communication-related information, and send the encapsulated communication-related information to the remote management medium.
5. The communication method according to claim 4, characterised in that the generated session identity number and first random number are saved in the RAM of the PCI cipher card; when the secure communication protocol is started or the communication ends, the RAM of the PCI cipher card is updated, and a regenerated session identity number and first random number replace the session identity number and first random number saved in RAM.
6. The communication method according to claim 5, characterised in that step 3 specifically comprises the following:
Receive the processing result fed back by the remote management medium and judge whether the session identity number in the processing result is consistent with the session identity number in RAM; step 4 is performed only when they are consistent; the processing result is encapsulated in the command code format preset by the secure communication protocol.
7. The communication method according to claim 6, characterised in that the verification in step 4 comprises using the pre-stored public key to verify the first random number, the second random number and the signature information; the second random number is randomly generated by the remote management medium, and the signature information is produced by the remote management medium using the private key to sign the second random number and the received first random number.
8. A communication method, applied in a remote management medium, characterised in that it comprises the following steps:
Step 1: receive the communication request sent by the PCI cipher card;
Step 2: receive the encapsulated communication-related information sent by the PCI cipher card, process the communication-related information to obtain a processing result and feed it back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 3: the PCI cipher card verifies the processing result; receive the verification result sent by the PCI cipher card and, when verification passes, end the communication with the PCI cipher card; otherwise, discard the processing result and end the communication.
9. The communication method according to claim 8, characterised in that step 1 further comprises generating a corresponding public key and private key pair according to the communication request and sending the public key to the PCI cipher card.
10. The communication method according to claim 9, characterised in that step 2 specifically comprises:
Receive the encapsulated communication-related information sent by the PCI cipher card and unpack it according to the command code of the secure communication protocol to obtain the session identity number, the first random number and the communication content;
Randomly generate a second random number and use the private key to sign the first random number and the second random number, producing signature information;
Encapsulate the session identity number, the second random number and the signature information in the command code format preset by the secure communication protocol; obtain the encapsulated processing result and feed it back to the PCI cipher card.
11. A PCI cipher card, corresponding to the communication method according to any one of claims 1-7, characterised in that it comprises: a receiver module, an API interface, a result receiver module and an authentication module;
The receiver module receives an external call instruction, sends a communication establishment request to the remote management medium according to the call instruction, and establishes communication with the remote management medium;
The API interface starts the secure communication protocol, encapsulates the communication-related information in the command code format preset by the secure communication protocol, and sends the encapsulated communication-related information to the remote management medium;
The result receiver module receives the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The authentication module verifies the processing result; when verification passes, the PCI cipher card and the remote management medium end the communication.
12. A remote management medium, corresponding to the communication method according to any one of claims 8-10, characterised in that it comprises: a request receiver module, a communication processing module and a communication completion module;
The request receiver module receives the communication request sent by the PCI cipher card;
The communication processing module receives the encapsulated communication-related information sent by the PCI cipher card, processes the communication-related information to obtain a processing result and feeds it back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The communication completion module receives the verification result sent by the PCI cipher card and, when verification passes, ends the communication with the PCI cipher card.
13. A communication system, characterised in that it comprises the PCI cipher card according to claim 11 and the remote management medium according to claim 12;
The PCI cipher card receives an external call instruction and establishes communication with the remote management medium according to the call instruction.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610412873.2A CN105933118A (en) | 2016-06-13 | 2016-06-13 | Communication method and system, PCI password card and remote management medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105933118A (en) | 2016-09-07 |
Family
ID=56833919
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610412873.2A Pending CN105933118A (en) | 2016-06-13 | 2016-06-13 | Communication method and system, PCI password card and remote management medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105933118A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160907 |