CN105933118A - Communication method and system, PCI password card and remote management medium - Google Patents

Publication number: CN105933118A
Application number: CN201610412873.2A
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 桑洪波
Original and current assignee: Beijing Sansec Technology Development Co Ltd
Legal status: Pending

Classifications

    • H04L9/3013 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Abstract

The invention relates to a communication method and system, a PCI password card and a remote management medium. The communication method is applied in the PCI password card and comprises the following steps: step 1, receiving an external call instruction, sending a communication establishment request to the remote management medium according to the call instruction, and establishing communication with the remote management medium; step 2, starting a secure communication protocol, packaging communication-related information according to a command format preset by the secure communication protocol, and sending the packaged communication-related information to the remote management medium; step 3, receiving the processing result fed back by the remote management medium, the processing result being packaged in the command format preset by the secure communication protocol; step 4, verifying the processing result, the PCI password card and the remote management medium finishing the communication when the verification succeeds. The invention solves the permission-control and key-management security problems of PCI password cards that support virtualization, and both communicating parties can defend against replay attacks.

Description

Communication method and system, PCI cipher card and remote management medium
Technical field
The present invention relates to a communication method, a communication system, a PCI cipher card and a remote management medium, and belongs to the field of information security.
Background
Domestic commercial encryption products have been developed and applied for more than ten years. Domestic commercial cryptographic technology has developed considerably, and the application of integrated circuits to cryptography has also made considerable progress. The emergence and development of domestic cryptographic chips provide the foundation and guarantee for implementing commercial cryptography in hardware, and effectively improve the processing capability and security of encryption devices.
For commercial symmetric ciphers, China has issued commercial cryptographic algorithms such as SSF33, SM1 and SM4 together with the corresponding algorithm processing chips, and these are already widely used. Public-key algorithms are still supported by RSA-2048 alone, but with the rapid development of computer technology, more and more people have begun to worry about the security of the RSA-2048 algorithm.
In 1985 it was proposed to replace the discrete logarithm over a finite field with the discrete logarithm on an elliptic curve, which gave the elliptic curve cryptosystem. The elliptic curve cryptosystem (ECC) is based on the difficulty of computing discrete logarithms on an elliptic curve over a finite field; it has higher security strength than RSA-2048, and elliptic curve implementations are much faster than the RSA-2048 algorithm. In the United States, the ECC-based ECDSA signature algorithm became an ANSI standard as early as 1999. Chips supporting the domestic ECC standard, the SM2 elliptic curve, appeared in 2008; products such as KEYs, PCI cipher cards and cipher machines began to appear in 2009; and at the same time the State Cryptography Administration organized the relevant member organizations to build a CA pilot system. This shows that the conditions for applying ECC domestically are mature, and deployment has begun in some closed systems.
PKI is now the foundation of cryptographic applications; many industries and fields cannot do without the support and guarantee of PKI, and current PKI systems are transitioning from the RSA-2048 algorithm to the SM2 public-key algorithm. As the lowest-level hardware cryptographic module, the PCI cipher card bears the brunt of this change.
Permission control on current PCI cipher cards is mostly a system based on symmetric algorithms, in which a smart IC card or USB key is connected to the PCI cipher card hardware. This application model increasingly fails to meet customers' needs. For example, the server room in which the PCI cipher card is installed is far from the workstation, and having to go there to plug in an IC card or USB key every time the PCI cipher card is managed is very inconvenient. PCI cipher cards that support virtualization will also appear in the future, and the user of a PCI cipher card may be in another location. As technology continues to change, this permission-control model, based on a symmetric-algorithm management mechanism and hardware attached to the PCI cipher card, will therefore be eliminated.
Summary of the invention
The technical problem to be solved by the present invention is to provide a communication method and system, a PCI cipher card and a remote management medium in which a secure communication protocol is designed with the SM2 cryptographic algorithm as the basic algorithm for permission control.
The technical solution of the present invention is as follows: a communication method, applied in a PCI cipher card, comprising the following steps:
Step 1: receive an external call instruction, send a communication establishment request to the remote management medium according to the call instruction, and establish communication with the remote management medium;
Step 2: start the secure communication protocol, encapsulate the communication-related information in the command code format preset by the secure communication protocol, and send the encapsulated communication-related information to the remote management medium;
Step 3: receive the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 4: verify the processing result; when the verification passes, the PCI cipher card and the remote management medium end the communication; otherwise, discard the processing result and end the communication.
The beneficial effects of the invention are: the invention can solve the security problems of permission control and key management for PCI cipher cards that support virtualization; the session ID combined with the signature mechanism ensures that both communicating parties can resist replay attacks; and it also solves the problem that an external management medium has to be plugged in when the PCI cipher card is managed, since the remote management medium allows the PCI cipher card to be managed remotely.
On the basis of the above technical solution, the present invention can also be improved as follows.
Further, step 1 also includes: after communication with the remote management medium begins to be established, receiving and storing the public key sent by the remote management medium, the public key corresponding to the private key in the remote management medium.
The benefit of this further solution is that the PCI cipher card and the remote management medium identify each other using the corresponding public key and private key, which prevents communication connection errors and ensures that the communication is directed correctly.
Further, the public key is the public key of an SM2 key, and the private key is the private key of an SM2 key.
The benefit of this further solution is that SM2 is the elliptic curve public-key cryptographic algorithm issued by the State Cryptography Administration on December 17, 2010, and using the SM2 cryptographic algorithm works better than other existing cryptographic algorithms.
Further, step 2 specifically includes the following:
Start the secure communication protocol and generate a session ID and a first random number;
Encapsulate the communication content, the session ID and the first random number in the command code format preset by the secure communication protocol to obtain the encapsulated communication-related information, and send the encapsulated communication-related information to the remote management medium.
The benefit of this further solution is that the session ID enables both communicating parties to resist replay attacks, and encapsulation with command codes prevents the communication content from being intercepted by other illegal means: even if it is intercepted, the content cannot be obtained without the corresponding command code.
Further, the generated session ID and first random number are stored in the RAM of the PCI cipher card; when the secure communication protocol is started or the communication ends, the RAM of the PCI cipher card is updated: a new session ID and first random number are generated and replace the session ID and first random number stored in RAM.
The benefit of this further solution is that the session ID and the first random number are stored in the RAM of the PCI cipher card, and the RAM is updated when the secure communication protocol is started or the communication ends, which ensures that the session ID and the first random number stay constant within one communication, maintains the uniqueness of the communication, and avoids crossed or erroneous exchanges.
Further, step 3 specifically includes the following:
Receive the processing result fed back by the remote management medium and judge whether the session ID in the processing result is consistent with the session ID in RAM; step 4 is performed only when they are consistent. The processing result is encapsulated in the command code format preset by the secure communication protocol.
The benefit of this further solution is that the session ID is used to judge whether the messages belong to the same communication process; if they are inconsistent, the communication does not proceed.
Further, the verification in step 4 includes verifying the first random number, the second random number and the signature information using the pre-stored public key; the second random number is randomly generated by the remote management medium, and the signature information is produced by the remote management medium signing the second random number and the received first random number with the private key.
The technical solution of the present invention is as follows: a communication method, applied in a remote management medium, comprising the following steps:
Step 1: receive the communication request sent by the PCI cipher card;
Step 2: receive the encapsulated communication-related information sent by the PCI cipher card, process the communication-related information to obtain a processing result and feed it back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 3: the PCI cipher card verifies the processing result; receive the verification result sent by the PCI cipher card; when the verification passes, end the communication with the PCI cipher card; otherwise, discard the processing result and end the communication.
The beneficial effects of the invention are: the invention can solve the security problems of permission control and key management for PCI cipher cards that support virtualization; the session ID combined with the signature mechanism ensures that both communicating parties can resist replay attacks; and it also solves the problem that an external management medium has to be plugged in when the PCI cipher card is managed, since the remote management medium allows the PCI cipher card to be managed remotely.
On the basis of the above technical solution, the present invention can also be improved as follows.
Further, step 1 also includes generating a corresponding pair of public key and private key according to the communication request and sending the public key to the PCI cipher card.
The benefit of this further solution is that the PCI cipher card and the remote management medium identify each other using the corresponding public key and private key, which prevents communication connection errors and ensures that the communication is directed correctly.
Further, step 2 specifically includes:
Receive the encapsulated communication-related information sent by the PCI cipher card and decapsulate it according to the command code of the secure communication protocol to obtain the session ID, the first random number and the communication content;
Randomly generate a second random number and sign the first random number and the second random number with the private key to produce the signature information;
Encapsulate the session ID, the second random number and the signature information in the command code format preset by the secure communication protocol to obtain the encapsulated processing result, and feed it back to the PCI cipher card.
The benefit of this further solution is that the command code and the session ID provide double verification, which ensures the correctness of the information, and that the session ID, the second random number and the signature information are encapsulated and fed back to the PCI cipher card, which ensures the correspondence of the communication.
The technical solution of the present invention is as follows: a PCI cipher card, comprising a receiving module, an API interface, a result receiving module and a verification module;
The receiving module receives an external call instruction, sends a communication establishment request to the remote management medium according to the call instruction, and establishes communication with the remote management medium;
The API interface starts the secure communication protocol, encapsulates the communication-related information in the command code format preset by the secure communication protocol, and sends the encapsulated communication-related information to the remote management medium;
The result receiving module receives the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The verification module verifies the processing result; when the verification passes, the PCI cipher card and the remote management medium end the communication.
The technical solution of the present invention is as follows: a remote management medium, comprising a request receiving module, a communication processing module and a communication completion module;
The request receiving module receives the communication request sent by the PCI cipher card;
The communication processing module receives the encapsulated communication-related information sent by the PCI cipher card, processes the communication-related information to obtain a processing result and feeds it back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The communication completion module receives the verification result sent by the PCI cipher card and, when the verification passes, ends the communication with the PCI cipher card.
The technical solution of the present invention is as follows: a communication system, comprising the above PCI cipher card and remote management medium;
The PCI cipher card receives an external call instruction and establishes communication with the remote management medium according to the call instruction.
The beneficial effects of the invention are: the invention provides a new management mechanism with an open interface, so customers can flexibly choose the carrier used for permission control, unlike the existing model in which only the medium supplied by the vendor can be used. For example, hardware and software devices such as a USB KEY or a soft certificate can act as permission-control roles (e.g. administrator, operator); the carrier only needs to provide cryptographic functions such as random number generation, SM2 and SM3, and be able to store keys securely.
Brief description of the drawings
Fig. 1 is a flow chart of the communication method according to embodiment 1 of the present invention;
Fig. 2 is a flow chart of the communication method according to embodiment 2 of the present invention;
Fig. 3 is a structural diagram of the PCI cipher card according to embodiment 3 of the present invention;
Fig. 4 is a structural diagram of the remote management medium according to embodiment 4 of the present invention;
Fig. 5 is a structural diagram of the communication system according to embodiment 5 of the present invention;
Fig. 6 is a diagram of the communication protocol command format in a concrete example of the present invention.
In the drawings, the parts represented by each reference numeral are as follows:
1, receiving module; 2, API interface; 3, result receiving module; 4, verification module; 5, request receiving module; 6, communication processing module; 7, communication completion module; 10, PCI cipher card; 20, remote management medium.
Detailed description
The principles and features of the present invention are described below with reference to the drawings; the examples serve only to explain the invention and are not intended to limit its scope.
As shown in Fig. 1, the communication method according to embodiment 1 of the present invention is applied in a PCI cipher card and comprises the following steps:
Step 1: receive an external call instruction, send a communication establishment request to the remote management medium according to the call instruction, and establish communication with the remote management medium;
Step 2: start the secure communication protocol, encapsulate the communication-related information in the command code format preset by the secure communication protocol, and send the encapsulated communication-related information to the remote management medium;
Step 3: receive the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 4: verify the processing result; when the verification passes, the PCI cipher card and the remote management medium end the communication; otherwise, this indicates that the communication may have been attacked or that a data transmission error occurred, and the PCI cipher card discards the received processing result, records information such as the administrator ID of the initiator and the time at which the error occurred so that the problem can be investigated, and ends the communication.
Step 1 also includes: after communication with the remote management medium begins to be established, receiving and storing the public key sent by the remote management medium, the public key corresponding to the private key in the remote management medium.
The public key is the public key of an SM2 key, and the private key is the private key of an SM2 key.
Step 2 specifically includes the following: start the secure communication protocol and generate a session ID and a first random number; encapsulate the communication content, the session ID and the first random number in the command code format preset by the secure communication protocol to obtain the encapsulated communication-related information, and send the encapsulated communication-related information to the remote management medium.
The generated session ID and first random number are stored in the RAM of the PCI cipher card; when the secure communication protocol is started or the communication ends, the RAM of the PCI cipher card is updated: a new session ID and first random number are generated and replace the session ID and first random number stored in RAM.
Step 3 specifically includes the following: receive the processing result fed back by the remote management medium and judge whether the session ID in the processing result is consistent with the session ID in RAM; step 4 is performed only when they are consistent. The processing result is encapsulated in the command code format preset by the secure communication protocol.
The verification in step 4 includes verifying the first random number, the second random number and the signature information using the pre-stored public key; the second random number is randomly generated by the remote management medium, and the signature information is produced by the remote management medium signing the second random number and the received first random number with the private key.
As shown in Fig. 2, the communication method according to embodiment 2 of the present invention is applied in a remote management medium and comprises the following steps:
Step 1: receive the communication request sent by the PCI cipher card;
Step 2: receive the encapsulated communication-related information sent by the PCI cipher card, process the communication-related information to obtain a processing result and feed it back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 3: the PCI cipher card verifies the processing result; receive the verification result sent by the PCI cipher card; when the verification passes, end the communication with the PCI cipher card; otherwise, this indicates that the communication may have been attacked or that a data transmission error occurred, and the remote management medium discards the received processing result, records information such as the administrator ID of the initiator and the time at which the error occurred so that the problem can be investigated, and ends the communication.
Step 1 also includes generating a corresponding pair of public key and private key according to the communication request and sending the public key to the PCI cipher card.
Step 2 specifically includes: receive the encapsulated communication-related information sent by the PCI cipher card and decapsulate it according to the command code of the secure communication protocol to obtain the session ID, the first random number and the communication content;
Randomly generate a second random number and sign the first random number and the second random number with the private key to produce the signature information;
Encapsulate the session ID, the second random number and the signature information in the command code format preset by the secure communication protocol to obtain the encapsulated processing result, and feed it back to the PCI cipher card.
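Added example (not part of the patent text): a Python sketch of the exchange described in embodiments 1 and 2, showing the PCI cipher card accepting a fresh response and rejecting a replayed one, first by session ID and then by signature. The command codes, frame layout, class names and function names are assumptions, since the page does not give the command code format; the signature uses the SM2 signing equations on the SM2 recommended curve, with SHA-256 standing in for SM3 and the SM2 identity hash omitted.

```python
import hashlib, secrets, struct

# SM2 recommended curve: prime P, coefficient A = P - 3, group order N, base point G.
P = 2**256 - 2**224 - 2**96 + 2**64 - 1
A = P - 3
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add, not constant time (illustration only)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def digest(msg):  # assumption: SHA-256 stands in for SM3; identity hash ZA omitted
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(d, msg):
    """SM2 signing equations: r = e + x1 mod N, s = (1 + d)^-1 (k - r*d) mod N."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = (digest(msg) + mul(k, G)[0]) % N
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if r and s and r + k != N:
            return r, s

def verify(pub, msg, r, s):
    t = (r + s) % N
    if not (0 < r < N and 0 < s < N and t):
        return False
    pt = add(mul(s, G), mul(t, pub))
    return pt is not None and (digest(msg) + pt[0]) % N == r

CMD_REQ, CMD_RSP = 0x01, 0x02   # hypothetical command codes
REQ_FMT = ">B16s32s"            # command | session ID | first random number
RSP_FMT = ">B16s32s32s32s"      # command | session ID | second random number | r | s

class RemoteMedium:
    """Remote management medium: holds the private key and signs both random numbers."""
    def __init__(self):
        self.d = secrets.randbelow(N - 2) + 1
        self.pub = mul(self.d, G)   # handed to the card when communication is set up
    def process(self, frame):
        cmd, sid, n1 = struct.unpack_from(REQ_FMT, frame)
        if cmd != CMD_REQ:
            raise ValueError("unexpected command code")
        n2 = secrets.token_bytes(32)
        r, s = sign(self.d, n1 + n2)
        return struct.pack(RSP_FMT, CMD_RSP, sid, n2,
                           r.to_bytes(32, "big"), s.to_bytes(32, "big"))

class CipherCard:
    """PCI cipher card: session ID and first random number live in RAM for one exchange."""
    def __init__(self, medium_pub):
        self.pub, self.sid, self.n1 = medium_pub, None, None
    def start(self, content=b""):
        self.sid, self.n1 = secrets.token_bytes(16), secrets.token_bytes(32)
        return struct.pack(REQ_FMT, CMD_REQ, self.sid, self.n1) + content
    def finish(self, frame):
        sid, n1, self.sid, self.n1 = self.sid, self.n1, None, None   # single-use state
        if sid is None or len(frame) != struct.calcsize(RSP_FMT):
            return "malformed"
        cmd, rsid, n2, r, s = struct.unpack(RSP_FMT, frame)
        if cmd != CMD_RSP or rsid != sid:
            return "session mismatch"   # step 3: discard before any signature check
        r, s = int.from_bytes(r, "big"), int.from_bytes(s, "big")
        return "ok" if verify(self.pub, n1 + n2, r, s) else "bad signature"

def demo():
    medium = RemoteMedium()
    card = CipherCard(medium.pub)
    old = medium.process(card.start(b"constructed management request"))
    results = [card.finish(old)]                # fresh exchange
    card.start()
    results.append(card.finish(old))            # old response replayed verbatim
    req = card.start()
    spliced = old[:1] + req[1:17] + old[17:]    # old response carrying the current session ID
    results.append(card.finish(spliced))
    return results

if __name__ == "__main__":
    print(demo())
```

Because the signature covers only the two random numbers, the spliced replay passes the session ID check and is stopped by the signature check against the card's current first random number.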
As shown in Fig. 3, the PCI cipher card according to embodiment 3 of the present invention comprises a receiving module 1, an API interface 2, a result receiving module 3 and a verification module 4;
The receiving module 1 receives an external call instruction, sends a communication establishment request to the remote management medium according to the call instruction, and establishes communication with the remote management medium;
The API interface 2 starts the secure communication protocol, encapsulates the communication-related information in the command code format preset by the secure communication protocol, and sends the encapsulated communication-related information to the remote management medium;
The result receiving module 3 receives the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The verification module 4 verifies the processing result; when the verification passes, the PCI cipher card and the remote management medium end the communication.
The receiving module 1 is also used to receive, after communication with the remote management medium begins to be established, the public key sent by the remote management medium, the public key corresponding to the private key in the remote management medium.
The public key is the public key of an SM2 key, and the private key is the private key of an SM2 key.
The API interface 2 is used to start the secure communication protocol and generate a session ID and a first random number; to encapsulate the communication content, the session ID and the first random number in the command code format preset by the secure communication protocol to obtain the encapsulated communication-related information; and to send the encapsulated communication-related information to the remote management medium.
The generated session ID and first random number are stored in the RAM of the PCI cipher card; when the secure communication protocol is started or the communication ends, the RAM of the PCI cipher card is updated.
The result receiving module 3 is used to receive the processing result fed back by the remote management medium and judge whether the session ID in the processing result is consistent with the session ID in RAM; step 4 is performed only when they are consistent. The processing result is encapsulated in the command code format preset by the secure communication protocol.
The verification module 4 is used to verify the first random number, the second random number and the signature information using the pre-stored public key; the second random number is randomly generated by the remote management medium, and the signature information is produced by the remote management medium signing the second random number and the received first random number with the private key.
As shown in Figure 4, a remote management medium according to Embodiment 4 of the present invention includes: a request receiving module 5, a communication processing module 6 and a communication completion module 7;
The request receiving module 5 receives the communication request sent by the PCI cipher card;
The communication processing module 6 receives the encapsulated communication-related information sent by the PCI cipher card, processes the communication-related information to obtain a processing result, and feeds it back to the PCI cipher card; the processing result is encapsulated in the command code format preset by the secure communication protocol;
The communication completion module 7 receives the verification result sent by the PCI cipher card and, when verification passes, ends the communication with the PCI cipher card.
The request receiving module 5 is further configured to generate a corresponding public key and private key pair according to the communication request and to send the public key to the PCI cipher card.
The communication processing module 6 is configured to receive the encapsulated communication-related information sent by the PCI cipher card and unpack it according to the command code of the secure communication protocol, obtaining the session identity number, the first random number and the communication content; to randomly generate a second random number and use the private key to sign the first random number and the second random number, producing the signature information; to encapsulate the session identity number, the second random number and the signature information in the command code format preset by the secure communication protocol; and to feed the encapsulated processing result back to the PCI cipher card.
As shown in Figure 5, a communication system according to Embodiment 5 of the present invention includes the above PCI cipher card 10 and remote management medium 20;
The PCI cipher card 10 receives an external call instruction and establishes communication with the remote management medium 20 according to the call instruction;
Communication between the PCI cipher card 10 and the remote management medium 20 is carried out in challenge-response mode.
The communication and management process in a concrete example of the present invention (taking administrator-role login as the example) includes:
1. In the PCI cipher card software system, the application calls the administrator login function in the interface provided by the software system;
2. The PCI cipher card internally generates a session identity number and a random number R1 and starts the communication protocol;
3. The remote management medium receives the data and parses the packet according to the communication protocol command format, generates a random number R2, signs R1 and R2 with the private key of the signature key in the management medium, organizes a packet according to the communication protocol command format, and sends it to the PCI cipher card software system;
4. The PCI cipher card software system receives the data, parses the packet according to the communication protocol command format, and judges whether the session identity number is consistent, thereby maintaining the current session;
5. The PCI cipher card verifies the signature over R1 and R2 in the packet; if verification passes, the communication protocol handshake has succeeded and the administrator has logged in successfully, and the PCI cipher card sets the login-success flag and resets the internally maintained session identity number;
6. The PCI cipher card software system closes the communication protocol, and communication ends.
The customer operates the PCI cipher card and communicates with the remote management medium by calling the API interface provided by the PCI cipher card. Before the secure communication protocol is started, each remote management medium generates an SM2 key pair that identifies it, and the public key of that SM2 key pair is imported into the PCI cipher card. When the user calls the API interface to start the secure communication protocol, the PCI cipher card generates a session identity number and a 32-byte random number R1. The session identity number and R1 are maintained in the RAM of the PCI cipher card's DSP and are updated only when the secure protocol is started or when communication ends. Inside the API interface, the communication content is encapsulated according to the communication protocol command format and sent to the remote management medium. The remote management medium checks the communication command code, records the session identity number, generates a 32-byte random number R2, and signs R1 and R2 with the private key of its SM2 key pair; it then encapsulates the session identity number, R2 and the signature result in the communication protocol command code format and sends them to the PCI cipher card software system. The PCI cipher card software system first checks whether the session identity number is consistent; this mechanism is what maintains the current session. Once the session identity number check passes, the public key of the SM2 key pair is used to verify R1, R2 and the signature result; if verification passes, communication is established.
In communication between the PCI cipher card and the remote management medium, only the PCI cipher card can initiate communication. Communication uses challenge-response, and the session identity number combined with mechanisms such as the SM2 signature ensures that both parties can resist replay attacks.
Fig. 6 shows the communication protocol command format in the concrete example of the present invention; packets in the communication are in units of int. In the format: a is the command code of the communication; command codes include handshake, login (administrator role, operator role), logout, backup, recovery and so on. b is the session identity number, a 32-bit random number used to maintain the session of the current communication. c is a 32-byte random number used to resist replay attacks in the communication. d is the specific operation content of the business. To make it easy for customers to freely choose a management medium, this command code format is open.
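The card-side checks described above (session identity number match, then signature over R1 and R2, then reset) can be sketched as follows. This is an added example, not code from the patent or its applicant: the byte order, the command code value, the R1||R2 signing order and all names are assumptions, and because SM2 is not in the Python standard library, HMAC-SHA256 with a demo key stands in for the SM2 sign/verify pair (a symmetric stand-in that does not give the public/private key separation of the real scheme).

```python
import hashlib
import hmac
import secrets
import struct

# Fields a, b, c of the command format: command code (int), 32-bit session
# identity number, 32-byte random number. Field d follows as raw bytes.
# Big-endian layout is an assumption; the page does not give a byte order.
HDR = struct.Struct(">II32s")
CMD_ADMIN_LOGIN = 0x02  # hypothetical command code value


def pack(cmd, sid, rnd, body=b""):
    return HDR.pack(cmd, sid, rnd) + body


def unpack(frame):
    if len(frame) < HDR.size:
        raise ValueError("frame shorter than the a/b/c header")
    cmd, sid, rnd = HDR.unpack_from(frame)
    return cmd, sid, rnd, frame[HDR.size:]


class Card:
    """PCI cipher card side: the only party that may start an exchange."""

    def __init__(self, verify):
        self.verify = verify          # stand-in for SM2 verify with the imported public key
        self.sid = self.r1 = None     # values the page keeps in card RAM
        self.logged_in = False

    def start(self, cmd=CMD_ADMIN_LOGIN):
        self.sid = secrets.randbits(32)     # fresh session identity number
        self.r1 = secrets.token_bytes(32)   # fresh 32-byte challenge R1
        return pack(cmd, self.sid, self.r1)

    def finish(self, frame):
        sid, r1 = self.sid, self.r1
        self.sid = self.r1 = None     # RAM values are renewed when communication ends
        if sid is None:
            return False              # no exchange is open
        try:
            _, got_sid, r2, sig = unpack(frame)
        except ValueError:
            return False
        if got_sid != sid:
            return False              # not the current session: discard
        if not self.verify(r1 + r2, sig):   # R1||R2 order is an assumption
            return False
        self.logged_in = True
        return True


class Medium:
    """Remote management medium side: answers a challenge, never initiates."""

    def __init__(self, sign):
        self.sign = sign              # stand-in for SM2 sign with the medium's private key

    def respond(self, frame):
        cmd, sid, r1, _ = unpack(frame)
        r2 = secrets.token_bytes(32)
        return pack(cmd, sid, r2, self.sign(r1 + r2))


def make_pair():
    key = secrets.token_bytes(32)     # demo key for the HMAC stand-in
    sign = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    verify = lambda m, s: hmac.compare_digest(sign(m), s)
    return Card(verify), Medium(sign)


def demo():
    card, medium = make_pair()
    resp = medium.respond(card.start())
    first = card.finish(resp)         # genuine response to the open session
    replay_closed = card.finish(resp) # same bytes again, session already reset
    card.start()                      # new session: new session ID and new R1
    replay_new = card.finish(resp)    # captured response replayed into it
    return first, replay_closed, replay_new
```

A captured response fails on replay for two independent reasons: the session identity number in RAM has been renewed, and even on a session identity number collision the signature covers the old R1.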
The communication system of the present invention consists mainly of four parts: the application-layer interface, the communication protocol, the PCI cipher card and the remote management medium. The four parts cooperate to complete the business processing. The specific implementation is as follows:
The customer calls the application-layer interface to manage and access the PCI cipher card. The first management function is the initialization function, which prepares for establishing the communication protocol and mainly generates the SM2 signature key pair used to identify the PCI cipher card. The communication protocol requires each remote management medium to generate one SM2 key pair indicating a management identity (the standard configuration is three administrators and one operator). The PCI cipher card imports the public keys of the administrators' and the operator's SM2 key pairs, while the private keys of the SM2 key pairs are kept and maintained by the customer's management media.
After initialization is complete, normal remote management operations on the PCI cipher card can be carried out. The application-layer interface provides a series of interfaces, such as administrator login, operator login, permission logout, backup and recovery, for the customer to call in order to manage the PCI cipher card. The application-layer interface communicates with the PCI cipher card, encapsulates packets according to the communication protocol command format, starts the communication protocol, and communicates with the remote management medium. The remote management medium is chosen and operated by the customer; it mainly parses packets according to the communication protocol command format, processes the response, encapsulates packets according to the communication protocol command format, and sends them to the application-layer interface of the PCI cipher card. The application-layer interface of the PCI cipher card parses the packet; once operations such as checking the session identity number and verifying the SM2 signature value have passed, the PCI cipher card determines that the remote management operation is trusted and performs the corresponding management function. For the administrator login function, for example, the PCI cipher card is set to the administrator-logged-in state; for the backup function, it generates a backup key, splits the backup key into shares, encrypts the backup key components, encrypts the user keys, and so on. After the operation is complete, the PCI cipher card resets the session identity number and the application-layer interface closes the communication protocol.
The above implementation process has been verified successfully on actual PCI cipher card hardware. The novel PCI cipher card software system of the present invention solves the security problems of rights management and key management when the PCI cipher card supports virtualization; the PCI cipher card can be managed remotely, and the open development interface lets customers flexibly implement management of the PCI cipher card on their own.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.

Claims (13)

1. A communication method, applied in a PCI cipher card, characterized by comprising the following steps:
Step 1: receive an external call instruction, send a communication establishment request to the remote management medium according to the call instruction, and establish communication with the remote management medium;
Step 2: start the secure communication protocol, encapsulate the communication-related information in the command code format preset by the secure communication protocol, and send the encapsulated communication-related information to the remote management medium;
Step 3: receive the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 4: verify the processing result; when verification passes, the PCI cipher card and the remote management medium end the communication; otherwise, discard the processing result and end the communication.
2. The communication method according to claim 1, characterized in that step 1 further comprises: after communication with the remote management medium begins to be established, receiving and saving the public key sent by the remote management medium, the public key corresponding to the private key in the remote management medium.
3. The communication method according to claim 2, characterized in that the public key is the public key of an SM2 key and the private key is the private key of the SM2 key.
4. The communication method according to any one of claims 1-3, characterized in that step 2 specifically comprises the following:
Start the secure communication protocol and generate a session identity number and a first random number;
Encapsulate the communication content, the session identity number and the first random number in the command code format preset by the secure communication protocol to obtain the encapsulated communication-related information, and send the encapsulated communication-related information to the remote management medium.
5. The communication method according to claim 4, characterized in that the generated session identity number and first random number are stored in the RAM of the PCI cipher card; when the secure communication protocol is started or communication ends, the RAM of the PCI cipher card is updated: a session identity number and a first random number are regenerated and replace the session identity number and first random number stored in the RAM.
6. The communication method according to claim 5, characterized in that step 3 specifically comprises the following:
Receive the processing result fed back by the remote management medium and judge whether the session identity number in the processing result is consistent with the session identity number in the RAM; step 4 is performed only if they are consistent; the processing result is encapsulated in the command code format preset by the secure communication protocol.
7. The communication method according to claim 6, characterized in that the verification in step 4 comprises using the pre-stored public key to verify the first random number, the second random number and the signature information; the second random number is randomly generated by the remote management medium, and the signature information is produced by the remote management medium using the private key to sign the second random number and the received first random number.
8. A communication method, applied in a remote management medium, characterized by comprising the following steps:
Step 1: receive the communication request sent by the PCI cipher card;
Step 2: receive the encapsulated communication-related information sent by the PCI cipher card, process the communication-related information to obtain a processing result, and feed it back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
Step 3: the PCI cipher card verifies the processing result; receive the verification result sent by the PCI cipher card and, when verification passes, end the communication with the PCI cipher card; otherwise, discard the processing result and end the communication.
9. The communication method according to claim 8, characterized in that step 1 further comprises generating a corresponding public key and private key pair according to the communication request and sending the public key to the PCI cipher card.
10. The communication method according to claim 9, characterized in that step 2 specifically comprises:
Receive the encapsulated communication-related information sent by the PCI cipher card and unpack it according to the command code of the secure communication protocol, obtaining the session identity number, the first random number and the communication content;
Randomly generate a second random number and use the private key to sign the first random number and the second random number, producing the signature information;
Encapsulate the session identity number, the second random number and the signature information in the command code format preset by the secure communication protocol, and feed the encapsulated processing result back to the PCI cipher card.
11. A PCI cipher card, corresponding to the communication method according to any one of claims 1-7, characterized by comprising: a receiving module, an API interface, a result receiving module and an authentication module;
The receiving module receives an external call instruction, sends a communication establishment request to the remote management medium according to the call instruction, and establishes communication with the remote management medium;
The API interface starts the secure communication protocol, encapsulates the communication-related information in the command code format preset by the secure communication protocol, and sends the encapsulated communication-related information to the remote management medium;
The result receiving module receives the processing result fed back by the remote management medium, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The authentication module verifies the processing result; when verification passes, the PCI cipher card and the remote management medium end the communication.
12. A remote management medium, corresponding to the communication method according to any one of claims 8-10, characterized by comprising: a request receiving module, a communication processing module and a communication completion module;
The request receiving module receives the communication request sent by the PCI cipher card;
The communication processing module receives the encapsulated communication-related information sent by the PCI cipher card, processes the communication-related information to obtain a processing result, and feeds it back to the PCI cipher card, the processing result being encapsulated in the command code format preset by the secure communication protocol;
The communication completion module receives the verification result sent by the PCI cipher card and, when verification passes, ends the communication with the PCI cipher card.
13. A communication system, characterized by comprising the PCI cipher card according to claim 11 and the remote management medium according to claim 12;
The PCI cipher card receives an external call instruction and establishes communication with the remote management medium according to the call instruction.
CN201610412873.2A 2016-06-13 2016-06-13 Communication method and system, PCI password card and remote management medium Pending CN105933118A (en)


Publications (1)

Publication Number Publication Date
CN105933118A true CN105933118A (en) 2016-09-07

Family

ID=56833919


Country Status (1)

Country Link
CN (1) CN105933118A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160907
