CN111698087A - Miniature cipher machine and information processing method - Google Patents
Miniature cipher machine and information processing method Download PDFInfo
- Publication number
- CN111698087A CN111698087A CN202010545217.6A CN202010545217A CN111698087A CN 111698087 A CN111698087 A CN 111698087A CN 202010545217 A CN202010545217 A CN 202010545217A CN 111698087 A CN111698087 A CN 111698087A
- Authority
- CN
- China
- Prior art keywords
- security chip
- cryptographic
- chip
- slave
- master
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the application provides a miniature cipher machine and an information processing method, wherein the cipher machine comprises: the mainboard and the at least one password submodule are configured to communicate with the mainboard through a USB interface to acquire the service request and return password information obtained by calculation according to the service request data through the USB interface; wherein the at least one cryptographic submodule is located on the motherboard; one of the at least one cipher sub-module comprises a plurality of integrated safety chips, and the plurality of safety chips comprise a master safety chip and at least one slave safety chip. The micro cipher machine provided by the embodiment of the application can meet the requirement of system safety and has absolute advantages in the aspects of price, hardware facility environment and the like.
Description
Technical Field
The application relates to the field of password information processing, in particular to a micro password machine and an information processing method.
Background
With the rapid development of computer networks, the problem of information security is increasingly highlighted, and therefore, server cipherers are used as basic cipher devices in many network security scenarios. The encryption machine is widely applied to scenes such as electronic government affairs, financial payment, certificate service and the like, can provide functions of data encryption and decryption and digital signature verification, and is suitable for various applications such as electronic signatures, electronic documents, CA systems and the like. In the general scenario, the traditional server crypto needs to have higher requirements on performance, so the server crypto generally adopts a hardware server form, and has a larger volume. For some scenes with low performance requirements and few users, the cryptographic machine in the form of a hardware server has great restrictions on factors such as price, machine room environment and the like.
Therefore, how to provide a suitable cipher machine in scenes with small number of users, limited project funds and simple network environment, such as photo studios, immigration institutions, hotels and the like, becomes a technical problem to be solved urgently.
Disclosure of Invention
The embodiment of the application aims to provide a micro cipher machine and an information processing method, and the micro cipher machine provided by the embodiment of the application can meet the requirement of system security and has absolute advantages in the aspects of price, hardware facility environment and the like.
In a first aspect, an embodiment of the present application provides a micro crypto engine, where the crypto engine includes: a main board; the at least one password submodule is configured to communicate with the mainboard through a USB interface to acquire the service request, and to return password information obtained through calculation according to the service request data through the USB interface; the at least one cipher sub-module is located on the mainboard, one sub-module of the at least one cipher sub-module comprises a plurality of integrated safety chips, and the plurality of safety chips comprise a master safety chip and at least one slave safety chip.
The volume of the cipher machine can be reduced by using the codon modules of the USB interfaces, the miniaturization of the cipher equipment is realized, and the operation speed is increased compared with a single chip by adopting a multi-chip cluster strategy.
In some embodiments, the at least one codon module comprises a first codon module and a second codon module; the first password submodule and the second password submodule are backups of each other.
The embodiment of the application adopts a mutual backup mode of the two cipher sub-modules, so that on one hand, the performance of the system is improved, and on the other hand, the problem that the whole product cannot be used due to the failure of one cipher sub-module can be solved.
In some embodiments, the micro cryptographic engine further comprises: and the application programming interface is configured to be connected with an application system to receive service request data and feed back the password information obtained based on the service request data.
The embodiment of the application adopts a multi-chip cluster strategy, and compared with a single chip, the operation speed is improved.
In some embodiments, the codon module comprises: and the command distribution submodule is configured to encapsulate the service request data to obtain command frame data, and select the security chip in an idle state from the at least one slave security chip.
The embodiment of the application ensures that the security chip in the idle state is selected to execute the password calculation, and improves the speed of processing the password service request.
In some embodiments, the micro cryptographic engine includes an embedded operating system, wherein the embedded operating system is located on the motherboard.
The size of the cipher machine can be reduced by adopting the embedded operating system.
In some embodiments, the micro crypto-engine further comprises a noise source chip, wherein the noise source chip is configured to generate and process true random numbers for the cryptographic submodule to perform cryptographic operations and key management.
According to the embodiment of the application, the cipher submodule is combined with the noise source chip, the true random source is finally generated through the internal strategy, and the performance of the equipment is improved.
In a second aspect, an embodiment of the present application further provides an information processing method, which is applied to a micro crypto-machine, where the method includes: determining at least one master security chip and at least one slave security chip from a plurality of cryptographic chips included in the slave codon module, wherein the at least one master security chip is used for storing key information, and the at least one slave security chip is used for executing cryptographic operation; and performing management related to cryptographic processing business on the at least one master security chip and the at least one slave security chip in different stages.
In some embodiments, the managing of the at least one master security chip and the at least one slave security chip at different stages in relation to cryptographic processing traffic comprises: in a card white stage, the at least one master security chip and the at least one slave security chip generate respective internal communication public key and private key pairs, the at least one master security chip stores a public key of the slave security chip, and the at least one slave security chip stores a public key of the master security chip; in an initialization and ready state, the at least one master secure chip and the at least one slave secure chip negotiate to determine a session key.
In some embodiments, the negotiating the determination of the session key by the at least one master secure chip and the at least one slave secure chip includes: the at least one master security chip carries a public key of a first slave security chip in the at least one slave security chip to send encryption information and a signature of the master security chip to the first slave security chip; and the first slave security chip decrypts the encrypted information by adopting a private key, authenticates the signature and stores the encrypted information as the session key after the authentication is passed.
In some embodiments, the method further comprises confirming that the at least one slave secure chip allowed by the authority of the at least one master secure chip processes the service request.
In some embodiments, the method further comprises: when the key is updated, an update command is initiated to the at least one slave secure chip through the at least one master secure chip.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of a micro cipher machine according to an embodiment of the present application;
fig. 2 is a block diagram of the hardware components of the micro crypto-engine provided in the embodiment of the present application;
fig. 3 is a flowchart of an information processing method applied to a micro crypto engine according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
As can be seen from the description of the background art, in the current server cryptographic engine market, the core hardware components of the product are usually a server host and a cryptographic card. The traditional server encryption machine needs to have higher requirements on performance, so the server encryption machine usually adopts a hardware server form and has a larger volume.
In order to solve the above problem, an embodiment of the present application provides a micro crypto engine based on an embedded operating system (for example, an ARM processor), a micro motherboard, and a crypto sub module, for a scenario where the number of users is small. An ARM processor is embedded in a mainboard of the micro cipher machine to provide system scheduling and platform support, the mainboard is communicated with a codon module through an internal USB interface, the codon module exists as a module for replacing a cipher card, a plurality of cipher chips are carried through a USB Hub to carry out cipher operation, in addition, a cipher submodule generates and processes a true random number through a noise source chip to be used for cipher operation and key management, and interface service of the cipher machine is provided on the basis of the hardware platform.
Referring to fig. 1, fig. 1 provides a micro cryptographic engine 10, where the micro cryptographic engine 10 includes an embedded operating system 200, a management service module and a cryptographic main service module located inside the embedded operating system 200. The miniature cryptographic engine 10 further comprises hardware 100 inside the cryptographic engine, wherein the hardware 100 inside the cryptographic engine comprises at least a codon module 101 for performing cryptographic operations.
The embedded operating system 200 may include an ARM processor, and the embodiment of the present application does not limit the specific type of the embedded operating system 200.
The composition of the hardware 100 inside the miniature cryptographic engine 10 is further illustrated in connection with fig. 1 and 2.
The hardware structure 100 of the miniature cryptographic machine 10 provided by the embodiment of the present application includes a main board 190, an application programming interface 30 and a codon module 101.
An application programming interface 30 configured to interface with an application system to receive service request data and feed back cryptographic information derived based on the service request data. At least one code module 101 configured to communicate with the motherboard 190 via a USB interface (not shown) to obtain the service request, and send back the cryptographic information calculated according to the service request data to the application programming interface 30 via the USB interface (not shown). The application programming interface 30 and the at least one cryptographic submodule 101 are located on the motherboard 190, one of the at least one cryptographic submodule includes a plurality of integrated security chips, and the plurality of security chips includes a master security chip and at least one slave security chip. The size of the cipher machine can be reduced through the USB serial port, and miniaturization of cipher equipment is achieved.
In order to further improve the performance of the micro-cipher machine, as shown in fig. 2, at least one of the cipher sub-modules 101 of the embodiment of the present application may include a first cipher sub-module 140 and a second cipher sub-module 150; the first submodule 140 and the second submodule 150 are backup for each other. The embodiment of the application adopts a mode that two codon modules are mutually backed up, so that on one hand, the performance of the system is improved, and on the other hand, the problem that one codon module cannot be used by the whole product is also ensured.
In order to further improve the performance of a cryptographic submodule and further improve the performance of a micro cipher machine, at least one of the first cryptographic submodule 140 or the second cryptographic submodule 150 in fig. 2 in the embodiment of the present application includes a plurality of integrated security chips, wherein the plurality of security chips include a master security chip and at least one slave security chip. For example, the first submodule 140 includes 8 security chips, wherein the 8 security chips further include a master security chip and 7 slave security chips. The embodiment of the application adopts a multi-chip cluster strategy, and compared with a single chip, the operation speed is improved.
In order to respond to the cryptographic service proposed by the user as soon as possible when there are multiple security chips, the cryptographic submodule of the embodiment of the present application may further include a command distribution submodule (not shown in the figure) configured to encapsulate the service request data to obtain command frame data, and select a security chip in an idle state from the at least one slave security chip.
In order to generate a true random source through the content of the micro crypto engine, the micro information crypto engine of the embodiment of the present application further includes a noise source chip 160, wherein the noise source chip 160 is configured to generate and process a true random number for the cryptographic submodule to perform cryptographic operation and key management.
The micro cryptographic engine and the working process thereof according to the embodiment of the present application are further described below with reference to a specific example.
As shown in fig. 2, the components of the cryptographic hardware platform of the embodiment of the present application include: a processor 110, a memory 170 (i.e., memory), a RAM180, a motherboard 190, RTC (real time clock) circuitry 120, and a housing 130. The shell material of the miniature cipher machine provided by the embodiment of the application is an opaque hard metal shell, so that the internal components can be prevented from being snooped; the screw hole is sealed by adopting a fragile paste, and traces can be remained during disassembly.
The internal portion of the microserver cryptographic engine 10 provided by the embodiment of the present application adopts an embedded motherboard to provide a service hardware platform, and a cryptographic chip (i.e. a cryptographic submodule) and a noise source chip are integrated on the motherboard to perform cryptographic operation. The micro-crypto engine 10 implements various cryptographic service functions by calling the application programming interface 30 of the codon module 101, and the application programming interface 30 is provided to the user 20 in a target module manner, and operates in a user mode of the operating system. For example, the application programming interface 30 of the cryptographic submodule 101 encapsulates the command frame data based on the service request data of the application system and selects the secure chip in the idle state (for example, the secure chip may be selected), and transmits the command frame data to the command distribution submodule (not shown in the figure) inside the chip through the USB bus interface. After receiving the command frame data, the command management submodule (not shown in the figure) parses the command frame data to obtain the requested service function and parameter, calls an interface function of the corresponding service module to execute the service operation, takes the output value of the function as the result of the service operation, transmits the result to the main control module to package the result to obtain response data, returns the response data to the application programming interface 30 through the USB bus interface, and finally formats and processes the response data through the application programming interface 30 and returns the response data to the application system.
It should be noted that the cryptographic submodule 101 includes at least two cryptographic submodules for mutual backup. The number of the security chips included in the cryptographic submodule is not limited in the embodiment of the present application, for example, 8 security chips (for example, eight security chips may include one master security chip and 7 slave security chips) may be set inside each cryptographic submodule for performing cryptographic operation, and the codon module 101 communicates with the embedded motherboard 190 through the USB. The communication protocol between the cryptographic submodule 101 at the bottom layer of the embodiment of the present application and the embedded operating system is based on the USB protocol. The command distribution submodule (not shown in the figure) of the embodiment of the application is responsible for communication scheduling, and the command management submodule (not shown in the figure) is used for calling the security chips (for example, eight security chips included in the codon module) to perform corresponding service cryptographic operation after analyzing data, assembling the obtained service cryptographic operation data to obtain response data, and sending the response data to the upper application system (namely, the password main service and the management service of fig. 1) through the USB as response data. That is, the cryptographic service calls the cryptographic submodule application programming interface to implement various cryptographic service requests. For example, the cryptographic main service may provide cryptographic operation service based on a TCP/IP protocol, the communication data packet adopts a private data format, and is configured to send a request and request data to the cryptographic main service through the API component, the cryptographic main service parses the cryptographic operation request, distributes and schedules the cryptographic operation instruction to the cryptographic submodule to perform cryptographic operation (for example, generate a random number, asymmetric encryption/decryption, signature verification, symmetric encryption, and the like), and encapsulates the result after the operation into response data to return to the API component, so that the user completes the cryptographic service call. The password management service is used for providing system management, key management, log management functions and administrator management functions, only an authorized administrator can access the management functions after authentication through the usbkey certificate, wherein the key management is particularly important and is used for generating, destroying, updating, backing up and recovering the symmetric key and the asymmetric key pair, and therefore life cycle management of all keys is completed.
As shown in fig. 3, an embodiment of the present application further provides an information processing method applied to the micro crypto-machine 10, where the method includes: s101, determining at least one master security chip and at least one slave security chip from a plurality of password chips included in a slave codon module, wherein the at least one master security chip is used for storing key information, and the at least one slave security chip is used for executing password operation; s102, the at least one master security chip and the at least one slave security chip in different stages are managed related to the cryptographic processing service.
In some embodiments, the managing of the at least one master security chip and the at least one slave security chip at different stages in relation to cryptographic processing traffic comprises: in a card white stage, the at least one master security chip and the at least one slave security chip generate respective internal communication public key and private key pairs, the at least one master security chip stores a public key of the slave security chip, and the at least one slave security chip stores a public key of the master security chip; in an initialization and ready state, the at least one master secure chip and the at least one slave secure chip negotiate to determine a session key. For example, the negotiating and determining the session key between the at least one master secure chip and the at least one slave secure chip includes: the at least one master security chip carries a public key of a first slave security chip in the at least one slave security chip to send encryption information and a signature of the master security chip to the first slave security chip; and the first slave security chip decrypts the encrypted information by adopting a private key, authenticates the signature and stores the encrypted information as the session key after the authentication is passed. For example, it is confirmed that the at least one slave security chip allowed by the authority of the at least one master security chip processes the service request. For example, the method further comprises: when the key is updated, an update command is initiated to the at least one slave secure chip through the at least one master secure chip.
The above information processing method is explained below with reference to a specific example (i.e., a cryptographic submodule having one master security chip and 7 slave security chips).
The main security chip is responsible for key management and application work such as key storage, key agreement, authority control, session key generation and the like. And the slave security chip is responsible for business work of the password service. The internal software of the master and slave secure chips is identical but performs different functions as described above.
In the white card stage before hardware leaves factory, a master security chip and a slave security chip respectively generate respective internal communication public and private key pairs (ICKs) internally, then a public key of the slave security chip is stored in the master security chip, and a public key of the master security chip is also stored in the slave security chip.
In an initial state and a ready state, from power-on start, at intervals, under the control of the MCU, the master security chip initiatively initiates negotiation of a session key link protection key (ICSK) to the slave security chip, sends encryption information of the session key link protection key (ICSK) key by holding a public key of the slave security chip, and attaches a signature of the master security chip to the ICSK. When the slave security chip receives the information, the private key of the slave security chip is used for decrypting the ICSK, the signature of the master security chip is authenticated, and the key ICSK is stored in the internal RAM after the authentication is passed for subsequent line protection.
When the service processing information is sent to the slave security chip, if the permission of the master security chip is not passed, the slave security chip does not perform service processing. At the moment, the MCU inquires whether the security authority of the master security chip is met, and if the security authority is met, the master security chip sends asymmetric key pair data to the slave security chip. The key-dependent transaction can be performed upon receipt of the keys from the security chip.
When the administrator changes the key, the MCU will again initiate a key update command to the slave security chip through the master security chip, and then the slave security chip will synchronize the data of the asymmetric key pair or delete the asymmetric key pair, and at this time, the previous key cannot be applied to the related service processing.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Claims (11)
1. A miniature cryptographic engine, said cryptographic engine comprising:
a main board, a plurality of first and second connection terminals,
the at least one password submodule is configured to communicate with the mainboard through a USB interface to acquire the service request, and to return password information obtained through calculation according to the service request data through the USB interface;
wherein the at least one cryptographic submodule is located on the motherboard; one of the at least one cipher sub-module comprises a plurality of integrated safety chips, and the plurality of safety chips comprise a master safety chip and at least one slave safety chip.
2. The miniature cryptographic engine of claim 1, wherein said at least one cryptographic submodule comprises a first cryptographic submodule and a second cryptographic submodule; the first password submodule and the second password submodule are backups of each other.
3. The miniature cryptographic engine of claim 2, wherein said miniature cryptographic engine further comprises: and the application programming interface is configured to be connected with an application system to receive service request data and feed back the password information obtained based on the service request data.
4. A miniature cryptographic engine as in claim 3 wherein said cryptographic submodule comprises:
and the command distribution submodule is configured to encapsulate the service request data to obtain command frame data, and select the security chip in an idle state from the at least one slave security chip.
5. A miniature cryptographic machine according to claim 1, wherein said miniature cryptographic machine comprises an embedded operating system, wherein said embedded operating system is located on said motherboard.
6. The micro cryptographic engine of claim 1, further comprising a noise source chip, wherein the noise source chip is configured to generate and process true random numbers for cryptographic operations and key management by the cryptographic submodule.
7. An information processing method applied to a micro cipher machine is characterized by comprising the following steps:
determining at least one master security chip and at least one slave security chip from a plurality of cryptographic chips included in the slave codon module, wherein the at least one master security chip is used for storing key information, and the at least one slave security chip is used for executing cryptographic operation;
and performing management related to cryptographic processing business on the at least one master security chip and the at least one slave security chip in different stages.
8. The information processing method of claim 7, wherein the managing of the at least one master security chip and the at least one slave security chip at different stages in relation to cryptographic processing traffic comprises:
in a card white stage, the at least one master security chip and the at least one slave security chip generate respective internal communication public key and private key pairs, the at least one master security chip stores a public key of the slave security chip, and the at least one slave security chip stores a public key of the master security chip;
in an initialization and ready state, the at least one master secure chip and the at least one slave secure chip negotiate to determine a session key.
9. The information processing method of claim 8, wherein the at least one master secure chip and the at least one slave secure chip negotiating to determine a session key comprises:
the at least one master security chip carries a public key of a first slave security chip in the at least one slave security chip to send encryption information and a signature of the master security chip to the first slave security chip;
and the first slave security chip decrypts the encrypted information by adopting a private key, authenticates the signature and stores the encrypted information as the session key after the authentication is passed.
10. The information processing method of claim 8, further comprising confirming that the at least one slave security chip allowed by the authority of the at least one master security chip processes the service request.
11. The information processing method of claim 8, wherein the method further comprises: when the key is updated, an update command is initiated to the at least one slave secure chip through the at least one master secure chip.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010545217.6A CN111698087B (en) | 2020-06-15 | 2020-06-15 | Micro cipher machine and information processing method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010545217.6A CN111698087B (en) | 2020-06-15 | 2020-06-15 | Micro cipher machine and information processing method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111698087A true CN111698087A (en) | 2020-09-22 |
CN111698087B CN111698087B (en) | 2023-09-08 |
Family
ID=72481343
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010545217.6A Active CN111698087B (en) | 2020-06-15 | 2020-06-15 | Micro cipher machine and information processing method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111698087B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116155491A (en) * | 2023-02-02 | 2023-05-23 | 广州万协通信息技术有限公司 | Symmetric key synchronization method of security chip and security chip device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030021417A1 (en) * | 2000-10-20 | 2003-01-30 | Ognjen Vasic | Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data |
CN103414564A (en) * | 2013-08-07 | 2013-11-27 | 成都卫士通信息产业股份有限公司 | Secrete key card, secrete key device and method for protecting private key |
CN105099711A (en) * | 2015-08-28 | 2015-11-25 | 北京三未信安科技发展有限公司 | ZYNQ-based small-sized cipher machine and data encryption method |
CN206258875U (en) * | 2016-12-16 | 2017-06-16 | 北京江南博仁科技有限公司 | A kind of encryption equipment |
CN106874792A (en) * | 2016-12-28 | 2017-06-20 | 北京握奇智能科技有限公司 | A kind of electric endorsement method and electronic signature terminal |
CN110324358A (en) * | 2019-07-31 | 2019-10-11 | 北京中安国通科技有限公司 | Video data manages authentication method, module, equipment and platform |
-
2020
- 2020-06-15 CN CN202010545217.6A patent/CN111698087B/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030021417A1 (en) * | 2000-10-20 | 2003-01-30 | Ognjen Vasic | Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data |
CN103414564A (en) * | 2013-08-07 | 2013-11-27 | 成都卫士通信息产业股份有限公司 | Secrete key card, secrete key device and method for protecting private key |
CN105099711A (en) * | 2015-08-28 | 2015-11-25 | 北京三未信安科技发展有限公司 | ZYNQ-based small-sized cipher machine and data encryption method |
CN206258875U (en) * | 2016-12-16 | 2017-06-16 | 北京江南博仁科技有限公司 | A kind of encryption equipment |
CN106874792A (en) * | 2016-12-28 | 2017-06-20 | 北京握奇智能科技有限公司 | A kind of electric endorsement method and electronic signature terminal |
CN110324358A (en) * | 2019-07-31 | 2019-10-11 | 北京中安国通科技有限公司 | Video data manages authentication method, module, equipment and platform |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116155491A (en) * | 2023-02-02 | 2023-05-23 | 广州万协通信息技术有限公司 | Symmetric key synchronization method of security chip and security chip device |
CN116155491B (en) * | 2023-02-02 | 2024-03-08 | 广州万协通信息技术有限公司 | Symmetric key synchronization method of security chip and security chip device |
Also Published As
Publication number | Publication date |
---|---|
CN111698087B (en) | 2023-09-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11223477B2 (en) | Data sharing method, client, server, computing device, and storage medium | |
EP3484125B1 (en) | Method and device for scheduling interface of hybrid cloud | |
US8639940B2 (en) | Methods and systems for assigning roles on a token | |
EP2095288B1 (en) | Method for the secure storing of program state data in an electronic device | |
WO2019237570A1 (en) | Electronic contract signing method, device and server | |
JP4668619B2 (en) | Device key | |
CN111164594A (en) | System and method for mapping decentralized identity to real entity | |
CN111654367B (en) | Method for cryptographic operation and creation of working key, cryptographic service platform and device | |
US10623186B1 (en) | Authenticated encryption with multiple contexts | |
CN102469080A (en) | Method for pass user to realize safety login application client and system thereof | |
JP2008276756A (en) | Web services intermediary | |
CN112187466B (en) | Identity management method, device, equipment and storage medium | |
CN111476573B (en) | Account data processing method, device, equipment and storage medium | |
US20200081998A1 (en) | Performing bilateral negotiations on a blockchain | |
CN111131416A (en) | Business service providing method and device, storage medium and electronic device | |
CN111127021B (en) | Service request method and device based on block chain | |
CN113872932B (en) | SGX-based micro-service interface authentication method, system, terminal and storage medium | |
US20200082391A1 (en) | Performing bilateral negotiations on a blockchain | |
KR20240009957A (en) | Systems and methods for secure Internet communications | |
CN111698087B (en) | Micro cipher machine and information processing method | |
WO2021035295A1 (en) | "secure environment for cryptographic key generation" | |
Bakker | Mutual authentication with smart cards | |
CN113348452A (en) | Method and system for digital rights management | |
CN111404901A (en) | Information verification method and device | |
WO2024088145A1 (en) | Data processing method and apparatus, and program product, computer device and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |