CN111698087A - Miniature cipher machine and information processing method - Google Patents

Publication number: CN111698087A
Authority: CN (China)
Prior art keywords: security chip, cryptographic, chip, slave, master
Legal status: Granted
Application number: CN202010545217.6A
Other languages: Chinese (zh)
Other versions: CN111698087B (en)
Inventors: 赵松, 陈澍, 王银平, 李向锋
Current Assignee: BEIJING CERTIFICATE AUTHORITY
Original Assignee: BEIJING CERTIFICATE AUTHORITY
Application filed by: BEIJING CERTIFICATE AUTHORITY
Priority to: CN202010545217.6A (CN111698087B)
Publications: CN111698087A (application), CN111698087B (granted)
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the application provide a miniature cipher machine and an information processing method. The cipher machine comprises a mainboard and at least one cryptographic submodule, which is configured to communicate with the mainboard through a USB interface to acquire a service request and to return, through the USB interface, the cryptographic information computed from the service request data. The at least one cryptographic submodule is located on the mainboard; one of the at least one cryptographic submodule comprises a plurality of integrated security chips, and the plurality of security chips comprise a master security chip and at least one slave security chip. The micro cipher machine provided by the embodiments of the application can meet system security requirements and has absolute advantages in aspects such as price and hardware facility environment.

Description

Miniature cipher machine and information processing method
Technical Field
The application relates to the field of cryptographic information processing, and in particular to a micro cipher machine and an information processing method.
Background
With the rapid development of computer networks, the problem of information security is increasingly prominent, and server cipher machines are therefore used as basic cryptographic devices in many network security scenarios. The cipher machine is widely applied in scenarios such as e-government, financial payment and certificate services; it provides data encryption and decryption and digital signature generation and verification, and is suitable for applications such as electronic signatures, electronic documents and CA systems. In the general scenario, a traditional server cipher machine has to meet high performance requirements, so it generally takes the form of a hardware server and has a large volume. For scenarios with low performance requirements and few users, a cipher machine in the form of a hardware server is heavily constrained by factors such as price and machine room environment.
Therefore, how to provide a suitable cipher machine in scenes with small number of users, limited project funds and simple network environment, such as photo studios, immigration institutions, hotels and the like, becomes a technical problem to be solved urgently.
Disclosure of Invention
The embodiment of the application aims to provide a micro cipher machine and an information processing method, and the micro cipher machine provided by the embodiment of the application can meet the requirement of system security and has absolute advantages in the aspects of price, hardware facility environment and the like.
In a first aspect, an embodiment of the present application provides a micro cipher machine comprising: a mainboard; and at least one cryptographic submodule configured to communicate with the mainboard through a USB interface to acquire a service request, and to return through the USB interface the cryptographic information computed from the service request data. The at least one cryptographic submodule is located on the mainboard, one of the at least one cryptographic submodule comprises a plurality of integrated security chips, and the plurality of security chips comprise a master security chip and at least one slave security chip.
Using cryptographic submodules attached through USB interfaces reduces the volume of the cipher machine and miniaturizes the cryptographic device, and the multi-chip cluster strategy increases the operation speed compared with a single chip.
In some embodiments, the at least one cryptographic submodule comprises a first cryptographic submodule and a second cryptographic submodule; the first cryptographic submodule and the second cryptographic submodule are backups of each other.
The embodiment of the application adopts a mutual backup mode of the two cipher sub-modules, so that on one hand, the performance of the system is improved, and on the other hand, the problem that the whole product cannot be used due to the failure of one cipher sub-module can be solved.
In some embodiments, the micro cipher machine further comprises an application programming interface configured to connect to an application system to receive service request data and to feed back the cryptographic information obtained from the service request data.
The embodiment of the application adopts a multi-chip cluster strategy, and compared with a single chip, the operation speed is improved.
In some embodiments, the cryptographic submodule comprises a command distribution submodule configured to encapsulate the service request data into command frame data and to select a security chip in an idle state from the at least one slave security chip.
The embodiment of the application ensures that the security chip in the idle state is selected to execute the password calculation, and improves the speed of processing the password service request.
In some embodiments, the micro cryptographic engine includes an embedded operating system, wherein the embedded operating system is located on the motherboard.
The size of the cipher machine can be reduced by adopting the embedded operating system.
In some embodiments, the micro crypto-engine further comprises a noise source chip, wherein the noise source chip is configured to generate and process true random numbers for the cryptographic submodule to perform cryptographic operations and key management.
According to the embodiment of the application, the cipher submodule is combined with the noise source chip, the true random source is finally generated through the internal strategy, and the performance of the equipment is improved.
In a second aspect, an embodiment of the present application further provides an information processing method applied to a micro cipher machine, the method including: determining at least one master security chip and at least one slave security chip from a plurality of cryptographic chips included in the cryptographic submodule, wherein the at least one master security chip is used for storing key information and the at least one slave security chip is used for executing cryptographic operations; and performing management related to the cryptographic processing service on the at least one master security chip and the at least one slave security chip in different stages.
In some embodiments, performing management related to the cryptographic processing service on the at least one master security chip and the at least one slave security chip in different stages comprises: in a white card stage, the at least one master security chip and the at least one slave security chip each generate their own internal communication public and private key pair, the at least one master security chip stores the public key of the slave security chip, and the at least one slave security chip stores the public key of the master security chip; in an initialization and ready state, the at least one master security chip and the at least one slave security chip negotiate to determine a session key.
In some embodiments, the negotiation of the session key between the at least one master security chip and the at least one slave security chip includes: the at least one master security chip uses the public key of a first slave security chip among the at least one slave security chip to send encrypted information, together with a signature of the master security chip, to the first slave security chip; and the first slave security chip decrypts the encrypted information with its private key, authenticates the signature, and after the authentication passes stores the decrypted information as the session key.
In some embodiments, the method further comprises confirming that the at least one slave security chip is permitted by the at least one master security chip before it processes the service request.
In some embodiments, the method further comprises: when the key is updated, an update command is initiated to the at least one slave secure chip through the at least one master secure chip.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of a micro cipher machine according to an embodiment of the present application;
Fig. 2 is a block diagram of the hardware components of the micro crypto-engine provided in the embodiment of the present application;
Fig. 3 is a flowchart of an information processing method applied to a micro crypto engine according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
As can be seen from the description of the background art, in the current server cryptographic engine market, the core hardware components of the product are usually a server host and a cryptographic card. The traditional server encryption machine needs to have higher requirements on performance, so the server encryption machine usually adopts a hardware server form and has a larger volume.
To solve the above problem, an embodiment of the present application provides, for scenarios with a small number of users, a micro cipher machine based on an embedded operating system (for example, an ARM processor), a micro mainboard, and a cryptographic submodule. An ARM processor embedded in the mainboard of the micro cipher machine provides system scheduling and platform support. The mainboard communicates with the cryptographic submodule through an internal USB interface; the cryptographic submodule replaces the cryptographic card and carries a plurality of cryptographic chips through a USB hub to perform cryptographic operations. In addition, the cryptographic submodule generates and processes true random numbers through a noise source chip for cryptographic operations and key management. The interface service of the cipher machine is provided on the basis of this hardware platform.
Referring to Fig. 1, Fig. 1 shows a micro cryptographic engine 10, which includes an embedded operating system 200 and, inside the embedded operating system 200, a management service module and a cryptographic main service module. The micro cryptographic engine 10 further comprises internal hardware 100, which comprises at least a cryptographic submodule 101 for performing cryptographic operations.
Micro-cryptographic engine 10 of fig. 1 communicates with user 20 via application programming interface 30, for example, a TCP/IP based communication protocol may be used when user 20 invokes micro-cryptographic engine 10 via application programming interface 30.
The embedded operating system 200 may include an ARM processor, and the embodiment of the present application does not limit the specific type of the embedded operating system 200.
The composition of the hardware 100 inside the miniature cryptographic engine 10 is further illustrated in connection with fig. 1 and 2.
The hardware structure 100 of the micro cryptographic engine 10 provided by the embodiment of the present application includes a mainboard 190, an application programming interface 30 and a cryptographic submodule 101.
The application programming interface 30 is configured to interface with an application system to receive service request data and to feed back the cryptographic information derived from the service request data. The at least one cryptographic submodule 101 is configured to communicate with the mainboard 190 via a USB interface (not shown) to obtain the service request, and to send the cryptographic information calculated from the service request data back to the application programming interface 30 via the USB interface (not shown). The application programming interface 30 and the at least one cryptographic submodule 101 are located on the mainboard 190, one of the at least one cryptographic submodule includes a plurality of integrated security chips, and the plurality of security chips includes a master security chip and at least one slave security chip. Using the USB serial port reduces the size of the cipher machine and miniaturizes the cryptographic device.
In order to further improve the performance of the micro cipher machine, as shown in Fig. 2, the at least one cryptographic submodule 101 of the embodiment of the present application may include a first cryptographic submodule 140 and a second cryptographic submodule 150; the first cryptographic submodule 140 and the second cryptographic submodule 150 are backups of each other. Having the two cryptographic submodules back each other up improves the performance of the system and also solves the problem that the whole product cannot be used when one cryptographic submodule fails.
In order to further improve the performance of a cryptographic submodule and further improve the performance of a micro cipher machine, at least one of the first cryptographic submodule 140 or the second cryptographic submodule 150 in fig. 2 in the embodiment of the present application includes a plurality of integrated security chips, wherein the plurality of security chips include a master security chip and at least one slave security chip. For example, the first submodule 140 includes 8 security chips, wherein the 8 security chips further include a master security chip and 7 slave security chips. The embodiment of the application adopts a multi-chip cluster strategy, and compared with a single chip, the operation speed is improved.
In order to respond to the cryptographic service proposed by the user as soon as possible when there are multiple security chips, the cryptographic submodule of the embodiment of the present application may further include a command distribution submodule (not shown in the figure) configured to encapsulate the service request data to obtain command frame data, and select a security chip in an idle state from the at least one slave security chip.
In order to generate a true random source inside the micro cipher machine, the micro cipher machine of the embodiment of the present application further includes a noise source chip 160, wherein the noise source chip 160 is configured to generate and process true random numbers for the cryptographic submodule to perform cryptographic operations and key management.
The micro cryptographic engine and the working process thereof according to the embodiment of the present application are further described below with reference to a specific example.
As shown in Fig. 2, the components of the cryptographic hardware platform of the embodiment of the present application include: a processor 110, a memory 170 (i.e., memory), a RAM 180, a mainboard 190, RTC (real time clock) circuitry 120, and a housing 130. The housing of the micro cipher machine provided by the embodiment of the application is an opaque hard metal shell, which prevents the internal components from being observed; the screw holes are sealed with fragile seals, so that disassembly leaves traces.
Internally, the micro cryptographic engine 10 provided by the embodiment of the present application uses an embedded mainboard as the service hardware platform, and the cryptographic chips (i.e. the cryptographic submodule) and a noise source chip are integrated on the mainboard to perform cryptographic operations. The micro cryptographic engine 10 implements its cryptographic service functions by calling the application programming interface 30 of the cryptographic submodule 101; the application programming interface 30 is provided to the user 20 as a target module and runs in the user mode of the operating system. For example, the application programming interface 30 of the cryptographic submodule 101 encapsulates command frame data based on the service request data of the application system, selects a security chip in the idle state, and transmits the command frame data to the command distribution submodule (not shown in the figure) inside the chip through the USB bus interface. After receiving the command frame data, the command management submodule (not shown in the figure) parses it to obtain the requested service function and parameters, calls the interface function of the corresponding service module to execute the service operation, and takes the output value of the function as the result of the service operation. The result is passed to the main control module, which packages it into response data and returns it to the application programming interface 30 through the USB bus interface; the application programming interface 30 finally formats the response data and returns it to the application system.
It should be noted that the cryptographic submodule 101 includes at least two cryptographic submodules that back each other up. The number of security chips in a cryptographic submodule is not limited in the embodiment of the present application; for example, 8 security chips (for example, one master security chip and 7 slave security chips) may be set inside each cryptographic submodule for performing cryptographic operations, and the cryptographic submodule 101 communicates with the embedded mainboard 190 through USB. The communication protocol between the underlying cryptographic submodule 101 and the embedded operating system is based on the USB protocol. The command distribution submodule (not shown in the figure) is responsible for communication scheduling. The command management submodule (not shown in the figure) parses the data, calls the security chips (for example, the eight security chips included in the cryptographic submodule) to perform the corresponding cryptographic service operation, assembles the results into response data, and sends the response data through USB to the upper application system (namely, the cryptographic main service and the management service of Fig. 1). That is, the cryptographic service calls the application programming interface of the cryptographic submodule to fulfil the various cryptographic service requests.
For example, the cryptographic main service may provide cryptographic operation services over TCP/IP, with communication data packets in a private data format. A request and its data are sent to the cryptographic main service through the API component; the cryptographic main service parses the cryptographic operation request, distributes and schedules the cryptographic operation instruction to the cryptographic submodule to perform the cryptographic operation (for example, random number generation, asymmetric encryption/decryption, signature generation and verification, symmetric encryption, and the like), and encapsulates the result into response data returned to the API component, which completes the user's cryptographic service call. The cryptographic management service provides system management, key management, log management and administrator management functions; only an authorized administrator can access the management functions, after authentication with a USB key certificate. Key management is particularly important: it covers generating, destroying, updating, backing up and recovering symmetric keys and asymmetric key pairs, and thereby completes the life cycle management of all keys.
As shown in Fig. 3, an embodiment of the present application further provides an information processing method applied to the micro cryptographic engine 10, where the method includes: S101, determining at least one master security chip and at least one slave security chip from a plurality of cryptographic chips included in a cryptographic submodule, wherein the at least one master security chip is used for storing key information and the at least one slave security chip is used for executing cryptographic operations; S102, performing management related to the cryptographic processing service on the at least one master security chip and the at least one slave security chip in different stages.
In some embodiments, performing management related to the cryptographic processing service on the at least one master security chip and the at least one slave security chip in different stages comprises: in a white card stage, the at least one master security chip and the at least one slave security chip each generate their own internal communication public and private key pair, the at least one master security chip stores the public key of the slave security chip, and the at least one slave security chip stores the public key of the master security chip; in an initialization and ready state, the at least one master security chip and the at least one slave security chip negotiate to determine a session key. For example, the negotiation of the session key between the at least one master security chip and the at least one slave security chip includes: the at least one master security chip uses the public key of a first slave security chip among the at least one slave security chip to send encrypted information, together with a signature of the master security chip, to the first slave security chip; and the first slave security chip decrypts the encrypted information with its private key, authenticates the signature, and after the authentication passes stores the decrypted information as the session key. For example, it is confirmed that the at least one slave security chip is permitted by the at least one master security chip before it processes the service request. For example, the method further comprises: when the key is updated, an update command is initiated to the at least one slave security chip through the at least one master security chip.
The above information processing method is explained below with reference to a specific example (i.e., a cryptographic submodule having one master security chip and 7 slave security chips).
The master security chip is responsible for key management and related application work such as key storage, key agreement, authority control and session key generation. The slave security chips are responsible for the business work of the cryptographic service. The internal software of the master and slave security chips is identical, but they perform the different functions described above.
In the white card stage before hardware leaves factory, a master security chip and a slave security chip respectively generate respective internal communication public and private key pairs (ICKs) internally, then a public key of the slave security chip is stored in the master security chip, and a public key of the master security chip is also stored in the slave security chip.
In the initial state and the ready state, starting from power-on and at intervals thereafter, the master security chip, under the control of the MCU, actively initiates negotiation of a session key link protection key (ICSK) with the slave security chip: it sends the ICSK encrypted with the public key of the slave security chip and attaches the master security chip's signature to the ICSK. When the slave security chip receives this information, it decrypts the ICSK with its own private key and authenticates the signature of the master security chip; after the authentication passes, it stores the ICSK in internal RAM for subsequent line protection.
When service processing information is sent to a slave security chip, the slave security chip does not perform service processing unless the master security chip has granted permission. The MCU then queries whether the security authority of the master security chip is satisfied; if it is, the master security chip sends the asymmetric key pair data to the slave security chip. Upon receipt of the keys, the slave security chip can perform key-dependent service processing.
When the administrator changes the key, the MCU will again initiate a key update command to the slave security chip through the master security chip, and then the slave security chip will synchronize the data of the asymmetric key pair or delete the asymmetric key pair, and at this time, the previous key cannot be applied to the related service processing.
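The white card pairing and ICSK negotiation steps described above, as an added example that is not code from the patent: toy textbook RSA over fixed Mersenne primes stands in for the chips' asymmetric algorithm, which the text does not name. The class names, the 16-byte ICSK length, the message fields `enc` and `sig`, and signing the plaintext ICSK are assumptions.

```python
"""White card pairing and ICSK negotiation between a master and a slave chip.

Toy textbook RSA (no padding, fixed primes) stands in for the chips' real
asymmetric algorithm; it shows the message flow and is not a secure construction.
"""
import hashlib
import secrets

E = 65537       # public exponent used by every toy key pair
ICSK_LEN = 16   # assumed ICSK size in bytes; the text gives none


def make_keypair(p, q):
    """Return (private, public) for the toy scheme: private=(n, d), public=n."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, d), n


def digest_int(data, n):
    """SHA-256 of data reduced modulo n (toy signature encoding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify(pub_n, data, sig):
    return pow(sig, E, pub_n) == digest_int(data, pub_n)


class MasterChip:
    def __init__(self, p, q):
        self._priv, self.pub = make_keypair(p, q)  # ICK pair generated on-chip
        self.slave_pubs = {}                       # filled at the white card stage
        self.icsk = {}                             # one link key per slave

    def negotiate(self, slave_id):
        """Create a fresh ICSK, encrypt it to the slave and sign it."""
        icsk = secrets.token_bytes(ICSK_LEN)
        self.icsk[slave_id] = icsk
        enc = pow(int.from_bytes(icsk, "big"), E, self.slave_pubs[slave_id])
        return {"enc": enc, "sig": sign(self._priv, icsk)}


class SlaveChip:
    def __init__(self, chip_id, p, q):
        self.chip_id = chip_id
        self._priv, self.pub = make_keypair(p, q)
        self.master_pub = None   # filled at the white card stage
        self.icsk = None         # held in RAM only

    def accept_icsk(self, msg):
        """Decrypt, then verify the master's signature; store only on success."""
        if self.master_pub is None:
            return False                      # never paired: nothing to verify against
        n, d = self._priv
        m = pow(msg["enc"], d, n)
        if m >= 1 << (8 * ICSK_LEN):
            return False                      # not a well-formed ICSK
        candidate = m.to_bytes(ICSK_LEN, "big")
        if not verify(self.master_pub, candidate, msg["sig"]):
            return False                      # wrong signer or modified message
        self.icsk = candidate
        return True


def white_card_pairing(master, slave):
    """Factory step: each side stores the other's ICK public key."""
    master.slave_pubs[slave.chip_id] = slave.pub
    slave.master_pub = master.pub


def demo():
    """Constructed scenario: one paired master, one slave, one unpaired signer."""
    master = MasterChip(2**127 - 1, 2**89 - 1)
    slave = SlaveChip("slave-1", 2**107 - 1, 2**61 - 1)
    other = MasterChip(2**521 - 1, 2**607 - 1)   # chip never paired with the slave
    white_card_pairing(master, slave)
    other.slave_pubs["slave-1"] = slave.pub      # a public key is not secret

    results = {}
    results["unpaired_signer"] = slave.accept_icsk(other.negotiate("slave-1"))
    msg = master.negotiate("slave-1")
    results["modified"] = slave.accept_icsk({"enc": msg["enc"] ^ 1, "sig": msg["sig"]})
    results["icsk_after_rejects"] = slave.icsk
    results["genuine"] = slave.accept_icsk(msg)
    results["keys_match"] = slave.icsk == master.icsk["slave-1"]
    return results


if __name__ == "__main__":
    print(demo())
```

The slave's only trust anchor is the master public key written at the white card stage, so a message signed by any other key, or altered in transit, leaves the slave's RAM without an ICSK.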
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (11)

1. A miniature cryptographic engine, said cryptographic engine comprising:
a main board, a plurality of first and second connection terminals,
at least one cryptographic submodule configured to communicate with the main board through a USB interface to acquire a service request, and to return, through the USB interface, cryptographic information calculated according to the service request data;
wherein the at least one cryptographic submodule is located on the main board; one of the at least one cryptographic submodule comprises a plurality of integrated security chips, and the plurality of security chips comprise a master security chip and at least one slave security chip.
2. The miniature cryptographic engine of claim 1, wherein said at least one cryptographic submodule comprises a first cryptographic submodule and a second cryptographic submodule; the first cryptographic submodule and the second cryptographic submodule are backups of each other.
3. The miniature cryptographic engine of claim 2, wherein said miniature cryptographic engine further comprises: an application programming interface configured to connect to an application system to receive service request data and to feed back the cryptographic information obtained based on the service request data.
4. A miniature cryptographic engine as in claim 3 wherein said cryptographic submodule comprises:
a command distribution submodule configured to encapsulate the service request data to obtain command frame data, and to select a security chip in an idle state from the at least one slave security chip.
5. A miniature cryptographic machine according to claim 1, wherein said miniature cryptographic machine comprises an embedded operating system, wherein said embedded operating system is located on said motherboard.
6. The micro cryptographic engine of claim 1, further comprising a noise source chip, wherein the noise source chip is configured to generate and process true random numbers for cryptographic operations and key management by the cryptographic submodule.
7. An information processing method applied to a micro cipher machine is characterized by comprising the following steps:
determining at least one master security chip and at least one slave security chip from a plurality of cryptographic chips included in the cryptographic submodule, wherein the at least one master security chip is used for storing key information, and the at least one slave security chip is used for executing cryptographic operations;
and performing management related to cryptographic processing business on the at least one master security chip and the at least one slave security chip in different stages.
8. The information processing method of claim 7, wherein the managing of the at least one master security chip and the at least one slave security chip at different stages in relation to cryptographic processing traffic comprises:
in a white card stage, the at least one master security chip and the at least one slave security chip generate respective internal communication public key and private key pairs, the at least one master security chip stores a public key of the slave security chip, and the at least one slave security chip stores a public key of the master security chip;
in an initialization and ready state, the at least one master secure chip and the at least one slave secure chip negotiate to determine a session key.
9. The information processing method of claim 8, wherein the at least one master secure chip and the at least one slave secure chip negotiating to determine a session key comprises:
the at least one master security chip, holding a public key of a first slave security chip in the at least one slave security chip, sends encrypted information and a signature of the master security chip to the first slave security chip;
and the first slave security chip decrypts the encrypted information using a private key, authenticates the signature and stores the encrypted information as the session key after the authentication is passed.
10. The information processing method of claim 8, further comprising confirming that the at least one slave security chip allowed by the authority of the at least one master security chip processes the service request.
11. The information processing method of claim 8, wherein the method further comprises: when the key is updated, an update command is initiated to the at least one slave secure chip through the at least one master secure chip.
CN202010545217.6A 2020-06-15 2020-06-15 Micro cipher machine and information processing method Active CN111698087B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010545217.6A CN111698087B (en) 2020-06-15 2020-06-15 Micro cipher machine and information processing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010545217.6A CN111698087B (en) 2020-06-15 2020-06-15 Micro cipher machine and information processing method

Publications (2)

Publication Number Publication Date
CN111698087A true CN111698087A (en) 2020-09-22
CN111698087B CN111698087B (en) 2023-09-08

Family

ID=72481343

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010545217.6A Active CN111698087B (en) 2020-06-15 2020-06-15 Micro cipher machine and information processing method

Country Status (1)

Country Link
CN (1) CN111698087B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116155491A (en) * 2023-02-02 2023-05-23 广州万协通信息技术有限公司 Symmetric key synchronization method of security chip and security chip device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030021417A1 (en) * 2000-10-20 2003-01-30 Ognjen Vasic Hidden link dynamic key manager for use in computer systems with database structure for storage of encrypted data and method for storage and retrieval of encrypted data
CN103414564A (en) * 2013-08-07 2013-11-27 成都卫士通信息产业股份有限公司 Secrete key card, secrete key device and method for protecting private key
CN105099711A (en) * 2015-08-28 2015-11-25 北京三未信安科技发展有限公司 ZYNQ-based small-sized cipher machine and data encryption method
CN206258875U (en) * 2016-12-16 2017-06-16 北京江南博仁科技有限公司 A kind of encryption equipment
CN106874792A (en) * 2016-12-28 2017-06-20 北京握奇智能科技有限公司 A kind of electric endorsement method and electronic signature terminal
CN110324358A (en) * 2019-07-31 2019-10-11 北京中安国通科技有限公司 Video data manages authentication method, module, equipment and platform

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116155491A (en) * 2023-02-02 2023-05-23 广州万协通信息技术有限公司 Symmetric key synchronization method of security chip and security chip device
CN116155491B (en) * 2023-02-02 2024-03-08 广州万协通信息技术有限公司 Symmetric key synchronization method of security chip and security chip device

Also Published As

Publication number Publication date
CN111698087B (en) 2023-09-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant