CN114996724B - Safe operating system based on cryptographic algorithm module - Google Patents

Publication number: CN114996724B
Authority: CN (China)
Application number: CN202210438125.7A
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114996724A
Inventors: 吕非, 郭建兴, 刘吉林, 张俊, 韩爽
Current Assignee: Kirin Software Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Kirin Software Co Ltd
Prior art keywords: algorithm, module, operating system, encryption, layer

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/44 Program or device authentication
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Power Engineering (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a secure operating system based on national cryptographic algorithm modules, which comprises a hardware encryption layer, a software encryption layer and a network encryption layer. The hardware encryption layer comprises an on-board TCM security chip, BIOS identity authentication and authorization management, and a serial port terminal based on the national cryptographic algorithms; these belong to the hardware modules, so that encryption of the operating system is enforced from the hardware. The software encryption layer comprises: an operating system kernel module, in which the SM2 algorithm is stored; an underlying library, which can provide support for the SM2 algorithm and/or SM3 algorithm and/or SM4 algorithm; a national cryptographic compile-linker module, which is used for completing identity verification and key storage and for verifying the correctness of program operation and the correctness of the national cryptographic algorithms; a middle layer verification module, which can verify the correctness of program operation and the correctness of the national cryptographic algorithms; and an application layer module, which is used for verifying the correctness of program operation and the correctness of the national cryptographic algorithms. The network encryption layer comprises a TCP/IP module, in which the SM1/SM2/SM3/SM4 algorithms are provided.

Description

Safe operating system based on cryptographic algorithm module
Technical Field
The invention relates to a safe operating system, in particular to a safe operating system based on a cryptographic algorithm module.
Background
With the vigorous development of China's economy, in the first twenty years of the twenty-first century China has gradually entered the ranks of the world's strong economies. In the field of computing science, however, and especially in basic key products such as domestic operating systems and secure operating systems, China is still in the category of developing countries and is still at the primary stage of exploration. Through years of continuous effort and a number of major national special projects fostering independent software, the "from nothing to something" problem of building independently controllable operating systems and independent secure operating systems in China has now been solved, and a path running from the introduction of foreign projects to domestic projects, independent research and development, and scientific research innovation has basically taken shape. After many years of continuous development, China has gradually formed a number of independent operating system brands such as Kylin, General Letter, Zhongkeside, Red Flag and General Bloom, and these brands now have some critical applications in the fields of information technology application innovation ("Xinchuang"), scientific research, government, politics and banking.
In a domestic secure operating system, a key component is the national cryptographic algorithm module. Compared with traditional, internationally common cryptographic modules such as AES and DES, the national cryptographic module has inherent security advantages such as "independent research and development", "independent control" and "low adoption abroad", and it plays an important supporting role in China's basic security system. Because the national cryptographic algorithms are an important and indispensable component of a domestic secure operating system, the correctness, normality and stability of their operation are decisive for government and other authorities. Failure or error of the national cryptographic algorithm module directly affects the correctness and stability of the encryption of confidential departments' data and can lead to serious information security incidents. How to use a correct national cryptographic algorithm module in a domestic secure operating system, so that the system runs correctly and robustly and the module plays its role, has therefore become a research subject that must be solved.
Disclosure of Invention
The main purpose of the invention is to provide a secure operating system based on national cryptographic algorithm modules. Using this system, the correctness, security and confidentiality of the data of confidential departments' independent secure operating systems can be ensured, and a test basis, data support and security guarantee are provided for the correctness, security and robustness of the national cryptographic modules of operating systems used in confidential departments.
In order to accomplish the above object, the present invention provides a secure operating system based on a cryptographic algorithm module, which includes a hardware encryption layer, a software encryption layer and a network encryption layer, wherein:
The hardware encryption layer comprises an identity authentication and authorization management module and a cryptographic algorithm module. The identity authentication and authorization management module is used for boot authentication and management of the BIOS; the cryptographic algorithm module is located in the on-board TCM security chip and can encrypt data. The two modules are jointly used to enforce mandatory identity authentication and identification when the operating system boots, and after the kernel has booted, the operating system starts the corresponding services and modules to carry out authorization management and the cryptographic algorithm module;
The software encryption layer comprises an operating system kernel module, an underlying library, a national cryptographic compile-linker module, a middle layer verification module and an application layer module. The SM2 algorithm is stored in the operating system kernel module, and the operating system kernel module can control the operation of the operating system according to the result fed back by the SM2 algorithm; the underlying library can provide support for the SM2 algorithm and/or SM3 algorithm and/or SM4 algorithm; the national cryptographic compile-linker module is used for completing identity verification and key storage and for verifying the correctness of program operation and the correctness of the national cryptographic algorithms; the middle layer verification module can reference the application program interface provided by the underlying library by calling middleware, and uses that interface to ensure the correctness of program operation and the correctness of the national cryptographic algorithms; the application layer module uses the underlying library to call the national cryptographic algorithms through the application program interface framework so as to verify the correctness of program operation and the correctness of the national cryptographic algorithms;
The network encryption layer comprises a TCP/IP module, and support for the SM1/SM2/SM3/SM4 algorithms is added in the TCP/IP module.
Preferably, the working method of the identity authentication authorization management module and the cryptographic algorithm module is as follows:
When the operating system is started, the BIOS completes the system self-check and initialization after power-on, and the on-board TCM security chip and the secure hard disk are each connected to the BIOS. The identity authentication and authorization management module performs mandatory identity authentication of the user who is starting the machine, and at the same time the user's identity is authenticated through the basic input/output devices. After this user identity authentication passes, the user enters data through the basic input/output devices, and the identity authentication and authorization management module performs mandatory verification of the entered data using the key data stored in the BIOS flash memory chip, thereby authenticating the user's identity. After the BIOS has authenticated the user's identity, the SM3 algorithm engine in the cryptographic algorithm module calculates the hash value of the BIOS, and this hash value is stored in the data confidentiality storage module of the on-board TCM security chip. The integrity measurement module in the on-board TCM security chip calls the SM1 algorithm in the cryptographic algorithm module and uses the first 128 bits of the BIOS hash value as the backup key for an SM1-encrypted backup; the encrypted backup data is stored in the on-board TCM security chip. The key data stored on the secure hard disk is then used to identify and check the user's identity again, and the secure hard disk is initialized and checked after the user's identity passes.
Further preferably, the working method of the operating system kernel module is as follows:
By adding a kernel system call interface, the operating system kernel module exists in kernel space in the form of independent memory. It calls the cryptographic algorithm inside the kernel according to the kernel timing and compares the expected value with the actual computed value in kernel-mode memory. If the result is normal, it feeds back the correct information to user mode; if a computation error occurs, it generates an interrupt signal, records it in the kernel log as an error of the highest priority, and suspends the operation of the whole operating system.
Still more preferably, the working method of the underlying library is as follows:
The cryptographic algorithm dynamic link library and static library of the application layer are called from the Java/Python/Golang/shell/Perl languages; the cryptographic algorithms are executed by referencing the corresponding interfaces of the cryptographic algorithm dynamic link library to perform the functions of identity verification, encryption, interface and hash calculation; and upper-layer software encrypts and stores data and programs by calling the API provided by the underlying library.
Still further preferably, the working method of the national cryptographic compile-linker module is as follows:
The national cryptographic compile-linker module is located in the user layer and calls the national cryptographic algorithm dynamic link library and static library of the application layer. The compile-linker compiles test code, written in a language that references the national cryptographic algorithm dynamic link library, into a binary executable program, and completes identity verification and key storage by combining the national cryptographic algorithms in the underlying library with the encryption and decryption algorithms of the operating system, thereby verifying the correctness of program operation and the correctness of the national cryptographic algorithms.
Still more preferably, the hardware encryption layer further comprises a security authentication serial port terminal based on the national cryptographic algorithms.
The CPU of the security authentication serial port terminal comprises an SM1 algorithm engine, an SM2 algorithm engine and an SM3 algorithm engine, so as to provide algorithm support for the on-board TCM security chip and the operating system. The confidential storage of the security authentication serial port terminal is used for storing identity authentication information and a private key, and also provides confidential storage for the information exchanged with the identity authentication and authorization management module. The chip operating system of the security authentication serial port terminal calls the national cryptographic algorithm engines of the CPU to digitally sign outgoing data and to decrypt received data with the private key. The security authentication serial port terminal can also be connected to biometric recognition technology, including but not limited to a fingerprint module and a face recognition module.
Preferably, the network encryption layer further comprises a firewall and a gateway.
The beneficial effects of the invention are as follows:
The invention uses the cryptographic algorithms to carry out user verification in the hardware encryption layer, the software encryption layer and the network encryption layer respectively. That is, the cryptographic algorithms are installed or supported in the BIOS, the on-board TCM security chip, the operating system kernel module, the underlying library, the national cryptographic compile-linker module, the middle layer verification module, the application layer module and the TCP/IP module, so that different parts of the domestic secure operating system adopt different cryptographic algorithms. This achieves the purpose of using the correct cryptographic algorithm module and ensures the correct and robust operation of the domestic operating system.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below in conjunction with the embodiments of the present invention. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
The embodiment provides a safe operating system based on a cryptographic algorithm module, which comprises a hardware encryption layer, a software encryption layer and a network encryption layer, wherein different cryptographic algorithms are adopted in different encryption layers so as to ensure accurate and normal operation of the domestic operating system.
Specifically, in this embodiment, the hardware encryption layer includes an identity authentication and authorization management module and a cryptographic algorithm module. The identity authentication and authorization management module is used for boot authentication management of the BIOS; the cryptographic algorithm module is located in the on-board TCM security chip and is capable of encrypting data. The two modules are used to enforce mandatory identity authentication and identification when the operating system boots, and after the kernel has booted, the operating system starts the corresponding services and modules to carry out the authorization management module and the cryptographic algorithm module. The specific working method of the identity authentication and authorization management module and the cryptographic algorithm module is as follows. When the operating system is started, the BIOS completes the system self-check and initialization after power-on, and the on-board TCM security chip and the secure hard disk are each connected to the BIOS. The identity authentication and authorization management module performs mandatory identity authentication of the user who is starting the machine, and at the same time the basic input/output devices (namely a keyboard and a mouse) authenticate the user's identity. After this authentication through the basic input/output devices passes, the user enters data using the basic input/output devices, and the identity authentication and authorization management module performs mandatory verification of the entered data using the key data stored in the BIOS flash memory chip, thereby verifying the user's identity. After the BIOS has authenticated the user's identity, the SM3 algorithm engine in the cryptographic algorithm module calculates the hash value of the BIOS, and this hash value is stored in the data confidentiality storage module of the on-board TCM security chip. The integrity measurement module in the on-board TCM security chip calls the SM1 algorithm in the cryptographic algorithm module and uses the first 128 bits of the BIOS hash value as the backup key for an SM1-encrypted backup; the encrypted backup data is stored in the on-board TCM security chip. The key data stored on the secure hard disk is then used to identify and check the user's identity again, and the secure hard disk is initialized and checked after the user's identity passes.
In addition, the hardware encryption layer also comprises a security authentication serial port terminal based on the national cryptographic algorithms. The CPU of the security authentication serial port terminal comprises an SM1 algorithm engine, an SM2 algorithm engine and an SM3 algorithm engine, so as to provide algorithm support for the chip and the operating system. The confidential storage of the security authentication serial port terminal is used for storing identity authentication information and a private key, and also provides confidential storage for the information exchanged with the identity authentication and authorization management module. The chip operating system of the security authentication serial port terminal calls the national cryptographic algorithm engines of the CPU to digitally sign outgoing data and to decrypt received data with the private key. The serial port terminal can also be connected to biometric recognition technology, including but not limited to a fingerprint module and a face recognition module.
In this embodiment, the software encryption layer includes an operating system kernel module, an underlying library, a national cryptographic compile-linker module, a middle layer verification module, and an application layer module.
The SM2 algorithm is stored in the operating system kernel module, and the operating system kernel module can control the operation of the operating system according to the result fed back by the SM2 algorithm. At present, the SM2 cryptographic algorithm has been accepted by the operating system kernel community; it is stored in the kernel layer and exists in the form of a kernel module. The working method of the operating system kernel module is therefore as follows. By adding a kernel system call interface, the operating system kernel module exists in kernel space in the form of independent memory. It calls the cryptographic algorithm inside the kernel according to the kernel timing and compares the expected value with the actual computed value in kernel-mode memory. If the result is normal, it feeds back the correct information to user mode; if a computation error occurs, it generates an interrupt signal, records it in the kernel log as an error of the highest priority, and suspends the operation of the whole operating system.
The underlying library can provide support for the SM2 algorithm and/or SM3 algorithm and/or SM4 algorithm. SSL (Secure Sockets Layer) is an internationally standardized encryption and authentication communication protocol. The SSL protocol is a secure connection technology between a browser and a web server, located above the network transport layer. At present, OpenSSL supports SM2/SM3/SM4 very well: its elliptic curve implementation has been tested over a long time and is very mature, the latest version also fully supports national cryptographic certificates, and SM2/SM3/SM4 support is added in a Crypt library or in an independent national cryptographic algorithm library. The working method of the national cryptographic underlying library is as follows: the cryptographic algorithm dynamic link library and static library of the application layer module are called from the Java/Python/Golang/shell/Perl languages; the cryptographic algorithms are executed by referencing the corresponding interfaces of the cryptographic algorithm dynamic link library to perform the functions of identity verification, encryption, interface and hash calculation; and upper-layer software encrypts and stores data and programs by calling the API provided by the underlying library.
The national cryptographic compile-linker module is used for completing identity verification and key storage while also verifying the correctness of program operation and the correctness of the national cryptographic algorithms. Its working method is as follows: the national cryptographic compile-linker module is located in the user layer and calls the national cryptographic algorithm dynamic link library and static library of the application layer module. The compile-linker compiles test code, written in a language that references the national cryptographic algorithm dynamic link library, into a binary executable program, and completes identity verification and key storage by combining the national cryptographic algorithms in the underlying library with the encryption and decryption algorithms of the operating system, thereby verifying the correctness of program operation and the correctness of the national cryptographic algorithms.
The middle layer verification module exists in the user layer. It can reference the application layer cryptographic algorithm package by calling middleware, and ensures the correctness of program operation and the correctness of the cryptographic algorithms. That is, when a user opens a piece of software, the middle layer verification module starts to run and confirms the user.
The application layer module enables the user layer to call the national cryptographic algorithm package through an application layer framework (such as PHP, JSP and the like) so as to verify the correctness of program operation and the correctness of the national cryptographic algorithms.
The network encryption layer comprises a TCP/IP module, in which the SM1/SM2/SM3/SM4 algorithms are provided. In addition, the network encryption layer also comprises a firewall and a gateway. The Transmission Control Protocol/Internet Protocol (TCP/IP), also known as the network communication protocol, is the most basic communication protocol used on the network. SSL/TLS, the Secure Sockets Layer and Transport Layer Security protocols, protect privacy and data integrity in network data transmission. In the internationally mainstream SSL/TLS, the security of the encryption is ensured by symmetric algorithms (DES, 3DES) and asymmetric algorithms (RSA, DSA), and reliability is ensured by hash algorithms (SHA1, MD5). These are international standard algorithms; they are generally implemented in software on the terminal device (client), occupy CPU computing resources, and are generally operated at a high speed and in terms of safety. At present, the country is strongly promoting the national cryptographic algorithms in the field of information security; they are a series of data encryption algorithms independently researched, developed and innovated in China. The SM1-SM4 algorithms implement symmetric, asymmetric, digest and other algorithm functions, so the SM1-SM4 algorithms are embedded into the TCP/IP module, thereby achieving confidentiality for network security.
At present, host control mainly isolates the system by means of a firewall and intrusion detection technologies such as intrusion detection, port control, access control whitelists and blacklists, and IP address filtering; this isolation method is well suited to the security protection of the computer networks of government authorities and public institutions. Therefore, a cryptographic algorithm is also provided at the firewall and gateway to prevent external attacks on the computer.
In summary, in this embodiment, when the system has just been started, the user is authenticated by the BIOS and the on-board TCM security chip, which apply the cryptographic algorithms. When the user wants to use a piece of software while using the computer, the user's identity is verified on the basis of the national cryptographic algorithms through cooperation among the operating system kernel module, the underlying library, the national cryptographic compile-linker module, the middle layer verification module and the application layer module of the software encryption layer, so that the identity of the user is confirmed. When the computer is connected to the network, the TCP/IP module and the gateway port, both based on the national cryptographic algorithms, are used to verify identity, thereby achieving the stability of a domestic operating system that uses the national cryptographic algorithms.
It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Claims (7)

1. The safe operating system based on the cryptographic algorithm module is characterized by comprising a hardware encryption layer, a software encryption layer and a network encryption layer, wherein:
The hardware encryption layer comprises an identity authentication and authorization management module and a cryptographic algorithm module, wherein the identity authentication and authorization management module is used for boot authentication and management of the BIOS; the cryptographic algorithm module is located in an on-board TCM security chip and can encrypt data; the identity authentication and authorization management module and the cryptographic algorithm module are jointly used to perform mandatory identity authentication and identification at boot when the operating system is started, and after the kernel has booted, the operating system boots the corresponding services and modules to perform authorization management;
The software encryption layer comprises an operating system kernel module, an underlying library, a national cryptographic (SM) compiling linker module, a middle-layer verification module and an application layer module, wherein an SM2 algorithm is stored in the operating system kernel module, and the operating system kernel module can control the operation of the operating system according to the feedback result of the SM2 algorithm; the underlying library can provide support for the SM2 algorithm and/or the SM3 algorithm and/or the SM4 algorithm; the national cryptographic compiling linker module is used for completing identity verification and key storage and for verifying the correctness of program operation and the correctness of the national cryptographic algorithm; the middle-layer verification module can reference the application program interface provided by the underlying library by calling middleware, and the application program interface provided by the underlying library is used for ensuring the correctness of program operation and the correctness of the national cryptographic algorithm; the application layer module calls the national cryptographic algorithm through the application program interface framework of the underlying library so as to verify the correctness of program operation and the correctness of the national cryptographic algorithm;
The network encryption layer comprises a TCP/IP module, and SM1 algorithm/SM2 algorithm/SM3 algorithm/SM4 algorithm support is added in the TCP/IP module.
2. The secure operating system based on a cryptographic algorithm module according to claim 1, wherein the identity authentication and authorization management module and the cryptographic algorithm module work as follows:
After the operating system is started, the BIOS completes system self-check and initialization after power-on; the on-board TCM security chip and the secure hard disk are each connected to the BIOS; the identity authentication and authorization management module performs mandatory identity authentication on the user starting the system, the identity of the user being authenticated through the basic input/output devices; after this user identity authentication passes, the user enters data through the basic input/output devices, and the identity authentication and authorization management module performs mandatory verification of the data entered by the user against key data stored in the BIOS flash memory chip, thereby authenticating the identity of the user; after the BIOS has authenticated the user identity, an SM3 algorithm engine in the cryptographic algorithm module calculates the hash value of the BIOS, and the hash value of the BIOS is stored in a data confidentiality storage module in the on-board TCM security chip; an integrity measurement module in the on-board TCM security chip invokes the SM1 algorithm in the cryptographic algorithm module, the first 128 bits of the hash value of the BIOS are used as a backup key for an SM1-encrypted backup, and the encrypted backup data is stored in the on-board TCM security chip; the key data stored on the secure hard disk is used to identify and verify the user identity again, and the secure hard disk is initialized and checked after the user identity passes.
3. The secure operating system based on a cryptographic algorithm module according to claim 2, wherein the operating system kernel module works as follows:
The operating system kernel module sets up an independent memory region in kernel system space by adding a kernel system-call interface, calls a cryptographic algorithm in the kernel based on kernel timing, and compares an expected value with the actual computed value in kernel-mode memory; if the result is normal, it feeds back correct information to user mode; if an operation error occurs, it generates an interrupt signal, displays the interrupt signal in the kernel log as an error with the highest priority, and suspends the operation of the whole operating system.
4. The secure operating system based on a cryptographic algorithm module according to claim 3, wherein the working method of the underlying library is as follows:
The dynamic link library and the static library of the cryptographic algorithm of the application layer are called through the Java/Python/Golang/shell/Perl languages; the cryptographic algorithm is executed by referencing the corresponding interface of the cryptographic algorithm dynamic link library to perform identity verification, encryption and hash calculation; and upper-layer software encrypts and stores data and programs by calling the API provided by the underlying library.
5. The secure operating system based on a cryptographic algorithm module according to claim 4, wherein the national cryptographic compiling linker module works as follows:
The national cryptographic compiling linker module is arranged in the user layer and calls the national cryptographic algorithm dynamic link library and static library of the application layer; the compiling linker compiles test code, written in the compiled language of the national cryptographic algorithm dynamic link library, into binary executable programs, and completes identity verification and key storage by combining the national cryptographic algorithm in the underlying library with the encryption and decryption algorithm of the operating system, thereby verifying the correctness of program operation and the correctness of the national cryptographic algorithm.
6. The secure operating system based on a cryptographic algorithm module according to claim 5, wherein the hardware encryption layer further comprises a secure authentication serial port terminal based on a cryptographic algorithm;
The CPU of the secure authentication serial port terminal comprises an SM1 algorithm engine, an SM2 algorithm engine and an SM3 algorithm engine, which provide algorithm support for the on-board TCM security chip and the operating system; the confidential storage of the secure authentication serial port terminal is used for storing identity authentication information and a private key, and also provides confidential storage for information exchanged with the identity authentication and authorization management module; the chip operating system of the secure authentication serial port terminal digitally signs outgoing data and decrypts received data with the private key by calling the national cryptographic algorithm engines of the CPU; in addition, the secure authentication serial port terminal can be connected to biometric recognition technology, including but not limited to a fingerprint module and a face recognition module.
7. The secure operating system based on a cryptographic algorithm module according to claim 1, wherein the network encryption layer further comprises a firewall and a gateway.
CN202210438125.7A 2022-04-25 2022-04-25 Safe operating system based on cryptographic algorithm module Active CN114996724B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210438125.7A CN114996724B (en) 2022-04-25 2022-04-25 Safe operating system based on cryptographic algorithm module

Publications (2)

Publication Number Publication Date
CN114996724A CN114996724A (en) 2022-09-02
CN114996724B CN114996724B (en) 2024-05-03

Family

ID=83024614

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210438125.7A Active CN114996724B (en) 2022-04-25 2022-04-25 Safe operating system based on cryptographic algorithm module

Country Status (1)

Country Link
CN (1) CN114996724B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115186273A (en) * 2022-09-07 2022-10-14 北京智芯微电子科技有限公司 Power terminal, safe starting method and device thereof and storage medium
CN115550042B (en) * 2022-10-08 2023-06-20 江南信安(北京)科技有限公司 Signature verification server for realizing national encryption algorithm based on security chip

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007121641A1 (en) * 2006-04-24 2007-11-01 Beijing E-Henxen Authentication Technologies Co., Ltd. A cpk credibility authentication system using chip
CN103490895A (en) * 2013-09-12 2014-01-01 北京斯庄格科技有限公司 Industrial control identity authentication method and device with state cryptographic algorithms
WO2016107319A1 (en) * 2014-12-30 2016-07-07 北京奇虎科技有限公司 Method for loading secure key storage hardware, and browser client device
CN106506147A (en) * 2016-10-27 2017-03-15 国网江苏省电力公司南京供电公司 A kind of method that IPsec VPN are realized based on the close algorithm of state
CN106991329A (en) * 2017-03-31 2017-07-28 山东超越数控电子有限公司 A kind of trust calculation unit and its operation method based on domestic TCM
CN111435396A (en) * 2019-01-15 2020-07-21 量子芯云(北京)微电子科技有限公司 Intelligent safety master control
CN113420309A (en) * 2021-07-01 2021-09-21 广东工业大学 Lightweight data protection system based on state cryptographic algorithm
CN113452522A (en) * 2021-06-28 2021-09-28 杭州云象网络技术有限公司 Hardware security module software implementation method based on state password, storage medium and device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
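Research and Design of Security Functions of Security Middleware Based on National Cryptographic (SM) Algorithms; 刘迪; 牟鹏; 董爱强; 网络安全技术与应用; 20170415 (No. 04); full text *
Design and Implementation of a TLS Browser Supporting Commercial Cryptographic (SM) Algorithms; 项川; 潘无穷; 黎火荣; 林锵; 信息网络安全; 20170410 (No. 04); full text *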

Also Published As

Publication number Publication date
CN114996724A (en) 2022-09-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant