CN117749465A - Encryption service providing method, electronic device and storage medium - Google Patents
Encryption service providing method, electronic device and storage medium Download PDFInfo
- Publication number
- CN117749465A CN117749465A CN202311733317.1A CN202311733317A CN117749465A CN 117749465 A CN117749465 A CN 117749465A CN 202311733317 A CN202311733317 A CN 202311733317A CN 117749465 A CN117749465 A CN 117749465A
- Authority
- CN
- China
- Prior art keywords
- client
- encryption
- server
- signature
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 54
- 230000008676 import Effects 0.000 claims description 22
- 230000002194 synthesizing effect Effects 0.000 claims description 9
- 238000004590 computer program Methods 0.000 claims description 6
- 238000004364 calculation method Methods 0.000 claims description 5
- 238000012546 transfer Methods 0.000 claims description 5
- 238000004422 calculation algorithm Methods 0.000 description 6
- 238000004891 communication Methods 0.000 description 6
- 238000010586 diagram Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- VBMOHECZZWVLFJ-GXTUVTBFSA-N (2s)-2-[[(2s)-6-amino-2-[[(2s)-6-amino-2-[[(2s,3r)-2-[[(2s,3r)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-2-[[(2s)-2,6-diaminohexanoyl]amino]-5-(diaminomethylideneamino)pentanoyl]amino]propanoyl]amino]hexanoyl]amino]propanoyl]amino]hexan Chemical compound NC(N)=NCCC[C@@H](C(O)=O)NC(=O)[C@H](CCCCN)NC(=O)[C@H](CCCCN)NC(=O)[C@H]([C@@H](C)O)NC(=O)[C@H]([C@H](O)C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCN=C(N)N)NC(=O)[C@@H](N)CCCCN VBMOHECZZWVLFJ-GXTUVTBFSA-N 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 108010068904 lysyl-arginyl-alanyl-lysyl-alanyl-lysyl-threonyl-threonyl-lysyl-lysyl-arginine Proteins 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Landscapes
- Computer And Data Communications (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides an encryption service providing method, electronic equipment and a storage medium, wherein the encryption service providing method comprises the steps of calling a CSP encryption interface, respectively generating a client cooperative key component and a server cooperative key component at a client and a server, storing the server cooperative key component at the server, and storing the client cooperative key component at the client; the CSP service interface is called, corresponding encryption service operation is executed according to the client cooperative key component and the server cooperative key component, the storage characteristic is split by utilizing the cooperative key, the security of private key storage is improved, the complete private key plaintext does not appear in the memory or the network of any party of the client or the server, the private key cannot be restored even if the environment of the client is at risk, the operation can be completed by the cooperation of the client and the server, and the condition that the server performs signature or decryption privately under the condition that the client is unknown is prevented in principle.
Description
Technical Field
The present invention relates to the field of data security technologies, and in particular, to an encryption service providing method, an electronic device, and a storage medium.
Background
The CSP (Cryptographic Service Provider, encryption service providing program) interface is a component of an encryption algorithm related function provided by microsoft Windows operating system, and an application can call the CSP interface through a CryptoAPI series of functions to implement cryptographic operation operations such as encryption, decryption, digital signature, signature verification, and data digest of data. The certificates and the private keys required by the encryption service are generally stored in a hardware USBKey medium, and the purpose is to protect the private keys from being illegally read and used by means of the safe storage function of the USBKey; on the other hand, the method is limited by the storage space of the USBKey, and more certificates cannot be stored in the same USBKey. In the related art, a certificate and a private key are stored in a remote device, or the certificate and the private key are stored in an access device in a centralized way, and once the security of the remote device is at risk when the remote device is placed in the access device, or when the network communication between the access device and the remote device has potential safety hazards, the private key is exposed at risk; when the signature and decryption operation is stored in the access device, the access device has a complete private key, so that the signature and decryption operation can be performed under the condition that the client is not participated at all, and the condition that the server performs the signature or decryption privately under the condition that the client is unknowing can occur.
Disclosure of Invention
The invention provides an encryption service providing method, electronic equipment and a storage medium, which are used for solving the defect that a private key in the traditional encryption service providing method is in risk of leakage or a server side performs signature or decryption privately under the condition that a client side is not aware.
The invention provides an encryption service providing method, which comprises the following steps:
calling a CSP encryption interface, and respectively generating a client cooperative key component and a server cooperative key component at a client and a server, wherein the server cooperative key component is stored at the server, and the client cooperative key component is stored at the client;
and calling a CSP service interface, and executing corresponding encryption service operation according to the client cooperative key component and the server cooperative key component.
According to the method for providing the encryption service provided by the invention, the encryption service operation comprises the steps of downloading a security certificate, calling a CSP service interface, executing corresponding encryption service operation according to the client cooperative key component and the server cooperative key component, and comprising the following steps:
synthesizing a signature public key according to the client cooperative key component and the server cooperative key component;
calling a CSP to acquire a key parameter interface, and leading out the signature public key from a client;
constructing an application form according to the signature public key, calling a CSP hash signature interface, and signing the application form to obtain an application form comprising a signature value;
sending the application form comprising the signature value to a security authentication center to obtain a signature certificate;
calling a CSP to set a key parameter interface to import the signature certificate to a client, analyzing the signature certificate at the client, and verifying whether the public key of the signature certificate is identical to the signature public key;
and if the signature certificates are the same, storing the signature certificates in the client, and associating the signature certificates with a signature public key.
According to the encryption service providing method provided by the invention, the client cooperative key component comprises a client signature public key component and a client signature private key component; the server cooperative key component comprises a server signature public key component and a server signature private key component; the synthesizing the signature public key according to the client cooperative key component and the server cooperative key component comprises the following steps:
establishing a secure network channel between the client and the server;
the client signature public key component is sent to the server through the secure network channel, and the client signature public key component and the server signature public key component are used for synthesizing a complete signature public key at the server;
and transmitting the server-side signature public key component to the client-side through the secure network channel; and synthesizing a complete signature public key at the client by using the client signature private key component and the server signature public key component.
According to the method for providing the encryption service provided by the invention, when the encryption service operation comprises the downloading of the security certificate, the calling CSP service interface executes the corresponding encryption service operation according to the client cooperative key component and the server cooperative key component, and the method further comprises the following steps:
after the signature public key is synthesized, calling the CSP encryption interface to generate an encryption key pair, wherein the encryption key pair comprises an encryption public key and an encryption private key;
calling a CSP import key interface to import the encryption key pair to a client;
constructing an application form according to the temporary public key, and sending the application form to a security authentication center to obtain an encryption certificate and an encryption key pair, wherein the encryption key pair comprises an encryption public key and an encryption private key ciphertext;
calling a CSP import key interface to import the encryption key pair to a client;
calling a CSP to set a key parameter interface to import an encryption certificate to a client;
analyzing the encryption certificate at the client, and verifying whether the public key of the encryption certificate is identical to the encryption public key;
and if the encryption certificates are the same, storing the encryption certificates in the client, and associating the encryption certificates with an encryption public key.
According to the method for providing the encryption service provided by the invention, the calling CSP importation key interface importation the encryption key pair to the client side comprises the following steps:
transmitting the encrypted private key ciphertext to a server, and decrypting the encrypted private key ciphertext by using the temporary private key at the server to obtain an encrypted private key plaintext;
the encryption private key plaintext is subjected to collaborative key splitting to obtain a client encryption public key component, a client encryption private key component, a server encryption public key component and a server encryption private key component, the client encryption public key component, the server encryption public key component and the server encryption private key component are stored in a server, and the client encryption public key component, the client encryption private key component and the server encryption public key component are sent to a client, wherein the client encryption private key component is encrypted by using a client signature public key component;
the client-side encryption private key component and the server-side encryption public key component are used at the client to synthesize an encryption public key.
According to the method for providing the encryption service provided by the invention, the encryption service operation comprises a signature operation, the CSP service interface is called, and the corresponding encryption service operation is executed according to the client cooperative key component and the server cooperative key component, and the method comprises the following steps:
calling a CSP to create a hash interface and a calculation hash interface to transfer in an original text to be signed and calculating a message abstract of the original text to be signed by a client, or directly calling the CSP to set the message abstract of the original text to be signed transferred in the hash interface and generating a first random number;
calculating a first intermediate result according to the message digest and the random number, and sending the first intermediate result and the message digest to a server;
generating a second random number at the server, calculating a server signature value component through the message digest, the second random number and the first intermediate result, and calculating a second intermediate result according to the server signature private key component, the signature value component and the second random number; transmitting the server-side signature value component and the second intermediate result to the client;
and calculating a client signature value component at the client according to the client signature private key component, the first random number, the second intermediate result and the server signature value component, and splicing the server signature value component and the client signature value component to serve as signature values.
According to the method for providing the encryption service provided by the invention, the encryption service operation comprises cooperative encryption, the CSP service interface is called, and the corresponding encryption service operation is executed according to the client cooperative key component and the server cooperative key component, and the method comprises the following steps:
the external program calls CSP to acquire context and acquire a user key interface to acquire a key handle;
the external program calls a CSP encryption interface, and takes a key handle and a plaintext to be encrypted as input parameters;
after the client acquires the key handle and the plaintext to be encrypted, generating a third random number;
calculating a key point according to the third random number and an encryption and decryption public key, wherein the encryption and decryption public key is a signature public key or an encryption public key;
and encrypting the plaintext to be encrypted by using the key point to obtain an encrypted ciphertext.
According to the method for providing the encryption service provided by the invention, the calling CSP service interface executes the corresponding encryption service operation according to the client cooperative key component and the server cooperative key component, and the method comprises the following steps:
when the encryption and decryption public key is a signature public key, part of ciphertext of the encryption ciphertext is sent to a server, and a third intermediate result is calculated by the server through the encryption ciphertext and a server signature private key component and is sent to a client;
calculating a fourth intermediate result at the client through the client signature private key component, the third intermediate result and the encrypted ciphertext, taking the fourth intermediate result as a key point, and decrypting the encrypted ciphertext by using the key point;
when the encryption and decryption public key is an encryption public key, the encryption ciphertext is sent to a server, and a fifth intermediate result is calculated by the server through the encryption ciphertext and a server encryption private key component and is sent to a client;
and calculating a sixth intermediate result by the client through the client signature private key component, the fifth intermediate result and the encrypted ciphertext, taking the sixth intermediate result as a key point, and decrypting the encrypted ciphertext by using the key point.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the encryption service providing method according to any one of the above when executing the program.
The present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the encryption service providing method of any one of the above.
According to the encryption service providing method, the electronic equipment and the storage medium, the CSP encryption interface is called, the client cooperative key component and the server cooperative key component are respectively generated at the client and the server, the server cooperative key component is stored at the server, and the client cooperative key component is stored at the client; the CSP service interface is called, corresponding encryption service operation is executed according to the client cooperative key component and the server cooperative key component, the storage characteristic is split by utilizing the cooperative key, the security of private key storage is improved, the complete private key plaintext does not appear in the memory or the network of any party of the client or the server, the private key cannot be restored even if the environment of the client is at risk, the operation can be completed by the cooperation of the client and the server, and the condition that the server performs signature or decryption privately under the condition that the client is unknown is prevented in principle.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an encryption service providing method provided by the invention;
fig. 2 is a schematic diagram of the structure of an encryption service providing apparatus provided by the present invention;
fig. 3 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a flowchart of an encryption service providing method provided by an embodiment of the present invention, where, as shown in fig. 1, the encryption service providing method provided by the embodiment of the present invention includes:
step 101, calling a CSP encryption interface, respectively generating a client cooperative key component and a server cooperative key component at a client and a server, wherein the server cooperative key component is stored at the server, and the client cooperative key component is stored at the client;
step 102, calling a CSP service interface, and executing corresponding encryption service operation according to the client cooperative key component and the server cooperative key component.
In the traditional encryption service providing method, certificates and private keys required by encryption service are generally stored in a hardware USBKey medium, and the purpose is to protect the private keys from being illegally read and used by means of the safe storage function of the USBKey; on the other hand, the method is limited by the storage space of the USBKey, and more certificates cannot be stored in the same USBKey. In the related art, a certificate and a private key are stored in a remote device, or the certificate and the private key are stored in an access device in a centralized way, and once the security of the remote device is at risk when the remote device is placed in the access device, or when the network communication between the access device and the remote device has potential safety hazards, the private key is exposed at risk; when the signature and decryption operation is stored in the access device, the access device has a complete private key, so that the signature and decryption operation can be performed under the condition that the client is not participated at all, and the condition that the server performs the signature or decryption privately under the condition that the client is unknowing can occur.
The invention provides an encryption service providing method, which comprises the steps of respectively generating a client cooperative key component and a server cooperative key component on a client and a server by calling a CSP encryption interface, wherein the server cooperative key component is stored in the server, and the client cooperative key component is stored in the client; the CSP service interface is called, corresponding encryption service operation is executed according to the client cooperative key component and the server cooperative key component, the storage characteristic is split by utilizing the cooperative key, the security of private key storage is improved, the complete private key plaintext does not appear in the memory or the network of any party of the client or the server, the private key cannot be restored even if the environment of the client is at risk, the operation can be completed by the cooperation of the client and the server, and the condition that the server performs signature or decryption privately under the condition that the client is unknown is prevented in principle.
Based on any embodiment, when the CSP interface is called and the certificate is downloaded, a key pair and a PKCS10 application form can be generated by a download control through calling the CSP interface of the client side on the certificate download platform, then the certificate is applied for and issued from the CA, and finally the certificate is imported to the client side.
Step 201, synthesizing a signature public key according to the client cooperative key component and the server cooperative key component;
step 202, calling a CSP to acquire a key parameter interface, and leading out the signature public key from a client;
step 203, constructing an application form according to the signature public key, calling a CSP hash signature interface, and signing the application form to obtain the application form comprising a signature value;
step 204, the application form including the signature value is sent to a security authentication center to obtain a signature certificate;
step 205, calling a CSP to set a key parameter interface to import the signature certificate to the client, analyzing the signature certificate at the client, and verifying whether the public key of the signature certificate is the same as the signature public key;
and step 206, if the signature certificates are the same, storing the signature certificates in the client, and associating the signature certificates with a signature public key.
Specifically, when the download certificate is a signature certificate, applying for and downloading the certificate through the CSP interface includes:
(1) The client establishes a safe network channel with the server and provides the capability of remotely calling the interface of the server;
(2) The client generates a client SM2 cooperative key component including a client signature public key component P1 and a client signature private key component d1, which are stored in a local disk in an encrypted manner.
(3) The client sends the client signature public key component P1 to the server.
(4) The server generates a server SM2 cooperative key component, which comprises a server signature public key component P2 and a server signature private key component d2, and the server signature public key component and the server signature private key component d2 are stored in the server in an encrypted manner.
(5) The server synthesizes the complete SM2 signature public key P by using the client SM2 signature public key component P1 and the server SM2 cooperative private key component d 2.
(6) The server sends the server SM2 signature public key component P2 to the client.
(7) The client synthesizes a complete SM2 signature public key P by using a client SM2 cooperative private key component d1 and a server SM2 signature public key component P2, and stores and locally, wherein the split principle of the SM2 cooperative private key component is as follows: private key d=d1d2 ≡1, public key p=d1·p2 ≡g=d2·p1 ≡g, where G is the base point of the elliptic curve in the SM2 algorithm based on the ECC elliptic curve algorithm.
(8) And after the client interface is processed, returning the interface.
(9) External program calls CrypsetSetKeyParam interface to import signature certificate to client
(10) The client analyzes the signature certificate, verifies that the public key of the signature certificate is the same as the signature public key P, and if the public key is inconsistent, the interface reports errors and returns.
(11) The client stores the signature certificate locally and associates the signature certificate with the signature key, and the interface returns.
In some embodiments of the present invention, when the encryption service operation includes downloading the security certificate, the invoking the CSP service interface performs a corresponding encryption service operation according to the client cooperative key component and the server cooperative key component, and further includes:
after the signature public key is synthesized, calling the CSP to generate a key pair interface to generate a temporary key pair, wherein the temporary key pair comprises a temporary public key and a temporary private key;
constructing an application form according to the temporary public key, and sending the application form to a security authentication center to acquire an encryption certificate and an encryption key pair;
calling a CSP import key interface to import the encryption key pair to a client;
calling a CSP to set a key parameter interface to import an encryption certificate to a client;
analyzing the encryption certificate at the client, and verifying whether the public key of the encryption certificate is identical to the encryption public key;
and if the encryption certificates are the same, storing the encryption certificates in the client, and associating the encryption certificates with an encryption public key.
Specifically, when the download certificate is double-certificate, namely, comprises a signature certificate and an encryption certificate, the method applies for and downloads the certificate through the CSP interface comprises the following steps:
(1) The external program calls the Cryptographic AcquireContext interface to create a container, and indirectly calls the CPAcquireContext interface provided by the program according to CSP configuration registered in the system by the program (all interfaces are called in an indirect calling mode, which is not described in detail below), and the program creates a file on a local disk as a container file for storing certificate and private key components.
(2) And the external program calls the CryptoGenKey interface to generate a signature key pair, and the program is used as a client and starts to finish a collaborative key generation flow with a server.
(3) The external program calls the CryptoGenKey interface to generate an encryption key pair, which specifically comprises the following steps:
the client invokes the server-side generating temporary key pair interface, and the server-side generates a temporary key pair (including a temporary public key Pt and a temporary private key dt) for the pkcs#10 application, and the temporary public key is sent to the CA center in a subsequent flow, and is used for encrypting the certificate private key. The server sends the temporary public key Pt to the client. The client stores the temporary public key Pt and the interface returns.
(4) The external program calls the CryptotGetKeyParam, derives the public signature key, and the client returns P.
(5) The external program calls the CryptGetKeyParam, derives the encrypted public key, and the client returns Pt.
(6) The external program constructs a PKCS#10 application, calls a CrypCryptotaeHash/CryptHashData/CryptsignHash serial interface, and signs the PKCS#10 application. And after the client finishes processing, the interface returns.
(7) The external program calls the CryptSetKeyParam interface to import the signature certificate to the client, the client analyzes the signature certificate, the public key for verifying the signature certificate is the same as the signature public key P, and if the public key is inconsistent, the interface reports errors and returns. The client stores the signing certificate locally and associates the signing certificate with the signing key. The interface returns.
(8) And the external program calls the Cryptographic port Key interface to import an encryption key pair to the client, the external program calls the Cryptographic SetKeyParam interface to import an encryption certificate to the client, the client analyzes the encryption certificate, the public key of the verification encryption certificate is the same as the encryption public key P', and if the public key is inconsistent, the interface reports errors and returns. The client stores the encryption certificate locally, associates the encryption certificate with the encryption key, returns the interface, and finishes the certificate downloading process.
In the embodiment of the invention, invoking the CSP import key interface to import the encryption key pair to the client comprises the following steps:
step 301, the encrypted private key ciphertext is transmitted to a server, and the server uses a temporary private key to decrypt the encrypted private key ciphertext to obtain an encrypted private key plaintext;
step 302, performing collaborative key splitting on the encrypted private key plaintext to obtain a client encrypted public key component, a client encrypted private key component, a server encrypted public key component and a server encrypted private key component, storing the client encrypted public key component, the server encrypted public key component and the server encrypted private key component in a server, and transmitting the client encrypted public key component, the client encrypted private key component and the server encrypted public key component to a client, wherein the client encrypted private key component is encrypted by using a client signed public key component;
step 303, the client-side encryption private key component and the server-side encryption public key component are used at the client to synthesize an encryption public key.
Specifically, the received encrypted private key ciphertext is transmitted to the server. And the server decrypts the encrypted private key ciphertext by using the temporary private key dt generated before to obtain the encrypted private key plaintext. The server performs cooperative key splitting on the encrypted private key to obtain a client encrypted public key component P3, a client encrypted private key component d3, a server encrypted public key component P4 and a server encrypted private key component d4. The splitting principle is as follows: private key d '=d3d4 ≡1, public key P' =d3·p4 ≡g=d4·p3 ≡g. When splitting, firstly, one key pair P4 and d4 are generated, and then d3 and P3 are calculated reversely, specifically: d3 = (d' +1) d4 -1 P3=d3·g. The server stores P3, P4 and d4 at the server and sends P3, d3, P4 to the client (where d3 is encrypted by the client public key component). The client stores P3, d3, P4 encryption locally. The client uses d3, P4 to synthesize an encrypted public key P', stored locally.
Based on any of the above embodiments, the encryption service operation includes a signing operation, and the invoking CSP service interface executes a corresponding encryption service operation according to the client cooperative key component and the server cooperative key component, including:
step 401, calling a CSP to create a hash interface to create a hash handle;
step 402, calling a CSP to calculate a hash interface to transfer into an original text to be signed and calculating a message digest of the original text to be signed by a client, or directly calling the CSP to set the message digest of the original text to be signed transferred into the hash interface, and then generating a first random number;
step 403, calculating a first intermediate result according to the message digest and the random number, and sending the first intermediate result and the message digest to a server;
step 404, generating a second random number at the server, calculating a server signature value component according to the message digest, the second random number and the first intermediate result, and calculating a second intermediate result according to the server signature private key component, the signature value component and the second random number; transmitting the server-side signature value component and the second intermediate result to the client;
and step 405, calculating a client signature value component at the client according to the client signature private key component, the first random number, the second intermediate result and the server signature value component, and splicing the server signature value component and the client signature value component to be used as a signature value.
In the embodiment of the invention, an external program calls a CrypCryptotaeHash interface to create a hash handle, and then calls a CryptHashData to transfer into an original text M to be signed or calls a CryptSetHashParam interface to transfer into a message digest e of the original text to be signed. And the external program calls a CryptoSignHash interface to carry out collaborative signature. The client calculates a message digest e by the original text M to be signed, and the calculation of the digest includes calculation of a Z value by using a public key. The client generates a random number k1 and calculates an intermediate result Q1, q1=k1·p2. The client sends the intermediate result Q1 and the message digest e to the server.
The server generates a random number k2, calculates a key point (x 1, y 1) =k2·g+q1 through e, k2, Q1, and then calculates a signature value component r= (e+x1) mod n according to a standard. Calculating an intermediate result s2 by d2, r, k2, (s2= (d 2) -1 (r+k2)) mod n); the signature value component r and the intermediate result s2 are sent to the client.
The client calculates a signature value component s, s= (d 1) through d1, k1, s2, r -1 (k1+s2) ≡r) mod n; and the client splices r and s as signature values and returns the signature values through the interface.
Based on any of the above embodiments, the encryption service operation includes cooperative encryption, and the invoking the CSP service interface performs a corresponding encryption service operation according to the client cooperative key component and the server cooperative key component, including:
step 501, an external program calls a CryptoAcquireContext and a CryptoGetUserKey interface to obtain a hKey handle;
step 502, an external program calls a Cryptographic interface, and takes a hKey handle and a plaintext to be encrypted as input parameters;
step 503, after the client obtains the hKey handle and the plaintext to be encrypted, generating a third random number;
step 504, calculating a key point according to the third random number and an encryption and decryption public key, wherein the encryption and decryption public key is a signature public key or an encryption public key, and is determined by interface parameters;
and 505, encrypting the plaintext to be encrypted by using the key point to obtain an encrypted ciphertext.
In the embodiment of the invention, the external program calls the CSP to acquire the context and acquires the user key interface to acquire the key handle. And the external program calls a Cryptographic interface to encrypt data, and the input parameters are hKey and plaintext M to be encrypted.
The encryption process includes the client generating a random number k. If it is a document, the client calculates a key point (x 1, y 1) =k·p, where P is the public signature key synthesized in the process of the following document. If the key is double-certificate, the client calculates a key point (x 1, y 1) =k·p ', wherein P' is an encrypted public key synthesized in the process of the following certificate. The subsequent calculation flow is consistent with the national encryption standard encryption algorithm, finally ciphertext C1|C3|C2 is calculated through plaintext M, and the interface returns.
Based on any of the above embodiments, invoking a CSP service interface, and executing a corresponding encryption service operation according to the client cooperative key component and the server cooperative key component, including:
step 601, when the encryption and decryption public key is a signature public key, sending a part of ciphertext of the encryption ciphertext to a server, calculating a third intermediate result by the encryption ciphertext and a server signature private key component at the server, and sending the third intermediate result to a client;
step 602, calculating a fourth intermediate result at the client through the client signature private key component, the third intermediate result and the encrypted ciphertext, using the fourth intermediate result as a key point, and decrypting the encrypted ciphertext by using the key point;
step 603, when the encryption and decryption public key is an encryption public key, sending the encryption ciphertext to a server, calculating a fifth intermediate result by the encryption ciphertext and a server encryption private key component at the server, and sending the fifth intermediate result to a client;
step 604, calculating a sixth intermediate result by the client through the client signature private key component, the fifth intermediate result and the encrypted ciphertext, using the sixth intermediate result as a key point, and decrypting the encrypted ciphertext by using the key point.
In the embodiment of the invention, an external program calls a CryptoAcquireContext interface to obtain the hProv handle. The external program calls the CryptotGetUserKey interface to obtain the hKey handle. The external program calls a Cryptocrypt interface to decrypt data, and the external program is called hKey and ciphertext C1|C3|C2 to be decrypted. And the client sends the C1 to the server. If so, the server calculates an intermediate result O1 through C1 and a server signature private key component d 2. If the result is double-certificate, the server calculates an intermediate result O1 through the C1 and the server encryption private key component d4. The server sends O1 to the client. If the result is a document, the client calculates an intermediate result O2 through the client signature private key components d1, O1 and C1. If the result is double-certificate, the client calculates an intermediate result O2 through the client encrypting private key component d3, O1 and C1. The intermediate result O2 is the key point (x 1, y 1) in the SM2 standard algorithm, and the client decrypts by the SM2 standard algorithm.
In some embodiments of the present invention, the external program may export the public key through the CryptGetKeyParam interface, and the client directly returns the synthesized public key P or P'. The external program can delete the certificate and the key in the container through the Cryptographic AcquireContext interface, and the client side can inform the server side to delete the corresponding server side key component while deleting the self key component.
The encryption service providing method provided by the embodiment of the invention combines the CSP interface with the cooperative key technology, ensures the security of downloading, storing and using the certificate private key through the CSP interface on the premise of not using special hardware equipment (such as USBKEY), and has good application suitability by adopting the standard CSP interface to enable a CSP caller to directly and seamlessly switch and use without any change.
The encryption service providing apparatus provided by the present invention will be described below, and the encryption service providing apparatus described below and the encryption service providing method described above may be referred to in correspondence with each other.
Fig. 2 is a schematic diagram of an encryption service providing apparatus according to an embodiment of the present invention, and as shown in fig. 2, the encryption service providing apparatus according to an embodiment of the present invention includes:
the generating module 201 is configured to invoke the CSP encryption interface, generate a client cooperative key component and a server cooperative key component at the client and the server, respectively, where the server cooperative key component is stored at the server, and the client cooperative key component is stored at the client;
and the execution module 202 is used for calling the CSP service interface and executing corresponding encryption service operation according to the client cooperative key component and the server cooperative key component.
The invention provides an encryption service providing device, which is characterized in that a client cooperative key component and a server cooperative key component are respectively generated at a client and a server by calling a CSP (compact disc) encryption interface, the server cooperative key component is stored at the server, and the client cooperative key component is stored at the client; the CSP service interface is called, corresponding encryption service operation is executed according to the client cooperative key component and the server cooperative key component, the storage characteristic is split by utilizing the cooperative key, the security of private key storage is improved, the complete private key plaintext does not appear in the memory or the network of any party of the client or the server, the private key cannot be restored even if the environment of the client is at risk, the operation can be completed by the cooperation of the client and the server, and the condition that the server performs signature or decryption privately under the condition that the client is unknown is prevented in principle.
Fig. 3 illustrates a physical schematic diagram of an electronic device, as shown in fig. 3, where the electronic device may include: processor 310, communication interface 320, memory 330 and communication bus 340, wherein processor 310, communication interface 320 and memory 330 communicate with each other via communication bus 340. The processor 310 may call logic instructions in the memory 330 to perform an encryption service providing method comprising: calling a CSP encryption interface, respectively generating a client cooperative key component and a server cooperative key component at a client and a server, wherein the server cooperative key component is stored at the server, and the client cooperative key component is stored at the client; and calling the CSP service interface, and executing corresponding encryption service operation according to the client cooperative key component and the server cooperative key component.
Further, the logic instructions in the memory 330 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
In another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform the method of providing an encrypted service provided by the above methods, the method comprising: calling a CSP encryption interface, respectively generating a client cooperative key component and a server cooperative key component at a client and a server, wherein the server cooperative key component is stored at the server, and the client cooperative key component is stored at the client; and calling the CSP service interface, and executing corresponding encryption service operation according to the client cooperative key component and the server cooperative key component.
The apparatus embodiments described above are merely illustrative, wherein elements illustrated as separate elements may or may not be physically separate, and elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product, which may be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the various embodiments or methods of some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. An encryption service providing method, comprising:
calling a CSP encryption interface, and respectively generating a client cooperative key component and a server cooperative key component at a client and a server, wherein the server cooperative key component is stored at the server, and the client cooperative key component is stored at the client;
and calling a CSP service interface, and executing corresponding encryption service operation according to the client cooperative key component and the server cooperative key component.
2. The method according to claim 1, wherein the encrypting service operation includes downloading a security certificate, the calling CSP service interface performs a corresponding encrypting service operation according to the client cooperative key component and the server cooperative key component, and the method includes:
synthesizing a signature public key according to the client cooperative key component and the server cooperative key component;
calling a CSP to acquire a key parameter interface, and leading out the signature public key from a client;
constructing an application form according to the signature public key, calling a CSP hash signature interface, and signing the application form to obtain an application form comprising a signature value;
sending the application form comprising the signature value to a security authentication center to obtain a signature certificate;
calling a CSP to set a key parameter interface to import the signature certificate to a client, analyzing the signature certificate at the client, and verifying whether the public key of the signature certificate is identical to the signature public key;
and if the signature certificates are the same, storing the signature certificates in the client, and associating the signature certificates with a signature public key.
3. The encryption service providing method according to claim 2, wherein the client cooperative key component includes a client signature public key component and a client signature private key component; the server cooperative key component comprises a server signature public key component and a server signature private key component; the synthesizing the signature public key according to the client cooperative key component and the server cooperative key component comprises the following steps:
establishing a secure network channel between the client and the server;
the client signature public key component is sent to the server through the secure network channel, and the client signature public key component and the server signature public key component are used for synthesizing a complete signature public key at the server;
and transmitting the server-side signature public key component to the client-side through the secure network channel; and synthesizing a complete signature public key at the client by using the client signature public key component and the server signature public key component.
4. The method for providing encrypted services according to claim 2, wherein when the encrypted service operation includes downloading a security certificate, the step of calling a CSP service interface to perform a corresponding encrypted service operation according to the client cooperative key component and the server cooperative key component further includes:
after the signature public key is synthesized, calling the CSP encryption interface to generate a temporary key pair, wherein the temporary key pair comprises a temporary public key and a temporary private key;
constructing an application form according to the temporary public key, and sending the application form to a security authentication center to obtain an encryption certificate and an encryption key pair, wherein the encryption key pair comprises an encryption public key and an encryption private key ciphertext;
calling a CSP import key interface to import the encryption key pair to a client;
calling a CSP to set a key parameter interface to import an encryption certificate to a client;
analyzing the encryption certificate at the client, and verifying whether the public key of the encryption certificate is identical to the encryption public key;
and if the encryption certificates are the same, storing the encryption certificates in the client, and associating the encryption certificates with an encryption public key.
5. The method for providing an encrypted service according to claim 4, wherein said calling the CSP import key interface to import the encryption key pair to the client comprises:
transmitting the encrypted private key ciphertext to a server, and decrypting the encrypted private key ciphertext by using the temporary private key at the server to obtain an encrypted private key plaintext;
the encryption private key plaintext is subjected to collaborative key splitting to obtain a client encryption public key component, a client encryption private key component, a server encryption public key component and a server encryption private key component, the client encryption public key component, the server encryption public key component and the server encryption private key component are stored in a server, and the client encryption public key component, the client encryption private key component and the server encryption public key component are sent to a client, wherein the client encryption private key component is encrypted by using a client signature public key component;
the client-side encryption private key component and the server-side encryption public key component are used at the client to synthesize an encryption public key.
6. The method for providing encrypted services according to claim 2, wherein the encrypted service operation includes a signing operation, and the calling CSP service interface performs the corresponding encrypted service operation according to the client cooperative key component and the server cooperative key component, including:
calling a CSP to create a hash interface and a calculation hash interface to transfer in an original text to be signed and calculating a message abstract of the original text to be signed by a client, or directly calling the CSP to set the message abstract of the original text to be signed transferred in the hash interface and generating a first random number;
calculating a first intermediate result according to the message digest and the random number, and sending the first intermediate result and the message digest to a server;
generating a second random number at the server, calculating a server signature value component through the message digest, the second random number and the first intermediate result, and calculating a second intermediate result according to the server signature private key component, the signature value component and the second random number; transmitting the server-side signature value component and the second intermediate result to the client;
and calculating a client signature value component at the client according to the client signature private key component, the first random number, the second intermediate result and the server signature value component, and splicing the server signature value component and the client signature value component to serve as signature values.
7. The method according to claim 5, wherein the encryption service operation includes cooperative encryption, the invoking CSP service interface performs a corresponding encryption service operation according to the client cooperative key component and the server cooperative key component, and the method comprises:
the external program calls CSP to acquire context and acquire a user key interface to acquire a key handle;
the external program calls a CSP encryption interface, and takes a key handle and a plaintext to be encrypted as input parameters;
after the client acquires the key handle and the plaintext to be encrypted, generating a third random number;
calculating a key point according to the third random number and an encryption and decryption public key, wherein the encryption and decryption public key is a signature public key or an encryption public key;
and encrypting the plaintext to be encrypted by using the key point to obtain an encrypted ciphertext.
8. The method for providing encrypted services according to claim 7, wherein said invoking the CSP service interface performs corresponding encrypted service operations according to the client cooperative key component and the server cooperative key component, comprising:
when the encryption and decryption public key is a signature public key, part of ciphertext of the encryption ciphertext is sent to a server, and a third intermediate result is calculated by the server through the encryption ciphertext and a server signature private key component and is sent to a client;
calculating a fourth intermediate result at the client through the client signature private key component, the third intermediate result and the encrypted ciphertext, taking the fourth intermediate result as a key point, and decrypting the encrypted ciphertext by using the key point;
when the encryption and decryption public key is an encryption public key, the encryption ciphertext is sent to a server, and a fifth intermediate result is calculated by the server through the encryption ciphertext and a server encryption private key component and is sent to a client;
and calculating a sixth intermediate result by the client through the client signature private key component, the fifth intermediate result and the encrypted ciphertext, taking the sixth intermediate result as a key point, and decrypting the encrypted ciphertext by using the key point.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the cryptographic service providing method of any one of claims 1 to 8 when the program is executed by the processor.
10. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the encryption service providing method according to any one of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311733317.1A CN117749465A (en) | 2023-12-15 | 2023-12-15 | Encryption service providing method, electronic device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311733317.1A CN117749465A (en) | 2023-12-15 | 2023-12-15 | Encryption service providing method, electronic device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117749465A true CN117749465A (en) | 2024-03-22 |
Family
ID=90258637
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311733317.1A Pending CN117749465A (en) | 2023-12-15 | 2023-12-15 | Encryption service providing method, electronic device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117749465A (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110932850A (en) * | 2019-11-29 | 2020-03-27 | 杭州安恒信息技术股份有限公司 | Communication encryption method and system |
| CN111404696A (en) * | 2020-03-31 | 2020-07-10 | 中国建设银行股份有限公司 | Collaborative signature method, security service middleware, related platform and system |
| CN115499126A (en) * | 2022-04-27 | 2022-12-20 | 河南省核芯微电子科技有限公司 | SM2 key distributed storage-based key pair generation method, collaborative signature method, decryption method, device and medium |
-
2023
- 2023-12-15 CN CN202311733317.1A patent/CN117749465A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110932850A (en) * | 2019-11-29 | 2020-03-27 | 杭州安恒信息技术股份有限公司 | Communication encryption method and system |
| CN111404696A (en) * | 2020-03-31 | 2020-07-10 | 中国建设银行股份有限公司 | Collaborative signature method, security service middleware, related platform and system |
| CN115499126A (en) * | 2022-04-27 | 2022-12-20 | 河南省核芯微电子科技有限公司 | SM2 key distributed storage-based key pair generation method, collaborative signature method, decryption method, device and medium |
Non-Patent Citations (2)
| Title |
|---|
| 侯红霞;杨波;张丽娜;张明瑞;: "安全的两方协作SM2签名算法", 电子学报, no. 01, 15 January 2020 (2020-01-15) * |
| 冯琦;何德彪;罗敏;李莉;: "移动互联网环境下轻量级SM2两方协同签名", 计算机研究与发展, no. 10, 9 October 2020 (2020-10-09) * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108513704B (en) | Remote distribution method and system of terminal master key | |
| CN108200028B (en) | Method and system for safely acquiring trusted data of server by using block chain | |
| US8495383B2 (en) | Method for the secure storing of program state data in an electronic device | |
| CN106788989B (en) | Method and equipment for establishing secure encrypted channel | |
| EP1976322A1 (en) | An authentication method | |
| CN113162752B (en) | Data processing method and device based on hybrid homomorphic encryption | |
| CN104618120A (en) | Digital signature method for escrowing private key of mobile terminal | |
| CN107918731A (en) | Method and apparatus for controlling the authority to access to open interface | |
| CN111277417B (en) | Electronic signature implementation method based on national network security technology architecture | |
| WO2016082401A1 (en) | Conversation method and apparatus, user terminal and computer storage medium | |
| CN111865582A (en) | Private key offline storage method, system and storage medium based on zero knowledge proof | |
| CN115913672A (en) | Electronic file encryption transmission method, system, terminal equipment and computer medium | |
| CN115150821A (en) | Offline package transmission and storage method and device | |
| CN105471896B (en) | Proxy Method, apparatus and system based on SSL | |
| CN111565108B (en) | Signature processing method, device and system | |
| CN111245594B (en) | Homomorphic operation-based collaborative signature method and system | |
| WO2023174350A1 (en) | Identity authentication method, apparatus and device, and storage medium | |
| CN114785527B (en) | Data transmission method, device, equipment and storage medium | |
| CN116318654A (en) | SM2 algorithm collaborative signature system, method and equipment integrating quantum key distribution | |
| CN116232578A (en) | Multi-party collaborative signature system, method and equipment integrating quantum key distribution | |
| CN112995210B (en) | Data transmission method and device and electronic equipment | |
| CN117749465A (en) | Encryption service providing method, electronic device and storage medium | |
| CN114896608A (en) | Method, medium and device for realizing hardware password interface by adopting go language | |
| CN114500055A (en) | Password verification method and device, electronic equipment and storage medium | |
| CN112637140A (en) | Password transmission method, terminal, server and readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |