[go: up one dir, main page]

CN102842005B - CSP (chip scale package) module of TSPI (telephony service provider interface) based on TSM (tivoli storage manager) and CSP implementation method - Google Patents

CSP (chip scale package) module of TSPI (telephony service provider interface) based on TSM (tivoli storage manager) and CSP implementation method Download PDF

Info

Publication number
CN102842005B
CN102842005B CN201110166272.5A CN201110166272A CN102842005B CN 102842005 B CN102842005 B CN 102842005B CN 201110166272 A CN201110166272 A CN 201110166272A CN 102842005 B CN102842005 B CN 102842005B
Authority
CN
China
Prior art keywords
key
csp
interface
tspi
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201110166272.5A
Other languages
Chinese (zh)
Other versions
CN102842005A (en
Inventor
艾俊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nationz Technologies Inc
Original Assignee
Nationz Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nationz Technologies Inc filed Critical Nationz Technologies Inc
Priority to CN201110166272.5A priority Critical patent/CN102842005B/en
Publication of CN102842005A publication Critical patent/CN102842005A/en
Application granted granted Critical
Publication of CN102842005B publication Critical patent/CN102842005B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Storage Device Security (AREA)

Abstract

本发明涉及一种基于TSM的TSPI接口的CSP模块和CSP实现方法,主要包括基于TSM的TSPI接口创建的CSP连接接口、CSP密钥生成和交换接口、CSP加解密接口和CSP哈希和数字签名接口。其中,CSP连接接口用于进行CSP密钥容器的获取与清除、容器参数的设置与获取以及释放所述CSP密钥容器;CSP密钥生成和交换接口用于进行CSP产生与销毁密钥对象、导入导出密钥对象、加载密钥对象、获取与设置密钥对象参数以及生成随机数;CSP加解密接口用于进行CSP加密和解密;所述CSP哈希和数字签名接口用于产生与销毁哈希对象、获取与设置哈希对象参数、签名和验签。通过在TSM接口TSPI上封装上述接口,可以方便安全应用开发者快速开发TCM应用,同时方便传统应用快速移植到TCM上来。

The present invention relates to a CSP module based on a TSM-based TSPI interface and a CSP implementation method, mainly including a CSP connection interface created based on a TSM-based TSPI interface, a CSP key generation and exchange interface, a CSP encryption and decryption interface, and a CSP hash and digital signature interface. Among them, the CSP connection interface is used to obtain and clear the CSP key container, set and obtain the container parameters, and release the CSP key container; the CSP key generation and exchange interface is used to perform CSP generation and destruction of key objects, Import and export key objects, load key objects, obtain and set key object parameters, and generate random numbers; the CSP encryption and decryption interface is used for CSP encryption and decryption; the CSP hash and digital signature interface is used for generating and destroying hash hash object, get and set hash object parameters, signature and signature verification. By encapsulating the above interfaces on the TSM interface TSPI, it is convenient for security application developers to quickly develop TCM applications, and at the same time facilitate the rapid porting of traditional applications to TCM.

Description

一种基于TSM的TSPI接口的CSP模块和CSP实现方法A CSP module and CSP implementation method of TSPI interface based on TSM

技术领域 technical field

本发明涉及可信计算领域,特别涉及应用可信计算技术实现Microsoft CryptoAPI(微软公司所提供的应用程序编程接口,提供了一组函数,这些函数允许应用程序在对用户的敏感私钥数据提供保护时以灵活的方式对数据进行加密或数字签名)加密标准的CSP(Cryptographic Service Provider,加密服务提供者)的系统和方法。 The present invention relates to the field of trusted computing, in particular to the application of trusted computing technology to implement Microsoft CryptoAPI (an application programming interface provided by Microsoft Corporation, which provides a set of functions that allow applications to protect sensitive private key data of users. A system and method for encrypting or digitally signing data in a flexible manner) encryption standard CSP (Cryptographic Service Provider, encryption service provider).

背景技术 Background technique

可信密码模块(Trusted Cryptography Module,TCM)是可信计算密码支撑平台必备的关键基础部件,提供独立的密码算法运算功能,支撑可信计算平台功能体系建立。 Trusted Cryptography Module (Trusted Cryptography Module, TCM) is an essential key basic component of the trusted computing cryptographic support platform, which provides independent cryptographic algorithm operation functions and supports the establishment of the trusted computing platform functional system.

TCM构建了一个具有存储保护和执行保护的子系统,该子系统为计算平台建立信任根基,其独立的计算资源将建立严格受限的安全保护机制。为有效发挥TCM功能体系作用,将子系统中需执行保护的函数与无需执行保护的函数划分开,将无需执行保护的功能函数由计算平台主处理器执行,而这些支持函数构成了TCM服务模块,记为TSM(Trusted Services Module,可信服务模块)。 TCM builds a subsystem with storage protection and execution protection, which establishes the root of trust for the computing platform, and its independent computing resources will establish a strictly limited security protection mechanism. In order to effectively play the role of the TCM functional system, the functions that need to be protected and those that do not need to be protected are separated in the subsystem, and the functions that do not need to be protected are executed by the main processor of the computing platform, and these supporting functions constitute the TCM service module , denoted as TSM (Trusted Services Module, trusted service module).

TSM作为TCM的软件协议栈,提供规范化的函数接口,而面向应用程序的TCM服务调用接口TSPI(TSM Service Provider Interface,TSM服务提供者接口),分10类120个接口函数,可以为可信计算密码应用程序开发提供指导和调用。但由于目前大多数安全应用所采用的密码服务调用接口类型主流是CSP、CNG(Cryptography API: Next Generation下一代加密技术)和PKCS#11(PKCS#11是一个加密标准),大多数应用开发者熟悉和习惯CSP、CNG和PKCS#11接口调用模式,并且已建立成熟的产品开发支持体系。 As the software protocol stack of TCM, TSM provides a standardized function interface, and the application-oriented TCM service call interface TSPI (TSM Service Provider Interface, TSM Service Provider Interface), which is divided into 10 categories and 120 interface functions, can be used for trusted computing Cryptography app development provides guidance and calling. However, since most of the cryptographic service call interfaces currently used by most security applications are CSP, CNG (Cryptography API: Next Generation encryption technology) and PKCS#11 (PKCS#11 is an encryption standard), most application developers Familiar with and get used to CSP, CNG and PKCS#11 interface call mode, and has established a mature product development support system.

当传统安全应用的开发者转向基于TCM密码服务功能而进行应用开发时,需要重新学习TCM密码服务调用接口体系(TSPI),另外,更为甚者,传统安全应用要移植到TCM上,必须全部重新开发,给应用厂商带来资源消耗,这为TCM应用推广带来很大阻力。 When developers of traditional security applications turn to application development based on TCM cryptographic service functions, they need to relearn the TCM Cryptographic Service Invocation Interface System (TSPI). In addition, what’s more, to port traditional security applications to TCM, all Redevelopment brings resource consumption to application manufacturers, which brings great resistance to TCM application promotion.

发明内容 Contents of the invention

本发明所要解决的技术问题是提供一种基于TSM的TSPI接口的CSP模块,以方便安全应用开发者快速开发TCM应用,同时方便传统应用快速移植到TCM上来。 The technical problem to be solved by the present invention is to provide a CSP module based on the TSPI interface of TSM, so as to facilitate the rapid development of TCM applications by security application developers, and facilitate the rapid transplantation of traditional applications to TCM.

本发明解决上述技术问题的技术方案如下: The technical scheme that the present invention solves the problems of the technologies described above is as follows:

一种基于TSM的TSPI接口的CSP模块,包括: A CSP module based on the TSPI interface of TSM, comprising:

TCM芯片、所述TCM芯片的TSM、所述TSM的调用接口TSPI,以及基于所述TSPI创建的CSP连接接口、CSP密钥生成和交换接口、CSP加解密接口和CSP哈希和数字签名接口;其中 The TCM chip, the TSM of the TCM chip, the call interface TSPI of the TSM, and the CSP connection interface, CSP key generation and exchange interface, CSP encryption and decryption interface, and CSP hash and digital signature interface created based on the TSPI; in

所述CSP连接接口用于进行CSP密钥容器的获取与清除、容器参数的设置与获取以及释放所述CSP密钥容器; The CSP connection interface is used to obtain and clear the CSP key container, set and obtain container parameters, and release the CSP key container;

所述CSP密钥生成和交换接口用于进行CSP产生与销毁密钥对象、导入导出密钥对象、加载密钥对象、获取与设置密钥对象参数以及生成随机数; The CSP key generation and exchange interface is used for CSP to generate and destroy key objects, import and export key objects, load key objects, obtain and set key object parameters, and generate random numbers;

所述CSP加解密接口用于进行CSP加密和解密; The CSP encryption and decryption interface is used for CSP encryption and decryption;

所述CSP哈希和数字签名接口用于产生与销毁哈希对象、获取与设置哈希对象参数、签名和验签。 The CSP hash and digital signature interface is used for generating and destroying hash objects, acquiring and setting parameters of hash objects, signing and verifying signatures.

进一步,所述CSP连接接口包括: Further, the CSP connection interface includes:

CSP环境获取模块:用于指定CSP,返回CSP密钥容器的句柄,获取TCM芯片SMK(Storage Master Key,存储主密钥)对象和TCM对象,并以SMK为父密钥生成SM2(一种非对称加解密算法)的容器密钥,该SM2容器密钥是后续所有密钥的父密钥; CSP environment acquisition module: used to specify the CSP, return the handle of the CSP key container, obtain the TCM chip SMK (Storage Master Key, storage master key) object and TCM object, and use SMK as the parent key to generate SM2 (a non- Symmetric encryption and decryption algorithm), the SM2 container key is the parent key of all subsequent keys;

密钥容器释放模块:用于销毁CSP密钥容器句柄; Key container release module: used to destroy the CSP key container handle;

CSP属性设置模块:用于设置CSP的属性; CSP attribute setting module: used to set the attributes of CSP;

CSP属性获取模块:用于获取CSP的属性。 CSP attribute acquisition module: used to acquire the attributes of CSP.

进一步,所述密钥在TCM芯片的硬件中生成和存储,并结合计算机的存储和计算资源为所述CSP密钥进行硬件保护。 Further, the key is generated and stored in the hardware of the TCM chip, and combined with the storage and computing resources of the computer, hardware protection is performed for the CSP key.

进一步,所述CSP密钥生成和交换接口包括: Further, the CSP key generation and exchange interface includes:

密钥产生模块:用于产生密钥; Key generation module: used to generate keys;

密钥对象生成模块:用于生成密钥对象; Key object generation module: used to generate key objects;

密钥销毁模块:用于销毁已产生的密钥; Key destruction module: used to destroy the generated key;

密钥导出模块:用于导出密钥,使其产生一个副本密钥; Key derivation module: used to derive the key to generate a copy key;

密钥导入模块:用于导入副本密钥到CSP中; Key import module: used to import the copy key into the CSP;

密钥参数获取模块:用于获取密钥参数; Key parameter acquisition module: used to acquire key parameters;

密钥参数设置模块:用于设置密钥参数; Key parameter setting module: used to set key parameters;

随机数产生模块:用于产生随机数。 Random number generation module: used to generate random numbers.

进一步,所述密钥导出模块调用的TSPI接口包括: Further, the TSPI interface called by the key derivation module includes:

Tspi密钥数据加载接口,用于加载指定的密钥数据块加载到TCM中; Tspi key data loading interface, used to load the specified key data block into TCM;

Tspi迁移票据提供接口,用于提供迁移过程的迁移票据; Tspi migration ticket provides an interface for providing a migration ticket for the migration process;

Tspi密钥迁移数据块创建接口,用于创建当前密钥的迁移数据块; Tspi key migration data block creation interface, used to create the migration data block of the current key;

Tspi密钥数据块卸载接口,用于卸载已加载到TCM中的密钥数据块。 The Tspi key data block unloading interface is used to unload the key data block that has been loaded into the TCM.

进一步,所述密钥导入模块调用的TSPI接口包括: Further, the TSPI interface called by the key import module includes:

Tspi密钥对象创建接口,用于创建一个密钥对象; Tspi key object creation interface, used to create a key object;

Tspi策略对象分配接口,用于为密钥对象绑定策略对象; Tspi policy object allocation interface, used to bind the key object to the policy object;

Tspi密钥对象数据设置接口,用于设置密钥对象的数据; Tspi key object data setting interface, used to set the data of the key object;

Tspi数据块转换接口,用于将迁移数据块转换为普通密钥数据块。 Tspi data block conversion interface, used to convert migration data blocks into common key data blocks.

进一步,所述随机数产生模块调用的TSPI接口包括: Further, the TSPI interface called by the random number generation module includes:

Tspi随机数生成接口,用于生成随机数。 Tspi random number generation interface, used to generate random numbers.

进一步,所述CSP加解密接口包括: Further, the CSP encryption and decryption interface includes:

数据加密模块:用于数据加密; Data encryption module: used for data encryption;

数据解密模块:用于数据解密。 Data decryption module: used for data decryption.

进一步,所述CSP哈希和数字签名接口包括: Further, the CSP hash and digital signature interface includes:

哈希对象生成模块:用于产生空的哈希对象; Hash object generation module: used to generate empty hash objects;

散列值产生模块:用于产生给定数据的散列值; Hash value generating module: for generating a hash value of given data;

哈希对象参数获取模块:用于获取哈希对象的参数; Hash object parameter acquisition module: used to obtain the parameters of the hash object;

哈希对象参数设置模块:用于设置哈希对象的参数; Hash object parameter setting module: used to set the parameters of the hash object;

哈希对象销毁模块:用于销毁哈希对象; Hash object destruction module: used to destroy hash objects;

哈希值产生模块:用于对密钥对象产生哈希值; Hash value generation module: used to generate a hash value for the key object;

哈希对象签名模块:用于对指定的哈希对象进行签名; Hash object signature module: used to sign the specified hash object;

签名验证模块:用于对签名进行验证。 Signature verification module: used to verify the signature.

进一步,所述哈希对象签名模块调用的TSPI接口包括: Further, the TSPI interface called by the hash object signature module includes:

Tspi哈希值更新接口,用于更新哈希对象的哈希值; Tspi hash value update interface, used to update the hash value of the hash object;

签名密钥句柄获取接口,用于获取签名密钥句柄; Signature key handle acquisition interface, used to obtain the signature key handle;

Tspi密钥加载接口,用于加载签名密钥到TCM中; Tspi key loading interface, used to load the signature key into TCM;

Tspi哈希值签名接口,用于使用签名密钥对哈希对象的哈希值做签名; Tspi hash value signature interface, used to sign the hash value of the hash object with the signature key;

Tspi密钥数据块卸载接口,用于卸载已加载到TCM中的密钥数据块; Tspi key data block unloading interface, used to unload the key data block loaded into TCM;

签名密钥对象释放接口,用于释放签名密钥对象。 Signature key object release interface, used to release the signature key object.

进一步,所述签名验证模块调用的TSPI接口包括: Further, the TSPI interface called by the signature verification module includes:

Tspi签名验证接口,用于对签名进行验证。 Tspi signature verification interface, used to verify the signature.

本发明还提供了一种基于TSM的TSPI接口的CSP实现方法,包括: The present invention also provides a CSP implementation method based on the TSPI interface of TSM, comprising:

通过CSP连接接口进行CSP密钥容器的获取与清除、容器参数的设置与获取以及释放所述CSP密钥容器; Acquiring and clearing the CSP key container, setting and obtaining container parameters, and releasing the CSP key container through the CSP connection interface;

通过CSP密钥生成和交换接口进行CSP产生与销毁密钥对象、导入导出密钥对象、加载密钥对象、获取与设置密钥对象参数以及生成随机数; Through the CSP key generation and exchange interface, CSP generates and destroys key objects, imports and exports key objects, loads key objects, obtains and sets key object parameters, and generates random numbers;

通过CSP加解密接口进行CSP加密和解密; CSP encryption and decryption through the CSP encryption and decryption interface;

通过CSP哈希和数字签名接口进行哈希对象的产生与销毁、哈希对象参数、签名和验签的获取与设置。 Through the CSP hash and digital signature interface, the generation and destruction of hash objects, the acquisition and setting of hash object parameters, signatures and signature verification are performed.

本发明的有益效果在于,通过在TSM接口TSPI上封装CSP连接接口、CSP密钥生成和交换接口、CSP加解密接口和CSP哈希和数字签名接口,可以方便安全应用开发者快速开发TCM应用,同时方便传统应用快速移植到TCM上来。 The beneficial effect of the present invention is that by encapsulating the CSP connection interface, CSP key generation and exchange interface, CSP encryption and decryption interface, and CSP hash and digital signature interface on the TSM interface TSPI, it is convenient for security application developers to quickly develop TCM applications, At the same time, it is convenient for traditional applications to be quickly transplanted to TCM.

附图说明 Description of drawings

图1为本发明中的基于TSM的TSPI接口的CSP密码服务体系结构图; Fig. 1 is the CSP password service architecture diagram based on the TSPI interface of TSM among the present invention;

图2为本发明基于TSM的TSPI接口的CSP密码服务体系的密钥层次图; Fig. 2 is the key hierarchical figure of the CSP cryptographic service system based on the TSPI interface of TSM of the present invention;

图3为设置签名密钥或者交换密钥使用授权的流程图; Fig. 3 is the flow chart of setting signature key or exchanging key use authorization;

图4为使用签名密钥或交换密钥授权的流程图。 Figure 4 is a flowchart of authorization using a signing key or an exchange key.

具体实施方式 Detailed ways

以下结合附图对本发明的原理和特征进行描述,所举实例只用于解释本发明,并非用于限定本发明的范围。 The principles and features of the present invention are described below in conjunction with the accompanying drawings, and the examples given are only used to explain the present invention, and are not intended to limit the scope of the present invention.

如图1所示,本发明的基于TSM的TSPI接口的CSP密码服务体系,在TCM模块的TSM的基础上,利用TCM服务调用接口TSPI开发出一套新的CSP接口,通过该CSP接口,程序开发者开发的应用程序可以直接利用微软公司的CryptoSPI来使用本发明提供的CSP的加密服务。程序开发者不需要重新学习TCM密码服务调用接口体系(TSPI),并且传统的安全应用也无需进行代码修改而可以直接移植到TCM模块上。节省了大量的程序开发资源,减小了TCM应用的推广阻力。本发明中,密钥在TCM芯片硬件中生成、存储和管理,并可以结合系统平台的存储和计算机资源为算法和密钥提供基于硬件的保护。 As shown in Figure 1, the CSP cryptographic service system based on the TSPI interface of TSM of the present invention, on the basis of the TSM of TCM module, utilizes TCM service call interface TSPI to develop a set of new CSP interface, by this CSP interface, program The application program developed by the developer can directly utilize the CryptoSPI of Microsoft Corporation to use the encryption service of the CSP provided by the present invention. Program developers do not need to re-learn the TCM cryptographic service call interface system (TSPI), and traditional security applications can be directly transplanted to the TCM module without code modification. It saves a lot of program development resources and reduces the resistance to popularization of TCM applications. In the present invention, the key is generated, stored and managed in the TCM chip hardware, and can provide hardware-based protection for the algorithm and the key in combination with the storage and computer resources of the system platform.

本发明的基于TSM的TSPI接口的CSP密码服务体系中的CSP接口包括如下。 The CSP interface in the CSP cryptographic service system based on the TSPI interface of the TSM of the present invention includes the following.

基于TSM的TSPI接口,创建CSP连接接口,该CSP连接接口用于进行CSP密钥容器的获取与清除、容器参数的设置与获取以及释放所述CSP密钥容器。 Create a CSP connection interface based on the TSPI interface of the TSM, and the CSP connection interface is used to obtain and clear the CSP key container, set and obtain container parameters, and release the CSP key container.

该步骤在产生CSP密钥容器时,为每个CSP密钥容器产生一个与其对应的容器密钥,该容器密钥为以SMK为父密钥的SM2密钥,同时也是后续CSP为该CSP密钥容器产生的所有密钥的父密钥。CSP密钥容器的信息和CSP容器密钥的UUID(Universally Unique Identifiers,全局唯一标识符)信息可以保存在TCM芯片的NV(Non-volatile Storage,非易失性存储区)存储区或者操作系统的注册表中。 In this step, when generating the CSP key container, a corresponding container key is generated for each CSP key container. The container key is the SM2 key with SMK as the parent key. The parent key of all keys generated by the key container. The information of the CSP key container and the UUID (Universally Unique Identifiers) information of the CSP container key can be stored in the NV (Non-volatile Storage) storage area of the TCM chip or in the operating system in the registry.

上述CSP连接接口包括以下函数: The above CSP connection interface includes the following functions:

CPAcquireContext函数:用于指定CSP,返回CSP密钥容器的句柄,获取TCM芯片SMK对象和TCM对象,并以SMK为父密钥生成SM2的容器密钥,该SM2容器密钥是后续所有密钥的父密钥,密钥的层次结构如图2所示; CPAcquireContext function: used to specify the CSP, return the handle of the CSP key container, obtain the TCM chip SMK object and TCM object, and use the SMK as the parent key to generate the SM2 container key, which is the key of all subsequent keys The parent key, the hierarchical structure of the key is shown in Figure 2;

CPReleaseContext函数:用于销毁CSP密钥容器句柄; CPReleaseContext function: used to destroy the CSP key container handle;

CPSetProvParam函数:用于设置CSP的属性; CPSetProvParam function: used to set the properties of CSP;

CPGetProvParam函数:用于获取CSP的属性。 CPGetProvParam function: used to get the properties of CSP.

其中,CPAcquireContext函数的具体实现如下: Among them, the specific implementation of the CPAcquireContext function is as follows:

构建TSP上下文及全局对象,调用的TSPI接口包括: Construct the TSP context and global objects, and the TSPI interfaces called include:

Tspi_Context_Create(),用于构造TSP上下文; Tspi_Context_Create(), used to construct the TSP context;

Tspi_Context_Connect(),用于连接TCS; Tspi_Context_Connect(), used to connect to TCS;

Tspi_Context_GetTCMObject(),用于获取TCM芯片对象; Tspi_Context_GetTCMObject(), used to obtain the TCM chip object;

Tspi_Context_CreateObject(),用于生成SMK对象、默认为Policy对象; Tspi_Context_CreateObject(), used to generate SMK object, the default is Policy object;

Tspi_Policy_SetSecret(),用于设置授权数据; Tspi_Policy_SetSecret(), used to set authorization data;

Tspi_Policy_AssignToObject(),用于给需要授权的对象绑定策略对象; Tspi_Policy_AssignToObject(), used to bind policy objects to objects that require authorization;

根据容器参数操作密钥集; Manipulate the key set according to the container parameters;

记录环境配置,返回容器句柄。 Record the environment configuration and return the container handle.

CPReleaseContext函数的具体实现如下: The specific implementation of the CPReleaseContext function is as follows:

释放未能正常释放的资源,包括密钥对象与哈希对象,调用的TSPI接口包括: To release resources that cannot be released normally, including key objects and hash objects, the TSPI interfaces to call include:

Tspi_Context_CloseObject(),用于销毁上下文对象句柄所关联的对象,释放该对象的相关资源; Tspi_Context_CloseObject(), used to destroy the object associated with the context object handle and release the related resources of the object;

Tspi_Policy_FlushSecret(),用于清空授权对象的授权数据; Tspi_Policy_FlushSecret(), used to clear the authorization data of the authorization object;

Tspi_Context_CloseObject(),用于销毁SMK对象、默认为Policy对象; Tspi_Context_CloseObject(), used to destroy the SMK object, the default is the Policy object;

Tspi_Context_Close(),用于断开与TCS的连接,销毁上下文对象; Tspi_Context_Close(), used to disconnect from TCS and destroy the context object;

删除当前环境配置记录。 Delete the current environment configuration record.

CPSetProvParam函数,如图3、图4所示通过设置签名密钥或交换密钥授权数据参数设置签名密钥或交换密钥的授权数据或使用授权数据。同时,通过设置修改签名密钥或交换密钥授权数据参数更改相应密钥的授权数据。 The CPSetProvParam function, as shown in Figure 3 and Figure 4, sets the authorization data or use authorization data of the signature key or exchange key by setting the signature key or exchange key authorization data parameter. At the same time, change the authorization data of the corresponding key by setting the modification signature key or exchange key authorization data parameter.

基于TSM的TSPI接口,创建CSP密钥生成和交换接口,该CSP密钥生成和交换接口用于进行CSP产生与销毁密钥对象、导入导出密钥对象、加载密钥对象、获取与设置密钥对象参数以及生成随机数。 Create a CSP key generation and exchange interface based on the TSPI interface of TSM. The CSP key generation and exchange interface is used for CSP generation and destruction of key objects, import and export of key objects, loading of key objects, and acquisition and setting of keys. object parameters and generate random numbers.

该步骤中,密钥在TCM芯片硬件中生成、存储和管理,并可以结合计算机系统平台的存储和计算资源为算法和CSP密钥提供硬件保护。在生成签名密钥或者交换密钥前,调用了设置容器签名密钥口令或者交换密钥口令将生成带有指定授权的相应密钥,以后再次使用该密钥需要设置密钥的使用授权。 In this step, the key is generated, stored and managed in the TCM chip hardware, and can combine the storage and computing resources of the computer system platform to provide hardware protection for the algorithm and CSP key. Before generating the signing key or exchanging key, calling the set container signing key password or exchanging key password will generate the corresponding key with the specified authorization, and you need to set the authorization of the key to use the key again later.

密钥的导入导出功能是两个可信平台之间的安全密钥迁移,在使用密钥的导入导出功能时,将验证TCM芯片的Owner授权,只有Owner授权成功才能完成密钥的导入导出,Owner授权不成功则不能完成密钥的导入导出,设置Owner授权通过调用设置容器TCM芯片所有者授权参数完成。 The key import and export function is a secure key migration between two trusted platforms. When using the key import and export function, the Owner authorization of the TCM chip will be verified. Only when the Owner authorization is successful can the key import and export be completed. If the Owner authorization is unsuccessful, the import and export of the key cannot be completed. Setting the Owner authorization is done by calling the setting container TCM chip owner authorization parameter.

上述CSP密钥生成和交换接口包括以下函数: The above CSP key generation and exchange interface includes the following functions:

CPDeriveKey函数:用于产生密钥; CPDeriveKey function: used to generate keys;

CPGenKey函数:用于生成密钥对象; CPGenKey function: used to generate a key object;

CPDestroyKey函数:用于销毁已产生的密钥; CPDestroyKey function: used to destroy the generated key;

CPExportKey函数:用于导出密钥,使其产生一个副本密钥; CPExportKey function: used to export the key to generate a copy key;

CPImportKey函数:用于导入副本密钥到CSP中; CPImportKey function: used to import the copy key into CSP;

CPGetKeyParam函数:用于获取密钥参数; CPGetKeyParam function: used to obtain key parameters;

CPSetKeyParam函数:用于设置密钥参数; CPSetKeyParam function: used to set key parameters;

CPGenRandom函数:用于产生随机数。 CPGenRandom function: used to generate random numbers.

其中,CPDeriveKey函数的具体实现如下: Among them, the specific implementation of the CPDeriveKey function is as follows:

取哈希对象的哈希值,调用的TSPI接口包括: To get the hash value of the hash object, the TSPI interface called includes:

Tspi_Hash_GetHashValue(),用于获得哈希对象的哈希值; Tspi_Hash_GetHashValue(), used to obtain the hash value of the hash object;

Tspi_Context_CreateObject(),用于创建密钥对象; Tspi_Context_CreateObject(), used to create key objects;

Tspi_Policy_AssignToObject(),用于为密钥对象分配策略对象; Tspi_Policy_AssignToObject(), used to assign a policy object to a key object;

使用哈希值填充密钥数据,调用的TSPI接口包括: Use the hash value to fill the key data, and the TSPI interface called includes:

Tspi_SetAttribData(),用于设置密钥对象的数据内容; Tspi_SetAttribData(), used to set the data content of the key object;

生成SMS4密钥,调用的TSPI接口包括: To generate an SMS4 key, the TSPI interface called includes:

Tspi_Key_WrapKey(),用于包裹密钥对象; Tspi_Key_WrapKey(), used to wrap key objects;

设置密钥对象访问权限; Set key object access permissions;

记录密钥对象,并返回它的句柄。 Record the key object, and return its handle.

CPGenKey函数的具体实现如下: The specific implementation of the CPGenKey function is as follows:

生成密钥对象,调用的TSPI接口包括: To generate a key object, the TSPI interface called includes:

Tspi_Context_CreateObject(),用于创建密钥对象; Tspi_Context_CreateObject(), used to create key objects;

Tspi_Policy_AssignToObject(),用于为密钥对象分配策略对象; Tspi_Policy_AssignToObject(), used to assign a policy object to a key object;

Tspi_Key_CreateKey(),用于创建密钥对,并用父密钥进行包裹; Tspi_Key_CreateKey(), used to create a key pair and wrap it with the parent key;

设置密钥访问权限; Set key access permissions;

若生成的是非对称密钥,则在密钥数据库中注册,调用的TSPI接口包括: If the generated asymmetric key is registered in the key database, the TSPI interface called includes:

Tspi_Context_RegisterKey(),用于在密钥数据库中注册密钥; Tspi_Context_RegisterKey(), used to register the key in the key database;

记录该密钥,并返回它的句柄。 Record the key, and return its handle.

CPDestroyKey函数的具体实现如下: The specific implementation of the CPDestroyKey function is as follows:

关闭密钥对象,调用的TSPI接口包括: To close the key object, the TSPI interface called includes:

Tspi_Context_CloseObject(),用于销毁一个密钥对象句柄所关联的对象,释放该对象的相关资源; Tspi_Context_CloseObject(), used to destroy the object associated with a key object handle and release the related resources of the object;

删除该密钥记录。 Delete the key record.

CPExportKey函数调用的TSPI接口和具体实现如下: The TSPI interface and specific implementation of the CPExportKey function call are as follows:

Tspi_Key_LoadKey(),用于加载指定的密钥数据块加载到TCM中; Tspi_Key_LoadKey(), used to load the specified key data block into the TCM;

Tspi_Key_AuthorizeMigrationKey(),用于提供迁移过程的迁移票据; Tspi_Key_AuthorizeMigrationKey(), used to provide migration tickets for the migration process;

Tspi_Key_CreateMigrationBlob(),用于创建当前密钥的迁移数据块; Tspi_Key_CreateMigrationBlob(), used to create the migration data block of the current key;

Tspi_Key_UnLoadKey(),用于卸载已加载到TCM中的密钥数据块。 Tspi_Key_UnLoadKey(), used to unload the key data block that has been loaded into the TCM.

CPImportKey函数调用的TSPI接口和具体实现如下: The TSPI interface and specific implementation of the CPImportKey function call are as follows:

Tspi_Context_Create(),用于创建一个密钥对象; Tspi_Context_Create(), used to create a key object;

Tspi_Policy_AssignToObject(),用于为密钥对象绑定策略对象; Tspi_Policy_AssignToObject(), used to bind a policy object to a key object;

Tspi_SetAttribData(),用于设置密钥对象的数据; Tspi_SetAttribData(), used to set the data of the key object;

Tspi_Key_ConvertMigrationBlob(),用于将迁移数据块转换为普通密钥数据块。 Tspi_Key_ConvertMigrationBlob(), used to convert a migration data block into a normal key data block.

CPGenRandom函数调用的TSPI接口和具体实现如下: The TSPI interface and specific implementation of the CPGenRandom function call are as follows:

Tspi_TCM_GetRandom(),用于生成随机数。 Tspi_TCM_GetRandom(), used to generate random numbers.

基于TSM的TSPI接口,创建CSP加解密接口,所述CSP加解密接口用于进行CSP加密和解密。 A CSP encryption and decryption interface is created based on the TSPI interface of the TSM, and the CSP encryption and decryption interface is used for CSP encryption and decryption.

通过该步骤中的CSP加解密接口,在TCM芯片内部进行数据的加解密,若使用的交换密钥设置了授权,则TCM芯片验证交换密钥的授权数据。 Through the CSP encryption and decryption interface in this step, data encryption and decryption are performed inside the TCM chip, and if authorization is set for the exchange key used, the TCM chip verifies the authorization data of the exchange key.

上述CSP加解密接口包括: The above CSP encryption and decryption interfaces include:

CPEncrypt函数:用于数据加密; CPEncrypt function: used for data encryption;

CPDecrypt函数:用于数据解密。 CPDecrypt function: used for data decryption.

其中,CPEncrypt函数的具体实现如下: Among them, the specific implementation of the CPEncrypt function is as follows:

对明文数据进行哈希计算,调用的TSPI接口包括: To perform hash calculation on plaintext data, the TSPI interface called includes:

Tspi_Hash_UpdateHashValue(),用于更新哈希对象的哈希值; Tspi_Hash_UpdateHashValue(), used to update the hash value of the hash object;

对明文数据进行加密,调用的TSPI接口包括: To encrypt plaintext data, the TSPI interface called includes:

Tspi_Context_CreateObject(),用于创建加密对象; Tspi_Context_CreateObject(), used to create encrypted objects;

Tspi_Key_LoadKey(),用于加载加密密钥到TCM中; Tspi_Key_LoadKey(), used to load the encryption key into the TCM;

Tspi_Data_Encrypt(),用于对明文数据进行加密; Tspi_Data_Encrypt(), used to encrypt plaintext data;

Tspi_Key_UnLoadKey(),用于卸载已加载到TCM中的密钥数据块; Tspi_Key_UnLoadKey(), used to unload the key data block that has been loaded into the TCM;

Tspi_GetAttribData(),用于获取加密对象的加密数据块; Tspi_GetAttribData(), used to obtain the encrypted data block of the encrypted object;

Tspi_Context_CloseObject(),用于销毁一个加密对象句柄所关联的对象,释放该对象的相关资源。 Tspi_Context_CloseObject(), used to destroy the object associated with an encrypted object handle and release the related resources of the object.

CPDecrypt函数的具体实现如下: The specific implementation of the CPDecrypt function is as follows:

对密文数据进行解密,调用的TSPI接口包括: To decrypt the ciphertext data, the TSPI interface called includes:

Tspi_Context_CreateObject(),用于创建加密对象; Tspi_Context_CreateObject(), used to create encrypted objects;

Tspi_SetAttribData(),用于设置加密对象的加密数据块; Tspi_SetAttribData(), used to set the encrypted data block of the encrypted object;

Tspi_Key_LoadKey(),用于加载解密密钥到TCM中; Tspi_Key_LoadKey(), used to load the decryption key into the TCM;

Tspi_Data_Decrypt(),用于对密文数据进行解密; Tspi_Data_Decrypt(), used to decrypt ciphertext data;

Tspi_Key_UnLoadKey(),用于卸载已加载到TCM中的密钥数据块; Tspi_Key_UnLoadKey(), used to unload the key data block that has been loaded into the TCM;

Tspi_Context_CloseObject(),用于销毁一个加密对象句柄所关联的对象,释放该对象的相关资源; Tspi_Context_CloseObject(), used to destroy the object associated with an encrypted object handle and release the related resources of the object;

若哈希对象存在,则对经过解密后的明文数据进行哈希计算,调用的TSPI接口包括: If the hash object exists, the hash calculation is performed on the decrypted plaintext data, and the TSPI interface called includes:

Tspi_Hash_UpdateHashValue(),用于更新哈希对象的哈希值。 Tspi_Hash_UpdateHashValue(), used to update the hash value of the hash object.

基于TSM的TSPI接口创建CSP哈希和数字签名接口,该CSP哈希和数字签名接口用于产生与销毁哈希对象、获取与设置哈希对象参数、签名和验签。 Create a CSP hash and digital signature interface based on the TSPI interface of TSM. The CSP hash and digital signature interface is used to generate and destroy hash objects, obtain and set hash object parameters, sign and verify signatures.

通过该CSP哈希和数字签名接口,在TCM芯片内部进行数据签名,若使用的签名密钥设置了授权,则TCM芯片验证签名密钥的授权数据。 Through the CSP hash and digital signature interface, data signature is performed inside the TCM chip. If the signature key used is authorized, the TCM chip verifies the authorization data of the signature key.

上述CSP哈希和数字签名接口包括以下函数: The above CSP hash and digital signature interface includes the following functions:

CPCreateHash函数:用于产生空的哈希对象; CPCreateHash function: used to generate an empty hash object;

CPHashData函数:用于产生给定数据的散列值; CPHashData function: used to generate the hash value of the given data;

CPGetHashParam函数:用于获取哈希对象的参数; CPGetHashParam function: used to obtain the parameters of the hash object;

CPSetHashParam函数:用于设置哈希对象的参数; CPSetHashParam function: used to set the parameters of the hash object;

CPDestroyHash函数:用于销毁哈希对象; CPDestroyHash function: used to destroy the hash object;

CPHashSessionKey函数:用于对密钥对象产生哈希值; CPHashSessionKey function: used to generate a hash value for the key object;

CPSignHash函数:用于对指定的哈希对象进行签名; CPSignHash function: used to sign the specified hash object;

CPVerifySignature函数:用于对签名进行验证。 CPVerifySignature function: used to verify the signature.

其中,CPCreateHash函数的具体实现如下: Among them, the specific implementation of the CPCreateHash function is as follows:

生成哈希对象,调用的TSPI接口包括: To generate a hash object, the TSPI interface called includes:

Tspi_Context_CreateObject(),用于创建一个哈希对象; Tspi_Context_CreateObject(), used to create a hash object;

记录该哈希对象,并返回它的句柄。 Record the hash object and return its handle.

CPHashData函数的具体实现如下: The specific implementation of the CPHashData function is as follows:

将数据追加到TSM哈希对象中,调用的TSPI接口包括: Append data to the TSM hash object, and the TSPI interface called includes:

Tspi_Hash_UpdateHashValue(),用于更新哈希对象的哈希值。 Tspi_Hash_UpdateHashValue(), used to update the hash value of the hash object.

CPDestroyHash函数的具体实现如下: The specific implementation of the CPDestroyHash function is as follows:

关闭TSM哈希对象,调用的TSPI接口包括: To close the TSM hash object, the TSPI interface called includes:

Tspi_Context_CloseObject(),用于销毁一个哈希对象句柄所关联的对象,释放该对象的相关资源; Tspi_Context_CloseObject(), used to destroy the object associated with a hash object handle and release the related resources of the object;

删除该哈希对象记录。 Delete the hash object record.

CPHashSessionKey函数的具体实现如下: The specific implementation of the CPHashSessionKey function is as follows:

取会话密钥的BLOB进行哈希计算,调用的TSPI接口包括: Take the BLOB of the session key for hash calculation, and the TSPI interface called includes:

Tspi_GetAttribData(),用于获取会话密钥的加密数据块; Tspi_GetAttribData(), used to obtain the encrypted data block of the session key;

Tspi_Hash_UpdateHashValue(),用于更新哈希对象的哈希值。 Tspi_Hash_UpdateHashValue(), used to update the hash value of the hash object.

CPSignHash函数调用的TSPI接口如下: The TSPI interface called by the CPSignHash function is as follows:

Tspi_Hash_UpdateHashValue(),用于更新哈希对象的哈希值; Tspi_Hash_UpdateHashValue(), used to update the hash value of the hash object;

CPGetUserKey(),用于获取签名密钥句柄; CPGetUserKey(), used to obtain the signature key handle;

Tspi_Key_LoadKey,用于加载签名密钥到TCM中; Tspi_Key_LoadKey, used to load the signature key into TCM;

Tspi_Hash_Sign(),用于使用签名密钥对哈希对象的哈希值做签名; Tspi_Hash_Sign(), used to sign the hash value of the hash object using the signature key;

Tspi_Key_UnloadKey(),用于卸载已加载到TCM中的密钥数据块; Tspi_Key_UnloadKey(), used to unload the key data block that has been loaded into the TCM;

CPDestroyKey(),用于释放签名密钥对象。 CPDestroyKey(), used to release the signing key object.

CPVerifySignature函数调用的TSPI接口和具体实现如下: The TSPI interface and specific implementation of the CPVerifySignature function call are as follows:

Tspi_Hash_VerifySignature(),用于对签名进行验证。 Tspi_Hash_VerifySignature(), used to verify the signature.

本发明利用TCM芯片、基于TCM芯片的TSM中的调用接口TSPI,开发出上述CSP连接接口、CSP密钥生成和交换接口、CSP加解密接口和CSP哈希和数字签名接口。提供了一个硬件的CSP,该CSP中所有的密钥都在TCM芯片内部产生,加解密操作和签名验签操作都是在TCM芯片内部完成,在使用CSP中的非对称密钥的私钥时都需要进行授权认证,保证了CSP密钥的安全性。并且,上述函数名称和用途与现有CSP中函数的名称和用途一致,因此,安全应用开发者不必重新学习TCM密码服务调用接口体系(TSPI)便可以利用本发明提供的硬件的CSP,也方便了传统应用快速移植到TCM上来,减小了TCM应用推广的阻力。 The invention utilizes the TCM chip and the calling interface TSPI in the TSM based on the TCM chip to develop the above-mentioned CSP connection interface, CSP key generation and exchange interface, CSP encryption and decryption interface, and CSP hash and digital signature interface. A hardware CSP is provided. All the keys in the CSP are generated inside the TCM chip, and the encryption and decryption operations and signature verification operations are all completed inside the TCM chip. When using the private key of the asymmetric key in the CSP Authorization and authentication are required to ensure the security of the CSP key. And, above-mentioned function name and purpose are consistent with the name and purpose of function in existing CSP, therefore, security application developer needn't relearn TCM cryptographic service call interface system (TSPI) and just can utilize the CSP of the hardware that the present invention provides, also convenient It facilitates the rapid transplantation of traditional applications to TCM, and reduces the resistance of TCM application promotion.

以上所述仅为本发明的较佳实施例,并不用以限制本发明,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。 The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included in the protection of the present invention. within range.

Claims (11)

1.一种基于TSM的TSPI接口的CSP模块,其特征在于,包括:1. a CSP module based on the TSPI interface of TSM, is characterized in that, comprises: TCM芯片、所述TCM芯片的TSM、所述TSM的调用接口TSPI,以及基于所述TSPI创建的CSP连接接口、CSP密钥生成和交换接口、CSP加解密接口和CSP哈希和数字签名接口,所述CSP密钥生成和交换接口包括密钥导出模块,用于导出密钥,使其产生一个副本密钥;所述密钥导出模块调用的TSPI接口包括:The TCM chip, the TSM of the TCM chip, the call interface TSPI of the TSM, and the CSP connection interface, CSP key generation and exchange interface, CSP encryption and decryption interface, and CSP hash and digital signature interface created based on the TSPI, The CSP key generation and exchange interface includes a key derivation module for deriving a key so that it produces a copy key; the TSPI interface called by the key derivation module includes: Tspi密钥数据加载接口,用于加载指定的密钥数据块加载到TCM中;Tspi key data loading interface, used to load the specified key data block into TCM; Tspi迁移票据提供接口,用于提供迁移过程的迁移票据;Tspi migration ticket provides an interface for providing a migration ticket for the migration process; Tspi密钥迁移数据块创建接口,用于创建当前密钥的迁移数据块;Tspi key migration data block creation interface, used to create the migration data block of the current key; Tspi密钥数据块卸载接口,用于卸载已加载到TCM中的密钥数据块;Tspi key data block unloading interface, used to unload the key data block loaded into TCM; 其中,所述CSP连接接口用于进行CSP密钥容器的获取与清除、容器参数的设置与获取以及释放所述CSP密钥容器;Wherein, the CSP connection interface is used to obtain and clear the CSP key container, set and obtain container parameters, and release the CSP key container; 所述CSP密钥生成和交换接口用于进行CSP产生与销毁密钥对象、导入导出密钥对象、加载密钥对象、获取与设置密钥对象参数以及生成随机数;The CSP key generation and exchange interface is used for CSP to generate and destroy key objects, import and export key objects, load key objects, obtain and set key object parameters, and generate random numbers; 所述CSP加解密接口用于进行CSP加密和解密;The CSP encryption and decryption interface is used for CSP encryption and decryption; 所述CSP哈希和数字签名接口用于产生与销毁哈希对象、获取与设置哈希对象参数、签名和验签。The CSP hash and digital signature interface is used for generating and destroying hash objects, acquiring and setting parameters of hash objects, signing and verifying signatures. 2.根据权利要求1所述的基于TSM的TSPI接口的CSP模块,其特征在于,所述CSP连接接口包括:2. the CSP module based on the TSPI interface of TSM according to claim 1, is characterized in that, described CSP connection interface comprises: CSP环境获取模块:用于指定CSP,返回CSP密钥容器的句柄,获取TCM芯片SMK对象和TCM对象,并以SMK为父密钥生成SM2的容器密钥,该SM2容器密钥是后续所有密钥的父密钥;CSP environment acquisition module: used to specify the CSP, return the handle of the CSP key container, obtain the TCM chip SMK object and TCM object, and use the SMK as the parent key to generate the SM2 container key. The SM2 container key is all subsequent keys. key's parent key; 密钥容器释放模块:用于销毁CSP密钥容器句柄;Key container release module: used to destroy the CSP key container handle; CSP属性设置模块:用于设置CSP的属性;CSP attribute setting module: used to set the attributes of CSP; CSP属性获取模块:用于获取CSP的属性。CSP attribute acquisition module: used to acquire the attributes of CSP. 3.根据权利要求1所述的基于TSM的TSPI接口的CSP模块,其特征在于:所述密钥在TCM芯片的硬件中生成和存储,并结合计算机的存储和计算资源为所述CSP密钥进行硬件保护。3. the CSP module based on the TSPI interface of TSM according to claim 1, is characterized in that: described key is generated and stored in the hardware of TCM chip, and is described CSP key in conjunction with storage and computing resource of computer Perform hardware protection. 4.根据权利要求1所述的基于TSM的TSPI接口的CSP模块,其特征在于,所述CSP密钥生成和交换接口还包括:4. the CSP module based on the TSPI interface of TSM according to claim 1, is characterized in that, described CSP key generation and exchange interface also comprise: 密钥产生模块:用于产生密钥;Key generation module: used to generate keys; 密钥对象生成模块:用于生成密钥对象;Key object generation module: used to generate key objects; 密钥销毁模块:用于销毁已产生的密钥;Key destruction module: used to destroy the generated key; 密钥导出模块:用于导出密钥,使其产生一个副本密钥;Key derivation module: used to derive the key to generate a copy key; 密钥导入模块:用于导入副本密钥到CSP中;Key import module: used to import the copy key into the CSP; 密钥参数获取模块:用于获取密钥参数;Key parameter acquisition module: used to acquire key parameters; 密钥参数设置模块:用于设置密钥参数;Key parameter setting module: used to set key parameters; 随机数产生模块:用于产生随机数。Random number generation module: used to generate random numbers. 5.根据权利要求4所述的基于TSM的TSPI接口的CSP模块,其特征在于,所述密钥导入模块调用的TSPI接口包括:5. the CSP module based on the TSPI interface of TSM according to claim 4, is characterized in that, the TSPI interface that described key import module calls comprises: Tspi密钥对象创建接口,用于创建一个密钥对象;Tspi key object creation interface, used to create a key object; Tspi策略对象分配接口,用于为密钥对象绑定策略对象;Tspi policy object allocation interface, used to bind the key object to the policy object; Tspi密钥对象数据设置接口,用于设置密钥对象的数据;Tspi key object data setting interface, used to set the data of the key object; Tspi数据块转换接口,用于将迁移数据块转换为普通密钥数据块。Tspi data block conversion interface, used to convert migration data blocks into common key data blocks. 6.根据权利要求4所述的基于TSM的TSPI接口的CSP模块,其特征在于,所述随机数产生模块调用的TSPI接口包括:6. the CSP module based on the TSPI interface of TSM according to claim 4, is characterized in that, the TSPI interface that described random number generation module calls comprises: Tspi随机数生成接口,用于生成随机数。Tspi random number generation interface, used to generate random numbers. 7.根据权利要求1所述的基于TSM的TSPI接口的CSP模块,其特征在于,所述CSP加解密接口包括:7. the CSP module based on the TSPI interface of TSM according to claim 1, is characterized in that, described CSP encryption and decryption interface comprises: 数据加密模块:用于数据加密;Data encryption module: used for data encryption; 数据解密模块:用于数据解密。Data decryption module: used for data decryption. 8.根据权利要求1所述的基于TSM的TSPI接口的CSP模块,其特征在于,所述CSP哈希和数字签名接口包括:8. the CSP module based on the TSPI interface of TSM according to claim 1, is characterized in that, described CSP hash and digital signature interface comprise: 哈希对象生成模块:用于产生空的哈希对象;Hash object generation module: used to generate empty hash objects; 散列值产生模块:用于产生给定数据的散列值;Hash value generating module: for generating a hash value of given data; 哈希对象参数获取模块:用于获取哈希对象的参数;Hash object parameter acquisition module: used to obtain the parameters of the hash object; 哈希对象参数设置模块:用于设置哈希对象的参数;Hash object parameter setting module: used to set the parameters of the hash object; 哈希对象销毁模块:用于销毁哈希对象;Hash object destruction module: used to destroy hash objects; 哈希值产生模块:用于对密钥对象产生哈希值;Hash value generation module: used to generate a hash value for the key object; 哈希对象签名模块:用于对指定的哈希对象进行签名;Hash object signature module: used to sign the specified hash object; 签名验证模块:用于对签名进行验证。Signature verification module: used to verify the signature. 9.根据权利要求8所述的基于TSM的TSPI接口的CSP模块,其特征在于,所述哈希对象签名模块调用的TSPI接口包括:9. the CSP module based on the TSPI interface of TSM according to claim 8, is characterized in that, the TSPI interface that described hash object signature module calls comprises: Tspi哈希值更新接口,用于更新哈希对象的哈希值;Tspi hash value update interface, used to update the hash value of the hash object; 签名密钥句柄获取接口,用于获取签名密钥句柄;Signature key handle acquisition interface, used to obtain the signature key handle; Tspi密钥加载接口,用于加载签名密钥到TCM中;Tspi key loading interface, used to load the signature key into TCM; Tspi哈希值签名接口,用于使用签名密钥对哈希对象的哈希值做签名;Tspi hash value signature interface, used to sign the hash value of the hash object with the signature key; Tspi密钥数据块卸载接口,用于卸载已加载到TCM中的密钥数据块;Tspi key data block unloading interface, used to unload the key data block loaded into TCM; 签名密钥对象释放接口,用于释放签名密钥对象。Signature key object release interface, used to release the signature key object. 10.根据权利要求8所述的基于TSM的TSPI接口的CSP模块,其特征在于,所述签名验证模块调用的TSPI接口包括:10. the CSP module based on the TSPI interface of TSM according to claim 8, is characterized in that, the TSPI interface that described signature verification module calls comprises: Tspi签名验证接口,用于对签名进行验证。Tspi signature verification interface, used to verify the signature. 11.基于TSM的TSPI接口的CSP实现方法,包括:11. The CSP implementation method based on the TSPI interface of TSM, including: 通过CSP连接接口进行CSP密钥容器的获取与清除、容器参数的设置与获取以及释放所述CSP密钥容器;Acquiring and clearing the CSP key container, setting and obtaining container parameters, and releasing the CSP key container through the CSP connection interface; 通过CSP密钥生成和交换接口进行CSP产生与销毁密钥对象、导入导出密钥对象、加载密钥对象、获取与设置密钥对象参数以及生成随机数;Through the CSP key generation and exchange interface, CSP generates and destroys key objects, imports and exports key objects, loads key objects, obtains and sets key object parameters, and generates random numbers; 所述CSP密钥生成和交换接口包括密钥导出模块,用于导出密钥,使其产生一个副本密钥;所述密钥导出模块调用的TSPI接口包括:The CSP key generation and exchange interface includes a key derivation module for deriving a key so that it produces a copy key; the TSPI interface called by the key derivation module includes: Tspi密钥数据加载接口,用于加载指定的密钥数据块加载到TCM中;Tspi key data loading interface, used to load the specified key data block into TCM; Tspi迁移票据提供接口,用于提供迁移过程的迁移票据;Tspi migration ticket provides an interface for providing a migration ticket for the migration process; Tspi密钥迁移数据块创建接口,用于创建当前密钥的迁移数据块;Tspi key migration data block creation interface, used to create the migration data block of the current key; Tspi密钥数据块卸载接口,用于卸载已加载到TCM中的密钥数据块;Tspi key data block unloading interface, used to unload the key data block loaded into TCM; 通过CSP加解密接口进行CSP加密和解密;CSP encryption and decryption through the CSP encryption and decryption interface; 通过CSP哈希和数字签名接口进行哈希对象的产生与销毁、哈希对象参数、签名和验签的获取与设置。Through the CSP hash and digital signature interface, the generation and destruction of hash objects, the acquisition and setting of hash object parameters, signatures and signature verification are performed.
CN201110166272.5A 2011-06-21 2011-06-21 CSP (chip scale package) module of TSPI (telephony service provider interface) based on TSM (tivoli storage manager) and CSP implementation method Expired - Fee Related CN102842005B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110166272.5A CN102842005B (en) 2011-06-21 2011-06-21 CSP (chip scale package) module of TSPI (telephony service provider interface) based on TSM (tivoli storage manager) and CSP implementation method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110166272.5A CN102842005B (en) 2011-06-21 2011-06-21 CSP (chip scale package) module of TSPI (telephony service provider interface) based on TSM (tivoli storage manager) and CSP implementation method

Publications (2)

Publication Number Publication Date
CN102842005A CN102842005A (en) 2012-12-26
CN102842005B true CN102842005B (en) 2015-06-10

Family

ID=47369355

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110166272.5A Expired - Fee Related CN102842005B (en) 2011-06-21 2011-06-21 CSP (chip scale package) module of TSPI (telephony service provider interface) based on TSM (tivoli storage manager) and CSP implementation method

Country Status (1)

Country Link
CN (1) CN102842005B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102831360B (en) * 2012-08-06 2015-01-28 江苏敏捷科技股份有限公司 Personal electronic document safety management system and management method thereof
CN104052596A (en) * 2013-03-11 2014-09-17 江苏国盾科技实业有限责任公司 Application service system based on SM2 algorithm
CN103138938B (en) * 2013-03-22 2016-01-20 中金金融认证中心有限公司 Based on SM2 certificate request and the application process of CSP
CN104050426B (en) * 2014-06-12 2017-03-22 南京理工大学 A Migration System of Confidential Information Based on TCM
CN105871539B (en) * 2016-03-18 2020-02-14 华为技术有限公司 Key processing method and device
CN106096446B (en) * 2016-06-15 2019-01-15 北京工业大学 The packaging method of cryptographic service interface in a kind of trusted computation environment
CN106775656B (en) * 2016-11-28 2020-03-31 江西金格科技股份有限公司 Scheduling method based on multiple intelligent key discs
EP3989478B1 (en) * 2020-10-22 2023-10-18 Moxa Inc. Computing system and device for handling a chain of trust

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1449527A (en) * 2000-06-28 2003-10-15 微软公司 Shared name
CN101447010A (en) * 2008-12-30 2009-06-03 北京飞天诚信科技有限公司 Login system and method for logging in
CN102055759A (en) * 2010-06-30 2011-05-11 北京飞天诚信科技有限公司 Hardware engine realization method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1449527A (en) * 2000-06-28 2003-10-15 微软公司 Shared name
CN101447010A (en) * 2008-12-30 2009-06-03 北京飞天诚信科技有限公司 Login system and method for logging in
CN102055759A (en) * 2010-06-30 2011-05-11 北京飞天诚信科技有限公司 Hardware engine realization method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
可信计算密码支撑平台功能与接口规范;国家密码管理局;《http://gm.gd.gov.cn/upfile/2009113103555609.pdf》;20071231;正文第2页至第3页 *

Also Published As

Publication number Publication date
CN102842005A (en) 2012-12-26

Similar Documents

Publication Publication Date Title
US11947681B2 (en) Cryptographic secret generation and provisioning
CN102842005B (en) CSP (chip scale package) module of TSPI (telephony service provider interface) based on TSM (tivoli storage manager) and CSP implementation method
JP4668619B2 (en) Device key
CN102355351B (en) Key generation, backup and migration method and system based on trusted computing
US8171295B2 (en) Information processing apparatus, a server apparatus, a method of an information processing apparatus, a method of a server apparatus, and an apparatus executable process
TWI384381B (en) Upgrading a memory card that has security mechanisms that prevent copying of secure content and applications
CN102271124B (en) Data processing equipment and data processing method
TWI701929B (en) Cryptographic calculation, method for creating working key, cryptographic service platform and equipment
CN103138939B (en) Based on the key access times management method of credible platform module under cloud memory module
KR20050035104A (en) Device bound flashing/booting for cloning prevention
TW201528751A (en) Commissioning trust processing technology digital rights management
WO2010139258A1 (en) Device, method and system for software copyright protection
JP2010514000A (en) Method for securely storing program state data in an electronic device
CN104021335B (en) Password service method based on extensible password service framework
CN116250209A (en) Data management and encryption in a distributed computing system
CN104052592B (en) A kind of cipher key backup and moving method and system based on trust computing
KR20080065661A (en) Methods for controlling access to file systems, related systems for use in file systems, SIM cards and computer program products
WO2023169409A1 (en) Model invoking method and apparatus, and storage medium
CN103077018B (en) A kind of control method of the equipment interface based on Android system and system
CN112688999B (en) TrustZone-based key use frequency management method and system in cloud storage mode
CN116340903A (en) An Android system-based function authorization method, system, and storage medium
CN112134879B (en) An authorization method based on blockchain smart contracts
CN112131597A (en) Method and device for generating encrypted information and intelligent equipment
KR100749868B1 (en) Device key
CN108809651A (en) Key pair management method and terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150610

CF01 Termination of patent right due to non-payment of annual fee