CN118606925A - Host, password service management method, storage medium and program - Google Patents

Info

Publication number: CN118606925A
Authority: CN (China)
Prior art keywords: virtual, cryptographic, machine, key, service
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202410850327.1A
Other languages: Chinese (zh)
Inventors: 陈善, 应志伟
Current assignee: Haiguang Yunxin Integrated Circuit Design Shanghai Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: Hygon Information Technology Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Events:
  • Application filed by Hygon Information Technology Co Ltd
  • Priority to CN202410850327.1A
  • Publication of CN118606925A
  • Legal status: Pending

Classifications

    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/45 Structures or tools for the administration of authentication
                • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
                • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
              • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present application provide a host, a cryptographic service management method, a storage medium and a program. The host includes a plurality of virtual machines and a cryptographic module; the virtual machines include at least one virtual cryptographic machine and at least one virtual business machine. The virtual cryptographic machine runs a cryptographic service and the virtual business machine runs a cryptographic application system. The virtual cryptographic machine is a secure virtual machine that employs a security protection mechanism, so that the cryptographic service runs in a trusted execution environment; the virtual business machine is an ordinary virtual machine, so that the cryptographic application system runs in a general-purpose computing environment. The cryptographic module includes a number of virtual cryptographic modules corresponding to the at least one virtual cryptographic machine, with one virtual cryptographic module corresponding to one virtual cryptographic machine; each virtual cryptographic module provides key management and cryptographic operation support for the cryptographic service run by its corresponding virtual cryptographic machine. The embodiments can improve the performance of cryptographic services and favour their promotion and wider adoption.

Description

Host, cryptographic service management method, storage medium and program

Technical Field

The embodiments of the present application relate to the field of cryptographic technology, and in particular to a host, a cryptographic service management method, a storage medium, and a program.

Background Art

To safeguard data, protecting data with cryptography has become a common requirement across many industries (for example finance and telecommunications). A cryptographic service is a service that provides data protection functions: it performs cryptographic operations on data so as to guarantee the security, integrity and related properties of the data while it is stored and used.

Given the importance of cryptographic services for data security, improving the performance of cryptographic services has become a technical problem that those skilled in the art urgently need to solve.

Summary of the Invention

In view of this, embodiments of the present application provide a host, a cryptographic service management method, a storage medium, and a program, so as to improve the performance of cryptographic services.

To achieve the above objective, the embodiments of the present application provide the following technical solutions.

In a first aspect, an embodiment of the present application provides a host, including a plurality of virtual machines and a cryptographic module;

the plurality of virtual machines includes at least one virtual cryptographic machine and at least one virtual business machine; the virtual cryptographic machine runs a cryptographic service, the virtual business machine runs a cryptographic application system, and the cryptographic application system uses the cryptographic service to perform cryptographic operations on its data to be processed; the virtual cryptographic machine is a secure virtual machine that employs a security protection mechanism, so that the cryptographic service runs in a trusted execution environment; the virtual business machine is an ordinary virtual machine, so that the cryptographic application system runs in a general-purpose computing environment;

the cryptographic module includes a number of virtual cryptographic modules corresponding to the at least one virtual cryptographic machine, with one virtual cryptographic module corresponding to one virtual cryptographic machine; each virtual cryptographic module provides key management and cryptographic operation support for the cryptographic service run by its corresponding virtual cryptographic machine.

In a second aspect, an embodiment of the present application provides a cryptographic service management method based on the host of the first aspect. The method is executed by the host management program (the hypervisor) and includes:

sending a virtual cryptographic module creation command to the cryptographic module, instructing the cryptographic module to create a virtual cryptographic module;

starting the virtual cryptographic machine and, once it has started, assigning the virtual cryptographic module created by the cryptographic module to the virtual cryptographic machine, thereby establishing the correspondence between the virtual cryptographic machine and the virtual cryptographic module;

and sending a virtual machine shutdown instruction to the virtual cryptographic machine, instructing it to shut down, and, after the virtual cryptographic machine has shut down, sending a virtual cryptographic module destruction command to the cryptographic module, instructing it to destroy the virtual cryptographic module that corresponded to the shut-down virtual cryptographic machine.

In a third aspect, an embodiment of the present application provides a cryptographic service management method based on the host of the first aspect. The method is executed by the virtual cryptographic machine and includes:

after the virtual cryptographic machine has started and its corresponding virtual cryptographic module has been assigned, sending key management information to the corresponding virtual cryptographic module so that the virtual cryptographic module stores the key of the cryptographic service;

and, on receiving the virtual machine shutdown instruction sent by the host management program, sending a key export request to the virtual cryptographic module to request export of the key of the cryptographic service.

In a fourth aspect, an embodiment of the present application provides a cryptographic service management method based on the host of the first aspect. The method is executed by the virtual cryptographic module and includes:

after the virtual cryptographic module has been created and assigned to its corresponding virtual cryptographic machine, receiving the key management information sent by the corresponding virtual cryptographic machine and, in response to it, storing the key of the cryptographic service;

and receiving the key export request sent by the corresponding virtual cryptographic machine and, in response to it, exporting the key of the cryptographic service.
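The lifecycle laid out in the second to fourth aspects, as an added example that is not part of the patent or of any Hygon product: a small Python model in which the host management program, the virtual cryptographic machine and the virtual cryptographic module are plain classes (all class, method and field names are assumptions), enforcing the ordering the aspects describe: a module is assigned only to a started machine, one module maps to one machine, keys are stored only while that pairing exists, the machine exports its keys on the shutdown instruction, and destruction is refused until the machine has stopped.

```python
# Added lifecycle model of the second to fourth aspects. Every class, method and
# name below is an assumption for illustration, not the patent's or any vendor's
# API; keys are random bytes generated locally (constructed sample data).
from __future__ import annotations
import secrets
from dataclasses import dataclass, field


class LifecycleError(Exception):
    pass  # a command arrived out of the order the three aspects describe


@dataclass
class VirtualCryptoModule:
    """Virtual cryptographic module: holds the keys of exactly one machine."""
    vcm_id: int
    owner: VirtualCryptoMachine | None = None   # machine it is assigned to
    keys: dict[str, bytes] = field(default_factory=dict)
    destroyed: bool = False

    def save_key(self, service: str, key: bytes) -> None:
        """Fourth aspect, step 1: store the key carried by key management information."""
        if self.destroyed or self.owner is None:
            raise LifecycleError("key management before assignment or after destruction")
        self.keys[service] = key

    def export_keys(self) -> dict[str, bytes]:
        """Fourth aspect, step 2: answer the machine's key export request with a copy."""
        if self.destroyed or self.owner is None:
            raise LifecycleError("key export before assignment or after destruction")
        return dict(self.keys)


@dataclass
class CryptoModule:
    """The host's cryptographic module, which creates and destroys virtual modules."""
    vcms: dict[int, VirtualCryptoModule] = field(default_factory=dict)
    next_id: int = 1

    def create(self) -> VirtualCryptoModule:
        vcm = VirtualCryptoModule(self.next_id)     # creation command from the host
        self.vcms[vcm.vcm_id] = vcm
        self.next_id += 1
        return vcm

    def destroy(self, vcm_id: int) -> None:
        """Destruction command: valid only once the owning machine has shut down."""
        vcm = self.vcms[vcm_id]
        if vcm.owner is not None and vcm.owner.running:
            raise LifecycleError("destruction requested while the machine is running")
        vcm.keys.clear()          # a real module would zeroize its key storage here
        vcm.destroyed = True
        del self.vcms[vcm_id]


@dataclass
class VirtualCryptoMachine:
    """Secure VM running the cryptographic service (third aspect)."""
    name: str
    running: bool = False
    vcm: VirtualCryptoModule | None = None

    def assign(self, vcm: VirtualCryptoModule) -> None:
        if not self.running:
            raise LifecycleError("module assigned before the machine started")
        if vcm.owner is not None or self.vcm is not None:
            raise LifecycleError("one virtual module maps to exactly one machine")
        vcm.owner, self.vcm = self, vcm

    def provision_key(self, service: str) -> bytes:
        """Third aspect, step 1: generate a service key and send it to the module."""
        if self.vcm is None:
            raise LifecycleError("no virtual cryptographic module assigned")
        key = secrets.token_bytes(32)               # constructed sample key
        self.vcm.save_key(service, key)
        return key

    def on_shutdown_instruction(self) -> dict[str, bytes]:
        """Third aspect, step 2: request key export, then stop running."""
        if self.vcm is None:
            raise LifecycleError("no virtual cryptographic module assigned")
        exported = self.vcm.export_keys()
        self.running = False
        return exported


@dataclass
class HostManager:
    """Host management program (hypervisor) issuing the second aspect's commands."""
    module: CryptoModule
    machines: dict[str, VirtualCryptoMachine] = field(default_factory=dict)

    def launch(self, name: str) -> VirtualCryptoMachine:
        vcm = self.module.create()                      # step 1: creation command
        vm = VirtualCryptoMachine(name, running=True)   # step 2: start the machine ...
        vm.assign(vcm)                                  # ... then assign the module
        self.machines[name] = vm
        return vm

    def shutdown(self, name: str) -> dict[str, bytes]:
        """Step 3: shutdown instruction, then destruction of the machine's module."""
        vm = self.machines.pop(name)
        exported = vm.on_shutdown_instruction()
        self.module.destroy(vm.vcm.vcm_id)
        return exported
```

The exported dictionary is what the patent's key export step hands back to the machine; the model returns it from `shutdown` so a caller can see that the keys survive the module's destruction only through that export.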

In a fifth aspect, an embodiment of the present application provides a storage medium that stores computer instructions which, when executed, implement the cryptographic service management method of the second aspect, or of the third aspect, or of the fourth aspect.

In a sixth aspect, an embodiment of the present application provides a computer program product comprising computer instructions which, when executed, implement the cryptographic service management method of the second aspect, or of the third aspect, or of the fourth aspect.

Embodiments of the present application can realize multiple virtual machines within the same host through virtualization technology. Among these virtual machines, a secure virtual machine that employs a security protection mechanism can serve as a virtual cryptographic machine, so that at least one virtual cryptographic machine is realized within the host and its cryptographic service runs in a trusted execution environment; an ordinary virtual machine without such a mechanism can serve as a virtual business machine, so that at least one virtual business machine is realized within the host and its cryptographic application system runs in a general-purpose computing environment. This arrangement satisfies the computing-environment requirements of both the cryptographic service and the cryptographic application system, and lets the two communicate through the host's virtual machine communication mechanism. That avoids the network bandwidth consumed when the cryptographic application system and the cryptographic service communicate over a network, improves the timeliness of the cryptographic service's responses to the cryptographic application system, and improves the performance of the cryptographic service. In other words, the cryptographic application system can access the cryptographic service within the same host without network communication, which improves the performance of the cryptographic service.

At the same time, a cryptographic module can be implemented within the host. The cryptographic module can include a number of virtual cryptographic modules corresponding to the at least one virtual cryptographic machine, with one virtual cryptographic module corresponding to one virtual cryptographic machine, so that each virtual cryptographic module provides key management and cryptographic operation support for the cryptographic service run by its virtual cryptographic machine. In other words, the virtual cryptographic machine implemented as a secure virtual machine and its corresponding virtual cryptographic module jointly provide a secure and trustworthy cryptographic service, safeguarding the security and trustworthiness of the cryptographic service.

Therefore, the solution provided by the embodiments of the present application can improve the timeliness of the cryptographic service's responses to the cryptographic application system and the performance of the cryptographic service while safeguarding its security and trustworthiness. Moreover, because the cryptographic service and the cryptographic application system reside in the same host, no dedicated physical host needs to be set up for the cryptographic service, which lowers the cost of the cryptographic service and favours its promotion and wider adoption.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are merely embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.

FIG. 1 is an example diagram of the relationship between a cryptographic service and a cryptographic application.

FIG. 2 is an example diagram of the distribution of a cryptographic service and a cryptographic application.

FIG. 3 is an example diagram of a host provided by an embodiment of the present application.

FIG. 4 is a flowchart of a cryptographic service management method provided by an embodiment of the present application.

FIG. 5 is a flowchart of the operation of a cryptographic service provided by an embodiment of the present application.

FIG. 6 is another flowchart of a cryptographic service management method provided by an embodiment of the present application.

DETAILED DESCRIPTION

The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.

A cryptographic service, as a service providing data protection functions, can be invoked by a cryptographic application system to perform cryptographic operations on the data of that cryptographic application system. For ease of understanding, FIG. 1 shows an example of the relationship between a cryptographic service and a cryptographic application. As shown in FIG. 1, the cryptographic application system 110 is a system with data security requirements; taking a software system as an example, a cryptographic application system may be a cryptographic application program. The cryptographic service 120 is a service that provides data protection functions; it may take the form of a software service, or of a software service combined with a hardware service, and the embodiments of the present application do not limit the form of the cryptographic service.

By way of example, the data of the cryptographic application system can be the data to be processed; this data relies on the cryptographic service for its cryptographic operations, so that data security requirements such as the security and integrity of the cryptographic application system's data during storage and use are met. For example, with reference to FIG. 1, the cryptographic application system can transmit the data to be processed to the cryptographic service; based on the data security requirements of that data, the cryptographic service performs the cryptographic operation on it and returns the result of the cryptographic operation to the cryptographic application system.

It should be noted that, for different data security requirements, the cryptographic service needs to provide cryptographic operations that match them; for example, a cryptographic service can provide encryption, decryption, generation and verification of digital signatures, generation of timestamps, and other cryptographic operations. Accordingly, cryptographic services can be of different types depending on the type of cryptographic operation they perform. Taking encryption, decryption, generation and verification of digital signatures, and generation of timestamps as examples of different operation types, a cryptographic service can include, but is not limited to, any of the following:

an encryption and decryption service, where the encryption service encrypts data to guarantee its confidentiality during storage or transmission, and the decryption service restores encrypted data to its plaintext form;

a digital signature and verification service, where the digital signature service generates a digital signature over data to attest to the data's integrity, the identity of the data sender and so on, and the verification service verifies the digital signature of data to check whether the data was tampered with in transit, whether the data source (for example the sender's identity) is trustworthy, and so on;

a timestamp service, which marks data with a time so as to prove the point in time at which the data existed.

Of course, the type of cryptographic service depends on the specific data security requirements; the above examples are for illustration only.

As an example, the data to be processed by a cryptographic application system (such as a cryptographic application program) may be the business data of that system, and the business data may use one or more types of cryptographic service (for example, business data may require both an encryption service and a digital signature service) to meet its data security requirements. The types and number of cryptographic services used for the data to be processed (such as business data) can be configured according to actual conditions and are not limited by the embodiments of the present application.

Taking data encryption and decryption in the telecommunications industry as an example, the cryptographic application system can be a communications application (for example a communications client program) that requires encryption of communication data, and the cryptographic service can be an encryption service; the communications application can then use the encryption service to encrypt its communication data, for example by having the encryption service perform encryption operations on the communication data with a key, so that the communication data is transmitted encrypted.

Taking digital signatures and verification in the financial industry as an example, the cryptographic application system can be a financial application that needs the authenticity of financial data to be verifiable, and the cryptographic service can be a digital signature service; the financial application can then use the digital signature service to sign financial data, for example by having the digital signature service use a private key to generate a digital signature over the financial data, so that a verifier of the financial data can confirm its authenticity through the digital signature.

It can be seen that the cryptographic application system is the consumer (that is, the user) of the cryptographic service, and that the cryptographic service handles sensitive information such as the keys used for cryptographic operations, so the security of the cryptographic service itself needs to be guaranteed. For this reason, the cryptographic service can run in a secure computing environment separated from the general-purpose computing environment of the cryptographic application system, ensuring that the cryptographic service is not exposed to the various potential security threats present in the general-purpose computing environment.

示例的,图2示出了一种密码服务和密码应用的分布示例图,如图2所示,密码应用系统运行于业务主机210中,业务主机可以视为是运行密码应用系统(比如密码应用程序)的物理主机,物理主机例如物理服务器、终端等计算机,并且业务主机处于通用计算环境中。通用计算环境可以视为是具有广泛的用户访问权限和标准的网络连接功能的计算系统环境。For example, FIG2 shows a distribution diagram of a cryptographic service and cryptographic application. As shown in FIG2, the cryptographic application system runs in a business host 210. The business host can be regarded as a physical host running the cryptographic application system (such as a cryptographic application program), such as a physical server, a terminal, and other computers, and the business host is in a general computing environment. The general computing environment can be regarded as a computing system environment with a wide range of user access rights and standard network connection functions.

为与密码应用系统的通用计算环境进行分离,密码服务可以运行于专用的密码主机220中,密码主机可以视为是运行密码服务的物理主机,物理主机例如物理服务器等计算机,并且密码主机处于安全计算环境。安全计算环境是专门设计和管理的用于处理敏感数据或执行机密任务的计算系统环境,安全计算环境具有严格的访问控制、安全措施和可能的物理或逻辑隔离机制,以最大限度地减少安全威胁。To separate the cryptographic service from the general computing environment of the cryptographic application system, the cryptographic service can be run in a dedicated cryptographic host 220, which can be regarded as a physical host running the cryptographic service, such as a physical server or other computer, and the cryptographic host is in a secure computing environment. A secure computing environment is a computing system environment specially designed and managed for processing sensitive data or performing confidential tasks, and has strict access control, security measures, and possible physical or logical isolation mechanisms to minimize security threats.

在图2所示中,密码主机与通用计算环境存在物理隔离,比如密码主机与业务主机不处于同一台物理设备和同一个物理网络中,从而针对通用计算环境的攻击并不会直接影响到密码主机。As shown in FIG2 , the cryptographic host is physically isolated from the general computing environment. For example, the cryptographic host and the business host are not in the same physical device or the same physical network, so attacks against the general computing environment will not directly affect the cryptographic host.

进一步的,为实现密码主机与业务主机之间的交互,密码主机与业务主机可以通过网络进行安全访问,以便密码应用系统可以使用密码服务。比如,通过安全通信协议和网络桥接设备,实现密码主机与业务主机之间可以通过网络进行安全访问。此处所指的网络可以例如互联网或者VPN(Virtual Private Network,虚拟私人网络)网络等通信网络。Furthermore, to achieve interaction between the cryptographic host and the service host, the cryptographic host and the service host can be securely accessed through a network so that the cryptographic application system can use the cryptographic service. For example, through a secure communication protocol and a network bridging device, secure access can be achieved between the cryptographic host and the service host through a network. The network referred to here can be, for example, a communication network such as the Internet or a VPN (Virtual Private Network) network.

进一步结合图2所示,密码主机分为硬件部分和软件部分,硬件部分主要包括CPU(Central Processing Unit,中央处理器)、网卡、以及密码模块;软件部分主要包括密码服务和操作系统。As shown in FIG. 2 , the cryptographic host is divided into a hardware part and a software part. The hardware part mainly includes a CPU (Central Processing Unit), a network card, and a cryptographic module; the software part mainly includes a cryptographic service and an operating system.

硬件部分的密码模块主要用于配合软件部分的密码服务实现密码运算;密码模块作为密码主机提供密码服务的核心器件,密码模块需要具有较高的安全级别,比如密码模块需要通过安全资质认证,以确保密码模块本身的安全性和可靠性。The cryptographic module of the hardware part is mainly used to cooperate with the cryptographic service of the software part to realize cryptographic operations; as the core component of the cryptographic host to provide cryptographic services, the cryptographic module needs to have a high security level. For example, the cryptographic module needs to pass security qualification certification to ensure the security and reliability of the cryptographic module itself.

硬件部分的CPU主要用于运行和解释程序指令,比如软件部分的密码服务和操作系统可以基于CPU运行。硬件部分的网卡主要用于网络通信,网卡可设置有网络接口,从而密码主机可以通过网卡的网络接口与网络进行通信。进一步的,网卡可以配置防火墙和流量监控系统,以监控所有进出的网络流量,并且经过验证和授权的网络通信可以通过网络接口传入密码主机。The CPU of the hardware part is mainly used to run and interpret program instructions. For example, the cryptographic service and operating system of the software part can run based on the CPU. The network card of the hardware part is mainly used for network communication. The network card can be provided with a network interface, so that the cryptographic host can communicate with the network through the network interface of the network card. Furthermore, the network card can be configured with a firewall and a traffic monitoring system to monitor all inbound and outbound network traffic, and the verified and authorized network communication can be transmitted to the cryptographic host through the network interface.

软件部分的密码服务主要是密码服务程序,涉及实现各类密码服务(一类或多类密码服务)的软件套件。基于密码主机的安全计算环境,密码主机的软件安装及配置需要具有严格的权限控制,比如通过授权的软件才可被安装和配置;另外,密码主机安装的软件需要经过严格验证,比如密码主机安全的操作系统和应用程序需要经过验证才可被安装,以确保密码主机中的软件没有安全漏洞或恶意代码。The cryptographic services in the software part are mainly cryptographic service programs, involving software suites that implement various cryptographic services (one or more types of cryptographic services). Based on the secure computing environment of the cryptographic host, the software installation and configuration of the cryptographic host need to have strict permission control, such as only authorized software can be installed and configured; in addition, the software installed on the cryptographic host needs to be strictly verified, such as the secure operating system and application of the cryptographic host need to be verified before they can be installed, to ensure that the software in the cryptographic host has no security vulnerabilities or malicious code.

The arrangement in Figure 2 physically isolates the cryptographic host from the general computing environment in which the business host sits, so that the two are neither on the same physical device nor on the same physical network. This reduces the exposure of the cryptographic service running on the cryptographic host to the various potential security threats in the general computing environment and thereby protects the cryptographic service itself. However, the performance of the cryptographic service in this arrangement leaves room for improvement, in the following respects:

Network bandwidth consumption degrades the performance of the cryptographic service. Specifically, the cryptographic application system must reach the cryptographic service over the network, which lengthens the service's response time and lowers its performance. Furthermore, network latency and network instability can both delay communication between the cryptographic application system and the cryptographic service, again lowering performance. In addition, when the cryptographic application system's demand for the cryptographic service is high, it may consume a large amount of network bandwidth and affect the traffic of other services on the network.

A dedicated cryptographic host must be set up, which makes providing cryptographic services expensive. Specifically, a cryptographic host has to be deployed specially to run the cryptographic service, which raises equipment procurement and maintenance costs and hinders the adoption and spread of cryptographic services.

On this basis, the embodiments of the present application provide an improved technical solution to enhance the performance of cryptographic services.

As an optional implementation, Figure 3 shows an example of a host provided by an embodiment of the present application. As shown in Figure 3, the host can use virtualization technology to create multiple virtual machines; for example, the host's processor (such as a CPU) can run virtualization software to create them. The multiple virtual machines may include at least one virtual cryptographic machine (Virtual Cryptographic Machine) 310 and at least one virtual business machine 320.

Here, the virtual cryptographic machine 310 is a virtual machine in the host that runs the cryptographic service and performs a function similar to that of the cryptographic host. There may be one or more virtual cryptographic machines, and their number can be configured according to actual conditions (for example, they can be created dynamically as needed); the embodiments of the present application impose no limit. The virtual business machine 320 is a virtual machine in the host that runs the cryptographic application system and performs a function similar to that of the business host. There may be one or more virtual business machines, and their number can likewise be configured according to actual conditions; the embodiments of the present application impose no limit.

It should be noted that, because a virtual machine is implemented by emulating a computer system, a virtual machine can install and run an operating system and program software. Accordingly, the virtual cryptographic machine can have its own operating system and program software, and its program software can include a cryptographic service program, such as a software suite implementing one or more types of cryptographic service. Likewise, the virtual business machine can have its own operating system and program software, and its program software can include a cryptographic application program. For example, the cryptographic application program may be a business processing program: during business processing on the virtual business machine, the business data has data security requirements, so the cryptographic application program on the virtual business machine needs to call the cryptographic service of the virtual cryptographic machine to perform cryptographic operations.

In an optional implementation, because the virtual cryptographic machine and the virtual business machine reside on the same host, the virtual cryptographic machine can be a secure virtual machine protected by a security protection mechanism, so that the cryptographic service it runs is protected by executing in a trusted execution environment (Trusted Execution Environment, TEE); a trusted execution environment can be regarded as a kind of secure computing environment. In other words, the secure virtual machine can be regarded as a trusted execution environment, so running the cryptographic service inside the secure virtual machine (in which case the secure virtual machine running the cryptographic service can be regarded as the virtual cryptographic machine) keeps the cryptographic service secure and trustworthy.

As an optional implementation, the embodiments of the present application can use secure virtualization technology to implement secure virtual machines on the host, and obtain one or more virtual cryptographic machines by running the cryptographic service on one or more secure virtual machines. It should be noted that secure virtualization technology is virtualization technology that protects the memory space of a virtual machine. For example, secure virtualization technology uses a dedicated security device (such as a security processor) to assign virtual machine keys to some or all virtual machines, with each virtual machine receiving a different key. For a virtual machine that has been assigned a virtual machine key, the virtual machine's memory space can be protected by encryption under that key (for example, data the virtual machine writes to its allocated memory space is encrypted with the virtual machine key), the memory spaces of different virtual machines are encrypted with different virtual machine keys, and even the virtual machine manager cannot access the virtual machine keys.

Thus, under secure virtualization technology, the secure virtual machine can be an encrypted virtual machine (one example of a secure virtual machine) whose memory space is encrypted with a virtual machine key; accordingly, the memory space of the encrypted virtual machine can be regarded as encrypted memory space. Running the cryptographic service on one or more encrypted virtual machines (one example of secure virtual machines) then yields one or more virtual cryptographic machines.

It should be noted that, through memory space encryption and isolation of the virtual machine key, an encrypted virtual machine provides an isolated execution environment and is therefore regarded as a trusted execution environment. In other words, by giving the encrypted virtual machine an independent virtual machine key and encrypting its allocated memory space, secure virtualization technology creates for it a secure execution environment isolated from the outside, which is regarded as a trusted execution environment. Implementing the virtual cryptographic machine as an encrypted virtual machine (one example of a secure virtual machine) therefore lets the cryptographic service run in a trusted execution environment.

By contrast, the virtual business machine may be an ordinary virtual machine without a security protection mechanism. Taking secure virtualization technology as an example, an ordinary virtual machine may be one that has no virtual machine key: its memory space is not encrypted with a virtual machine key, and data in its memory space is stored in plaintext. Running the cryptographic application system (for example, a cryptographic application program) on one or more ordinary virtual machines thus yields one or more virtual business machines.

Because the virtual business machine is implemented as an ordinary virtual machine without a security protection mechanism, it can be regarded as a general computing environment. That is, in the embodiments of the present application, the host internally separates the secure computing environment of the virtual cryptographic machine (such as a trusted execution environment) from the general computing environment of the virtual business machine, thereby meeting both the security and trust requirements of the cryptographic service (which runs on the virtual cryptographic machine) and the general computing requirements of the cryptographic application system (which runs on the virtual business machine). In a further optional implementation, the host provided by the embodiments of the present application (running the virtual cryptographic machine and the virtual business machine) may itself sit in a general computing environment; such a host can use a virtual machine security protection mechanism such as secure virtualization to implement a secure virtual machine in a secure computing environment (such as a trusted execution environment), and by running the cryptographic service on that secure virtual machine as the virtual cryptographic machine, it carves out of the general computing environment a secure computing environment suited to the cryptographic service.

It should be noted that secure virtualization technology is only one optional way of providing a security protection mechanism for virtual machines (that is, only one optional way of implementing a secure virtual machine with a trusted execution environment). The embodiments of the present application may also use other security protection mechanisms to implement the secure virtual machine and are not limited to the virtual machine memory encryption mechanism of secure virtualization technology. For example, physical and logical isolation of the secure virtual machine's memory space can make that memory space accessible only to the secure virtual machine and inaccessible to ordinary virtual machines, implementing the security protection mechanism of the secure virtual machine through data isolation of its memory space.

In a further optional implementation, in view of the security requirements of the virtual cryptographic machine, the embodiments of the present application need to ensure that the software programs the virtual cryptographic machine runs are secure and reliable. For example, the virtual cryptographic machine can use secure boot to ensure that the software it runs is secure, reliable and untampered. For the virtual cryptographic machine, secure boot is a startup security mechanism that verifies the integrity and trustworthiness of the software loaded during the virtual cryptographic machine's startup, thereby ensuring that, from power-on until the operating system is fully loaded, the software the virtual cryptographic machine loads is untampered and verified.

In an optional implementation, the embodiments of the present application can implement communication between the virtual business machine and the virtual cryptographic machine through a virtual machine communication mechanism. For example, with reference to Figure 3, the embodiments of the present application can implement this communication through a virtual network inside the host. The virtual network may be a network inside the host that allows the virtual machines to communicate; for example, the virtual machines inside the host can be connected through a virtual switch, which carries the communication between them.

In other possible implementations, the virtual business machine and the virtual cryptographic machine may also communicate through a shared memory space. For example, data sent from the virtual business machine to the virtual cryptographic machine may first be placed in the shared memory space and then fetched from it by the virtual cryptographic machine; data sent by the virtual cryptographic machine may likewise first be placed in the shared memory space and then fetched from it by the virtual business machine.

It should be noted that the embodiments of the present application do not limit how the communication mechanism between the virtual business machine and the virtual cryptographic machine is implemented; the virtual network, shared memory space and other possible communication mechanisms described above are only examples.

It should further be noted that, when the virtual cryptographic machine is implemented as an encrypted virtual machine, the data it stores in its encrypted memory space is ciphertext encrypted with the virtual machine key. As an example, when data to be processed for the cryptographic application system is encrypted using the cryptographic service, the virtual cryptographic machine encrypts that data with the key of the cryptographic service. If the resulting encrypted data is to be stored in the virtual cryptographic machine's encrypted memory space, it is additionally encrypted with the virtual cryptographic machine's virtual machine key before being stored there. Conversely, when the virtual cryptographic machine reads data from its encrypted memory space to send to the virtual business machine, the embodiments of the present application use the virtual cryptographic machine's virtual machine key to decrypt the data from the encrypted memory space, obtaining the data encrypted with the cryptographic service's key (that is, the result of encrypting the data to be processed with the cryptographic service), which is then sent to the virtual business machine.

It can be seen that, when the virtual cryptographic machine is implemented as an encrypted virtual machine, the key of the cryptographic service running on the virtual cryptographic machine is used for cryptographic operations on the cryptographic application system's data, such as encrypting it, whereas the virtual cryptographic machine's virtual machine key encrypts the data the virtual cryptographic machine stores in its encrypted memory space and decrypts the data it reads from that space. In other words, the key of the cryptographic service running on the virtual cryptographic machine and the virtual machine key of the virtual cryptographic machine operate on different objects.

Continuing with Figure 3, in addition to the multiple virtual machines, the host also includes a cryptographic module (Crypto Module, CM) 330. The cryptographic module may be a hardware unit inside the host that works with the cryptographic service to perform cryptographic operations. In a possible implementation, the cryptographic module may be, for example, a cryptographic coprocessor. A cryptographic coprocessor is a dedicated hardware device designed to perform cryptographic operations such as encryption, decryption and generation of digital signatures, improving the security and efficiency of cryptographic operations on data; for example, the cryptographic coprocessor may take the form of a physical chip built into the host.

In the embodiments of the present application, at least one virtual cryptographic module (Virtualized Crypto Module, VCM) 331 can be implemented inside the cryptographic module, and the virtual cryptographic module 331 can be used for key management and for performing cryptographic operations. Key management performed by the virtual cryptographic module includes, for example, key generation, key import, key storage, and export of ciphertext and keys; cryptographic operations performed by the virtual cryptographic module include, for example, encryption, decryption, generation and verification of digital signatures, and generation of timestamps.

It should be noted that the virtual cryptographic module can perform at least one type of cryptographic operation (one type or multiple types); the types of cryptographic operation are as described in the corresponding part above and are not repeated here. The form of the keys managed by the virtual cryptographic module can correspond to the types of cryptographic operation those keys support, including but not limited to keys for encryption and decryption, and private and public keys for digital signing and verification.

As an optional implementation, the number of virtual cryptographic modules implemented inside the cryptographic module can correspond to the number of virtual cryptographic machines, so that one virtual cryptographic module is assigned to one virtual cryptographic machine, that is, each virtual cryptographic machine corresponds to one virtual cryptographic module. The virtual cryptographic module can then provide key management and cryptographic operation support to the cryptographic service of its corresponding virtual cryptographic machine.

In an optional implementation, the virtual cryptographic module can be regarded as a logical unit created by virtualization inside the cryptographic module; for example, virtual cryptographic modules can be created inside the cryptographic module in a software-defined manner, with each virtual cryptographic module able to perform key management and cryptographic operations independently. A virtual cryptographic module created inside the cryptographic module can use the cryptographic module's hardware resources to implement its functions.

It can be seen that the host provided by the embodiments of the present application may include multiple virtual machines and a cryptographic module. The multiple virtual machines include at least one virtual cryptographic machine and at least one virtual business machine, where the virtual cryptographic machine runs the cryptographic service, the virtual business machine runs the cryptographic application system, and the cryptographic application system uses the cryptographic service to perform cryptographic operations on its data to be processed. The virtual cryptographic machine is a secure virtual machine protected by a security protection mechanism, so that the cryptographic service runs in a trusted execution environment; the virtual business machine is an ordinary virtual machine, so that the cryptographic application system runs in a general computing environment. The cryptographic module includes a number of virtual cryptographic modules corresponding to the at least one virtual cryptographic machine, with one virtual cryptographic module corresponding to one virtual cryptographic machine, so that each virtual cryptographic module can provide key management and cryptographic operation support to the cryptographic service running on its corresponding virtual cryptographic machine.

The embodiments of the present application can implement multiple virtual machines on the same host through virtualization technology. Among them, a secure virtual machine protected by a security protection mechanism can serve as a virtual cryptographic machine, so that the host implements at least one virtual cryptographic machine whose cryptographic service runs in a trusted execution environment; an ordinary virtual machine without a security protection mechanism can serve as a virtual business machine, so that the host implements at least one virtual business machine whose cryptographic application system runs in a general computing environment. This arrangement meets the computing environment requirements of both the cryptographic service and the cryptographic application system, and lets the two communicate through the virtual machine communication mechanism inside the host. It thereby avoids the network bandwidth that network communication between the cryptographic application system and the cryptographic service would consume, makes the cryptographic service respond to the cryptographic application system more promptly, and improves the performance of the cryptographic service. In other words, the cryptographic application system can access the cryptographic service within the same host, without network communication, which improves the performance of the cryptographic service.

At the same time, a cryptographic module can be implemented in the host, and the cryptographic module can include a number of virtual cryptographic modules corresponding to the at least one virtual cryptographic machine, with one virtual cryptographic module corresponding to one virtual cryptographic machine, so that each virtual cryptographic module provides key management and cryptographic operation support to the cryptographic service running on its corresponding virtual cryptographic machine. In other words, the virtual cryptographic machine implemented as a secure virtual machine and its corresponding virtual cryptographic module together provide a secure, trustworthy cryptographic service, ensuring the security and trustworthiness of the cryptographic service.

Therefore, the solution provided by the embodiments of the present application makes the cryptographic service respond to the cryptographic application system more promptly and improves the performance of the cryptographic service while ensuring its security and trustworthiness. Moreover, because the cryptographic service and the cryptographic application system reside on the same host, no dedicated physical host needs to be set up for the cryptographic service, which lowers the cost of the cryptographic service and favours its adoption and spread.

In a further optional implementation, viewed at the hardware level of the host, the virtual machines are mainly implemented by a processor (such as a CPU) running virtualization software, so at the hardware level the host mainly includes a processor and a cryptographic module. The processor can run multiple virtual machines, which can include the at least one virtual cryptographic machine and at least one virtual business machine described above.

As an optional implementation, since one virtual cryptographic module is assigned to one virtual cryptographic machine (that is, one virtual cryptographic module corresponds to one virtual cryptographic machine) and provides key management and cryptographic operation support to the virtual cryptographic machine assigned to it, the virtual cryptographic modules inside the cryptographic module can be isolated from one another in order to further protect the keys of the cryptographic service run by each virtual cryptographic machine, ensuring that the cryptographic service keys stored in one virtual cryptographic module cannot be accessed by any other virtual cryptographic module.

In an optional implementation, the embodiments of the present application can deploy an independent virtual environment inside the cryptographic module for each virtual cryptographic module created there, achieving mutual isolation between the virtual cryptographic modules. In another optional implementation, the embodiments of the present application can also configure an independent key storage area inside the cryptographic module for each virtual cryptographic module, and through physical and/or logical isolation of that key storage area ensure that it can be accessed only by the virtual cryptographic module it is configured for and not by any other virtual cryptographic module.

In an optional implementation, the virtual cryptographic machine can access its corresponding virtual cryptographic module through a communication channel in order to use the module's key management and cryptographic operation functions. For example, there may be multiple communication channels between the multiple virtual cryptographic machines and the multiple virtual cryptographic modules, each channel serving the communication between one virtual cryptographic machine and its corresponding virtual cryptographic module. The communication channel between a virtual cryptographic machine and a virtual cryptographic module may be a logically implemented channel; for example, multiple communication channels may share the same hardware resources while being isolated from one another logically.

在可选实现中,为保障虚拟密码机与对应的虚拟密码模块之间的通信安全,虚拟密码模块可以通过采用安全通信机制的通信信道,访问对应的虚拟密码模块,采用安全通信机制的通信信道可以视为是安全通信信道。安全通信信道采用的安全通信机制例如数据加密保护机制等,以数据加密保护机制为例,通信信道传输的数据可以使用通信信道的密钥进行加解密(不同通信信道可以具有不同密钥),从而虚拟密码机与对应的虚拟密码模块通过通信信道传输的数据,可以通过通信信道的密钥进行加密。In an optional implementation, in order to ensure the communication security between the virtual cryptographic machine and the corresponding virtual cryptographic module, the virtual cryptographic module can access the corresponding virtual cryptographic module through a communication channel using a secure communication mechanism, and the communication channel using a secure communication mechanism can be regarded as a secure communication channel. The secure communication mechanism used by the secure communication channel is, for example, a data encryption protection mechanism, etc. Taking the data encryption protection mechanism as an example, the data transmitted through the communication channel can be encrypted and decrypted using the key of the communication channel (different communication channels can have different keys), so that the data transmitted through the communication channel between the virtual cryptographic machine and the corresponding virtual cryptographic module can be encrypted using the key of the communication channel.

在进一步的可选实现中,通信信道的安全通信机制还可以例如数据完整性保护机制、通信双方的身份验证机制等。示例的,数据完整性保护机制可以例如基于HMAC(Hash-Based Message Authentication Code,基于散列的消息认证码)等消息认证码的数据完整性效验机制,以确保数据在通信信道的传输过程中未被篡改。示例的,通信双方的身份验证机制例如验证通信信道的数据接收方和数据发送方是否是相对应的虚拟密码机与虚拟密码模块,以保障虚拟密码模块不会响应其他虚拟密码机(非虚拟密码模块对应的虚拟密码机)的访问。当然,通信信道的安全通信机制还可以具有其他可能的实现机制,并不限于上述示例描述。In further optional implementations, the secure communication mechanism of the communication channel may also include, for example, a data integrity protection mechanism, an identity verification mechanism for both communicating parties, and the like. For example, the data integrity protection mechanism may be, for example, a data integrity verification mechanism based on a message authentication code such as HMAC (Hash-Based Message Authentication Code) to ensure that the data has not been tampered with during the transmission process of the communication channel. For example, the identity verification mechanism for both communicating parties may verify whether the data receiver and the data sender of the communication channel are the corresponding virtual cryptographic machine and virtual cryptographic module to ensure that the virtual cryptographic module will not respond to access by other virtual cryptographic machines (virtual cryptographic machines corresponding to non-virtual cryptographic modules). Of course, the secure communication mechanism of the communication channel may also have other possible implementation mechanisms, and is not limited to the above example description.
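The secure channel described in the preceding paragraphs, as an added example in Go that is not part of the patent: one logical channel per machine/module pair, a per-channel AES-256 key derived with HMAC-SHA256 from a secret provisioned for that channel, the channel identifier, both endpoint identities and a sequence number carried as authenticated associated data, and a receiver that rejects frames from any other channel or peer, replayed frames, and tampered data. AES-GCM's authentication tag plays the role of the HMAC integrity check the text describes, and the identity binding is the authentication of both parties. The frame layout, the KDF label, the identifiers (`vcm-1`, `vcmod-1`) and the channel secret are this example's assumptions; only Go's standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is one message on a logical channel. Everything but Ciphertext travels in the
// clear yet is authenticated as GCM associated data, so a frame cannot be redirected
// to another channel or another peer without failing the check.
type Frame struct {
	ChannelID  uint32
	Sender     string
	Receiver   string
	Seq        uint64
	Ciphertext []byte // AES-GCM output with the 16-byte tag appended
}

// Endpoint is one side of a channel: the machine or the module bound to it.
type Endpoint struct {
	ChannelID uint32
	Self      string
	Peer      string
	aead      cipher.AEAD
	sendSeq   uint64
	recvSeq   uint64
}

// channelKey derives the per-channel AES-256 key from the secret the host management
// program provisioned for that channel (assumed); HMAC-SHA256 serves as the KDF.
func channelKey(secret []byte, channelID uint32) []byte {
	kdf := hmac.New(sha256.New, secret)
	kdf.Write([]byte("vcm-channel-key"))
	binary.Write(kdf, binary.BigEndian, channelID)
	return kdf.Sum(nil)
}

func NewEndpoint(channelID uint32, self, peer string, secret []byte) *Endpoint {
	block, _ := aes.NewCipher(channelKey(secret, channelID)) // derived key is always 32 bytes
	aead, _ := cipher.NewGCM(block)                            // cannot fail for an AES block
	return &Endpoint{ChannelID: channelID, Self: self, Peer: peer, aead: aead}
}

// header is the associated data: channel, both identities and the sequence number.
func header(f Frame) []byte {
	return []byte(fmt.Sprintf("%d|%s|%s|%d", f.ChannelID, f.Sender, f.Receiver, f.Seq))
}

// nonce never repeats under one key: the sender hash separates the two directions,
// the sequence number separates frames within one direction.
func nonce(sender string, seq uint64) []byte {
	n := make([]byte, 12)
	h := sha256.Sum256([]byte(sender))
	copy(n, h[:4])
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal encrypts a request or result for the peer and advances the send counter.
func (e *Endpoint) Seal(plaintext []byte) Frame {
	f := Frame{ChannelID: e.ChannelID, Sender: e.Self, Receiver: e.Peer, Seq: e.sendSeq}
	f.Ciphertext = e.aead.Seal(nil, nonce(f.Sender, f.Seq), plaintext, header(f))
	e.sendSeq++
	return f
}

// Open accepts a frame only from this channel's bound pair, in order, and intact.
func (e *Endpoint) Open(f Frame) ([]byte, error) {
	switch {
	case f.ChannelID != e.ChannelID:
		return nil, errors.New("frame belongs to another channel")
	case f.Sender != e.Peer || f.Receiver != e.Self:
		return nil, errors.New("sender/receiver are not this channel's bound pair")
	case f.Seq != e.recvSeq:
		return nil, errors.New("replayed or out-of-order frame")
	}
	pt, err := e.aead.Open(nil, nonce(f.Sender, f.Seq), f.Ciphertext, header(f))
	if err != nil {
		return nil, errors.New("integrity check failed")
	}
	e.recvSeq++
	return pt, nil
}

func main() {
	secret := []byte("constructed channel secret, provisioned by the hypervisor")
	vcm, mod := NewEndpoint(1, "vcm-1", "vcmod-1", secret), NewEndpoint(1, "vcmod-1", "vcm-1", secret)
	pt, err := mod.Open(vcm.Seal([]byte("encrypt: order#42")))
	fmt.Printf("bound machine: %q, err=%v\n", pt, err)
	_, err = mod.Open(NewEndpoint(2, "vcm-2", "vcmod-2", secret).Seal([]byte("encrypt: order#42")))
	fmt.Println("other machine:", err)
}
```

The receiver checks the cheap header fields before the tag, but a rewritten header still fails because the header is part of the authenticated data; a rejected frame does not advance the receive counter, so the genuine next frame is still accepted. Strict in-order delivery is assumed; a production channel would use a receive window or tear the channel down on a sequence gap.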

Based on the host architecture provided by the embodiments of the present application, the embodiments can provide a cryptographic service management method that manages the life cycle of the virtual cryptographic modules and virtual cryptographic machines and, further, protects the data that the cryptographic application system submits for processing.

It should be noted that the steps performed by each device or module in the method described below, together with the optional implementations of those steps, can be regarded as the corresponding functions of that device or module; the functional description of each device or module in the host architecture of the embodiments and the method described below can therefore be read with reference to each other.

As an optional implementation, FIG. 4 shows an optional flow chart of the cryptographic service management method provided by an embodiment of the present application. Referring to FIG. 4, the method may include the following steps.

In step S410, the host management program sends a virtual cryptographic module creation command to the cryptographic module.

The host management program may be the host's virtualization management program (hypervisor), for example a virtual machine manager (VMM). The host management program (for example, the virtual machine manager) may run on the processor.

As an optional implementation, before, while, or after a virtual cryptographic machine is started, the host management program may send a virtual cryptographic module creation command to the cryptographic module instructing it to create a virtual cryptographic module. Optionally, the host management program sends one creation command per virtual cryptographic machine, so that every virtual cryptographic machine has a correspondingly created virtual cryptographic module.

In step S411, the cryptographic module creates a virtual cryptographic module.

In its initial state the cryptographic module contains no virtual cryptographic module (its internal initial state is empty). Each creation command received from the host management program causes the cryptographic module to create a virtual cryptographic module internally; as the number of creation commands grows (that is, as the number of virtual cryptographic machines the host needs to start grows), the number of virtual cryptographic modules inside the cryptographic module grows with it, so that one virtual cryptographic module is created for each virtual cryptographic machine.

After receiving the creation command sent by the host management program, the cryptographic module responds by creating one virtual cryptographic module internally. In an optional implementation, the cryptographic module creates the virtual cryptographic module by internal virtualization and configures hardware resources for it (storage resources such as a key storage area, computing resources for cryptographic operations, and so on).

As an example, the cryptographic module may create a logical partition corresponding to the virtual cryptographic module and configure hardware resources such as computing resources and a key storage area for that partition, so that the virtual cryptographic module can perform key management and cryptographic operation tasks independently.

In an optional implementation, so that different virtual cryptographic modules are isolated from one another, the cryptographic module may deploy an independent virtual environment for each virtual cryptographic module it creates, giving it an isolated, secure operating space. For example, each virtual cryptographic module may be configured with its own logical partition, different modules having different partitions; as another example, a virtual cryptographic module may be given a sandbox environment in which it performs key management and cryptographic operations safely. That is, in a possible implementation, the cryptographic module creates virtual cryptographic modules through logical isolation and resource management, with different virtual cryptographic modules isolated from one another.

As an optional implementation, after the cryptographic module has created a virtual cryptographic module, if the virtual cryptographic machine to which it is to be assigned has already started, the host management program may assign the virtual cryptographic module to that machine, establishing the correspondence between the two. Optionally, after creating the virtual cryptographic module the cryptographic module returns a creation-complete response to the host management program so that the latter can perform the assignment and binding; this response, in addition to notifying that the module has been created, may carry information about the created module, such as its identification information.

Further, the host management program may configure the communication channel between the virtual cryptographic module and the virtual cryptographic machine into a connected state, for example by allocating a communication channel to the virtual cryptographic machine and its corresponding virtual cryptographic module and configuring that channel as connected, so that the two can communicate through it.

As an optional implementation, after the cryptographic module has created a virtual cryptographic module, if the virtual cryptographic machine to which it is to be assigned has not yet started, the host management program may assign the module to the machine after the machine starts, thereby establishing their correspondence. The following flow takes the case in which the virtual cryptographic module is created before the virtual cryptographic machine starts as its example.

In step S412, the host management program starts the virtual cryptographic machine.

In an optional implementation, the host management program starts the virtual cryptographic machine through a virtual cryptographic machine start-up flow. This flow can be regarded as the sequence of stages from allocating the machine's hardware resources to loading its operating system, including but not limited to allocating hardware resources (processor resources, memory resources, and so on) to the virtual cryptographic machine, loading its configuration file, and loading its operating system and applications. Because the virtual cryptographic machine is a secure virtual machine that employs a security protection mechanism, that mechanism can also be configured during start-up; for example, with secure virtualization technology, the host management program may notify the host's dedicated security device (such as a security processor) to allocate a virtual machine key to the virtual cryptographic machine.

Further, to secure the start-up of the virtual cryptographic machine, the embodiments may start its software environment by secure boot, ensuring that the software loaded during start-up is trusted. The embodiments may additionally use disk encryption to protect the confidentiality of the virtual cryptographic machine's disk image, so that its data cannot be stolen from outside: the disk image contains the machine's operating system, applications and other sensitive data, and encrypting it guarantees that the data on disk cannot be read correctly without decryption. Accordingly, when the virtual cryptographic machine starts, its disk image is decrypted in order to load the operating system, applications and other disk data.

In an optional implementation, combining secure boot with disk encryption gives the virtual cryptographic machine comprehensive protection: secure boot secures the start-up flow and prevents the execution of malicious code, while disk encryption protects the machine's data at rest on disk.

After the virtual cryptographic machine has started, the host management program may assign the virtual cryptographic module created by the cryptographic module to the machine, establishing their correspondence, that is, binding the virtual cryptographic machine to the virtual cryptographic module. In other words, when the virtual cryptographic module is created before the virtual cryptographic machine starts, the host management program first sends the creation command to the cryptographic module before the machine starts, and once the machine has started, the module created in response to that command is assigned to it.

As an optional implementation example, after the cryptographic module has responded to the host management program's creation command and created the virtual cryptographic module, it may return the identification information of the created module to the host management program, which records the identification information of the module created for that command. After starting the virtual cryptographic machine, the host management program establishes the correspondence between the identification information of the machine and that of the module and returns this correspondence to the started machine, so that the machine knows which virtual cryptographic module has been assigned to it; the machine and the module are thereby bound. Further, the host management program connects the communication channel between the virtual cryptographic machine and its corresponding virtual cryptographic module, so that the machine can communicate with the module over that channel.

It should be noted that creating the virtual cryptographic module before the virtual cryptographic machine starts is only one optional example. The embodiments also support creating the virtual cryptographic module while or after the virtual cryptographic machine starts; since the machine has already started by the time the module is created, the created module can be assigned to the machine directly.

In step S413, the virtual cryptographic machine sends key management information to the virtual cryptographic module so that the module stores the key of the cryptographic service.

In step S414, the virtual cryptographic module responds to the key management information and stores the key of the cryptographic service.

Once the communication channel between the virtual cryptographic machine and its corresponding virtual cryptographic module is connected, the machine can use the module's key management function to store the key used for the cryptographic service inside the module. In an optional implementation, the virtual cryptographic machine imports the key of the cryptographic service into the virtual cryptographic module through the key import function of key management, so that the module stores it. In other optional implementations, the virtual cryptographic machine requests the virtual cryptographic module to generate the key of the cryptographic service through the key generation function of key management, so that the module stores it.

In an optional implementation, the virtual cryptographic machine chooses between the key import function and the key generation function for storing the cryptographic service's key inside the virtual cryptographic module according to whether it holds a key of the cryptographic service that was used previously.

Optionally, the virtual cryptographic machine checks whether a key of the cryptographic service is stored in its file system. If one is, the machine has run before and has used a previously assigned virtual cryptographic module for key management of the cryptographic service; for example, it used the previously assigned module to generate the key of the cryptographic service and stored the generated key in its file system (for instance, before the machine was previously shut down, the key generated by the previously assigned module was saved to the machine's file system). The virtual cryptographic machine can then read the key of the cryptographic service from its file system and import it into the virtual cryptographic module; in this case the key management information sent to the module is key import information carrying the key of the cryptographic service.

In a further optional implementation, to keep the key of the cryptographic service secure, it may be encrypted with a preset built-in key of the virtual cryptographic module when it is stored. That is, the built-in key of the virtual cryptographic module is a key for encrypting and decrypting the key of the cryptographic service, used to protect that key while it is stored in the virtual cryptographic machine's file system. For example, the built-in key may be preset, and multiple virtual cryptographic modules may share the same built-in key.

Accordingly, the virtual cryptographic machine may import into the virtual cryptographic module the key of the cryptographic service encrypted with the preset built-in key; in this case the key management information sent to the module is key import information carrying the encrypted key of the cryptographic service. In response to the key import information, the virtual cryptographic module decrypts the imported, encrypted key with the preset built-in key, obtains the key of the cryptographic service in the clear, and stores it internally, for example in its key storage area.

In an optional implementation, if no key of the cryptographic service is stored in the virtual cryptographic machine's file system, the machine may request the virtual cryptographic module to generate one; in this case the key management information sent to the module is a key generation request asking the module to generate the key of the cryptographic service. Optionally, the virtual cryptographic module generates the key with a key generation algorithm, for example from random numbers. The key of the cryptographic service may be a symmetric key, such as a randomly generated bit string of fixed length, or an asymmetric key, such as a key pair consisting of the cryptographic service's private key and public key.

In other possible implementations, the embodiments may also support having the virtual cryptographic machine request the virtual cryptographic module to generate the key of the cryptographic service every time the machine starts and establishes its correspondence with the module, so that the module stores a freshly generated key.

In other possible implementations, the embodiments may also support updating the key of the cryptographic service, for example periodically or under the control of an administrator. For example, when the key has been in use for a preset length of time, the virtual cryptographic machine may request the virtual cryptographic module to regenerate the key of the cryptographic service, thereby updating it.
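Steps S410 to S414 and the import-or-generate decision above, as an added example in Go that is not the patent's code: a cryptographic module that starts empty and creates partitions on command, each with its own key storage area; a machine that, once the host management program has bound a partition to it, imports the previously persisted key if its file system holds one and otherwise has the partition generate one; and the persisted form, the service key wrapped with AES-256-GCM under the built-in key and bound to its label. The type names, the wrapping format (12-byte nonce, ciphertext, tag), the label and the use of a single built-in key for all partitions, which the text allows, are assumptions; only Go's standard library is used. One consequence of the uniform built-in key is visible in the code: the wrapped blob is bound to its label but not to any particular partition, so any partition of the same cryptographic module can unwrap it, which is exactly what lets the machine import its key into a freshly created partition after a restart, and also why the blob must not be unwrappable by a module with a different built-in key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// wrapAEAD is AES-256-GCM under the cryptographic module's built-in wrapping key.
func wrapAEAD(builtin []byte) cipher.AEAD {
	block, err := aes.NewCipher(builtin)
	if err != nil {
		panic(err) // the built-in key is always 32 bytes here
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// VirtualModule is one partition: an isolated key storage area reachable only by its bound machine.
type VirtualModule struct {
	builtin []byte            // built-in wrapping key, uniform across partitions as the text allows
	keys    map[string][]byte // key storage area: label -> cryptographic-service key
}

// CryptoModule is the physical module; it starts empty and creates partitions on command.
type CryptoModule struct {
	builtin []byte
	modules []*VirtualModule
}

// VirtualMachine is the virtual cryptographic machine: a file system and, once bound, one partition.
type VirtualMachine struct {
	fs     map[string][]byte
	module *VirtualModule
}

// Create answers one creation command (S410/S411); the hypervisor assigns the result after S412.
func (c *CryptoModule) Create() *VirtualModule {
	m := &VirtualModule{builtin: c.builtin, keys: map[string][]byte{}}
	c.modules = append(c.modules, m)
	return m
}

// ExportWrapped releases the service key only encrypted under the built-in key, bound to its label.
func (m *VirtualModule) ExportWrapped(label string) []byte {
	nonce := randomBytes(12)
	return append(nonce, wrapAEAD(m.builtin).Seal(nil, nonce, m.keys[label], []byte(label))...)
}

// ImportWrapped handles key-import information: unwrap, then store inside the partition.
func (m *VirtualModule) ImportWrapped(label string, blob []byte) error {
	if len(blob) < 12 {
		return errors.New("malformed wrapped key")
	}
	key, err := wrapAEAD(m.builtin).Open(nil, blob[:12], blob[12:], []byte(label))
	if err != nil {
		return errors.New("wrapped key rejected")
	}
	m.keys[label] = key
	return nil
}

// StartService is S413/S414: import the persisted key if the file system holds one, else generate.
func (vm *VirtualMachine) StartService(label string) error {
	if vm.module == nil {
		return errors.New("no virtual cryptographic module bound")
	}
	if blob, ok := vm.fs[label]; ok {
		return vm.module.ImportWrapped(label, blob)
	}
	vm.module.keys[label] = randomBytes(32) // key-generation request: the key is born in the partition
	return nil
}

// Shutdown persists the wrapped key for the next start, then drops the binding.
func (vm *VirtualMachine) Shutdown(label string) {
	vm.fs[label] = vm.module.ExportWrapped(label)
	vm.module = nil
}

func main() {
	hw := &CryptoModule{builtin: randomBytes(32)}
	vm := &VirtualMachine{fs: map[string][]byte{}}
	vm.module = hw.Create() // hypervisor binds the partition to the started machine
	vm.StartService("svc")  // first start: key generated inside the partition
	first := vm.module.keys["svc"]
	vm.Shutdown("svc")
	vm.module = hw.Create() // restart on a fresh partition
	vm.StartService("svc")  // wrapped key found in the file system: imported
	fmt.Println("same service key after restart:", string(first) == string(vm.module.keys["svc"]))
}
```

The machine's file system only ever holds the wrapped form; the clear key exists in the partition's key store and nowhere else. The label is passed as associated data, so a blob saved under one label cannot be imported under another.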

In step S415, the virtual cryptographic machine starts the cryptographic service.

In step S416, the virtual cryptographic machine runs the cryptographic service.

After the virtual cryptographic module has stored the key of the cryptographic service, the virtual cryptographic machine can start and run the cryptographic service, which the cryptographic application system of a virtual business machine can then call. For example, while the cryptographic service is running, the cryptographic application system of the virtual business machine sends data to be processed to the cryptographic service of the virtual cryptographic machine, which forwards it to its corresponding virtual cryptographic module; the module performs the cryptographic operation on the data with the key of the cryptographic service and returns the result to the virtual cryptographic machine, whose cryptographic service returns the result to the cryptographic application system of the virtual business machine, meeting the data security requirement of the application system for that data.

As an optional implementation, FIG. 5 shows an optional flow chart of the operation of the cryptographic service provided by an embodiment of the present application. Referring to FIG. 5, the flow may include the following steps.

In step S510, the virtual business machine sends a cryptographic application request carrying the data to be processed to the virtual cryptographic machine.

In an optional implementation, when the cryptographic application system of the virtual business machine has a data security requirement for business data (for example encryption, decryption or digital signature), it treats the business data as the data to be processed and sends a cryptographic application request to the cryptographic service of the virtual cryptographic machine, requesting the cryptographic operation that corresponds to that data security requirement.

In step S511, the virtual cryptographic machine sends a cryptographic operation request carrying the data to be processed to the virtual cryptographic module.

After receiving the cryptographic application request from the virtual business machine, the virtual cryptographic machine uses its corresponding virtual cryptographic module to perform the cryptographic operation on the data: it generates a cryptographic operation request for that data and sends it to the module. In an optional implementation, the cryptographic operation request also indicates the type of cryptographic operation (matched to the data security requirement of the data), so that the virtual cryptographic module performs the operation of the corresponding type on the data.

In step S512, the virtual cryptographic module performs the cryptographic operation on the data to be processed with the key of the cryptographic service and obtains the cryptographic operation result.

In step S513, the virtual cryptographic module returns the cryptographic operation result to the virtual cryptographic machine.

After receiving the cryptographic operation request from the virtual cryptographic machine, the virtual cryptographic module performs the cryptographic operation on the data using the key of the cryptographic service stored inside it and returns the result to the virtual cryptographic machine. In an optional implementation, the module uses the operation type that corresponds to the data security requirement of the data together with the key of the cryptographic service, obtaining a result that satisfies that requirement.

The correspondence between types of cryptographic operations, types of cryptographic services and data security requirements is described in the corresponding part above and is not repeated here.

In step S514, the virtual cryptographic machine sends the cryptographic operation result to the virtual business machine.

After obtaining the cryptographic operation result from its corresponding virtual cryptographic module, the virtual cryptographic machine sends the result to the virtual business machine, completing the response to the cryptographic application system's call to the cryptographic service of the virtual cryptographic machine.

In a further optional implementation, the embodiments of the present application also provide a cryptographic service management scheme for the case where the virtual cryptographic machine is shut down. Optionally, FIG. 6 shows another optional flow chart of the cryptographic service management method provided by the embodiments of the present application. Referring to FIG. 6, the method can include the following steps.

In step S610, the host management program sends a virtual machine shutdown instruction to the virtual cryptographic machine.

When the virtual cryptographic machine needs to be shut down, the host management program can send a virtual machine shutdown instruction to the virtual cryptographic machine to make it shut down. In an optional implementation, shutdown of the virtual cryptographic machine can be triggered by an administrator or by an automated script. For example, an administrator can shut down the virtual cryptographic machine through the virtual machine management interface, and the host management program responds to the administrator's shutdown operation by generating a virtual machine shutdown instruction and sending it to the virtual cryptographic machine. As another example, shutdown of the virtual cryptographic machine can be executed automatically according to a specific policy or trigger condition: shutdown conditions for the virtual cryptographic machine can be defined in an automated script, and when a shutdown condition is met, the host management program generates a virtual machine shutdown instruction and sends it to the virtual cryptographic machine.

In step S611, the virtual cryptographic machine sends a key export request to the virtual cryptographic module to request export of the key of the cryptographic service.

In step S612, the virtual cryptographic module sends the exported key of the cryptographic service to the virtual cryptographic machine.

In step S613, the virtual cryptographic module clears the stored key of the cryptographic service.

When the virtual cryptographic machine needs to be shut down (for example, when the virtual cryptographic machine receives a virtual machine shutdown instruction from the host management program, it is deemed to need to shut down), the embodiments of the present application can export the key of the cryptographic service stored in the virtual cryptographic module corresponding to the virtual cryptographic machine and save it to the file system of the virtual cryptographic machine. In an optional implementation, when exporting the key of the cryptographic service in response to the key export request of the virtual cryptographic machine, the virtual cryptographic module can encrypt the key of the cryptographic service using the preset built-in key of the virtual cryptographic module and export the encrypted key; that is, the key of the cryptographic service exported by the virtual cryptographic module is an encrypted key of the cryptographic service, encrypted using the preset built-in key of the virtual cryptographic module. Encrypting the key of the cryptographic service before exporting it protects the key while it is stored in the file system of the virtual cryptographic machine.

Correspondingly, after sending the key export request to the corresponding virtual cryptographic module, the virtual cryptographic machine obtains the key of the cryptographic service exported by that module, which is the encrypted key described above; the virtual cryptographic machine can then save the encrypted key of the cryptographic service exported by the corresponding virtual cryptographic module in its file system, after which the virtual cryptographic machine can exit.

After exporting the key of the cryptographic service, the virtual cryptographic module can clear the key of the cryptographic service stored inside it, so that when the virtual cryptographic module is subsequently destroyed, no key of the cryptographic service of the corresponding virtual cryptographic machine remains inside the cryptographic module, further safeguarding the key of the cryptographic service.

In step S614, the virtual cryptographic machine saves the exported key of the cryptographic service in the file system of the virtual cryptographic machine.

Optionally, the key of the cryptographic service saved in the file system of the virtual cryptographic machine can be an encrypted key of the cryptographic service, encrypted using the preset built-in key of the virtual cryptographic module.

In step S615, the virtual cryptographic machine exits.

After the key of the cryptographic service has been exported from the virtual cryptographic module (encrypted using the built-in key of the virtual cryptographic module) and saved to the file system of the virtual cryptographic machine, the virtual cryptographic machine can exit, completing its shutdown. Exiting can involve stages such as resource reclamation (reclaiming hardware resources of the virtual cryptographic machine, such as processor and memory resources) and state update (setting the state of the virtual cryptographic machine to shut down), thereby terminating operation of the virtual cryptographic machine and completing its shutdown.

In a further optional implementation, after the virtual cryptographic machine is shut down, the communication channel between the virtual cryptographic machine and the corresponding virtual cryptographic module can be disconnected, and is only reconnected once that virtual cryptographic machine (i.e., the one just shut down) is restarted and assigned a corresponding virtual cryptographic module. Disconnecting the communication channel prevents the virtual cryptographic module from being accessed by other virtual cryptographic machines in the interval after the virtual cryptographic machine is shut down and before the virtual cryptographic module is destroyed.

In step S616, the host management program sends a virtual cryptographic module destruction command to the cryptographic module.

In step S617, the cryptographic module destroys the virtual cryptographic module.

After the virtual cryptographic machine is shut down (more specifically, after the virtual cryptographic machine is shut down and the communication channel between the virtual cryptographic machine and the virtual cryptographic module is disconnected), the host management program can send a virtual cryptographic module destruction command to the cryptographic module, instructing it to destroy the virtual cryptographic module corresponding to the virtual cryptographic machine that was shut down. By way of example, the virtual cryptographic module destruction command can carry identification information of the virtual cryptographic module to be destroyed, namely the virtual cryptographic module corresponding to the virtual cryptographic machine that was shut down, so that the cryptographic module can destroy that module.

In an optional implementation, the cryptographic module can destroy the virtual cryptographic module by reclaiming the hardware resources of the virtual cryptographic module and clearing the logical partition of the virtual cryptographic module.
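The two flows described above, the cryptographic operation path (steps S511 to S514) and the shutdown path (steps S610 to S617), can be modelled end to end in a few dozen lines. The following is an added illustration and not code from the patent or from its applicant; the class names `CryptoModule`, `VirtualCryptoModule` and `VirtualCryptoMachine` and all method names are hypothetical. Two further assumptions are made explicit in the code: the preset built-in key is treated as shared by all virtual cryptographic modules created on one cryptographic module (otherwise a freshly created module could not import the wrapped key left on the machine's file system after a restart), and the built-in-key encryption is stood in for by a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag), since the patent does not name a cipher.

```python
import hashlib
import hmac
import secrets

# Placeholder wrapping (HMAC-SHA256 keystream + HMAC tag) standing in for the module's real built-in-key encryption; an assumption, not the patent's scheme.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap_key(builtin_key, service_key):
    """Encrypt-then-MAC the service key; this blob is all that leaves the module."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(service_key, _keystream(builtin_key, nonce, len(service_key))))
    tag = hmac.new(builtin_key, b"vcm-wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_key(builtin_key, blob):
    """Check the tag before decrypting, so a tampered blob never yields a key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(builtin_key, b"vcm-wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(builtin_key, nonce, len(ct))))

class VirtualCryptoModule:  # one isolated partition of the cryptographic module
    def __init__(self, module_id, builtin_key):
        self.module_id = module_id
        self._builtin_key = builtin_key  # preset, never exported
        self._service_key = None         # present only while a machine is bound
        self.bound_vcm = None            # the single communication channel
    def _check_channel(self, vcm_id):
        if self.bound_vcm != vcm_id:
            raise PermissionError(f"{vcm_id} has no channel to {self.module_id}")
    def key_management(self, vcm_id, import_blob):
        """Key import when a wrapped blob is supplied, key generation otherwise."""
        self._check_channel(vcm_id)
        self._service_key = (unwrap_key(self._builtin_key, import_blob)
                             if import_blob is not None else secrets.token_bytes(32))
    def crypto_operation(self, vcm_id, op_type, data):
        """S512/S513: operate with the stored key; 'mac' is the only toy type."""
        self._check_channel(vcm_id)
        if op_type != "mac":
            raise ValueError(f"unsupported operation type {op_type!r}")
        return hmac.new(self._service_key, data, hashlib.sha256).digest()
    def export_key(self, vcm_id):
        """S612/S613: return the wrapped key, clear the key, drop the channel."""
        self._check_channel(vcm_id)
        blob = wrap_key(self._builtin_key, self._service_key)
        self._service_key, self.bound_vcm = None, None
        return blob

class CryptoModule:  # the physical module that creates and destroys partitions
    def __init__(self):
        self._builtin_key = secrets.token_bytes(32)  # assumed shared by partitions
        self.partitions = {}
    def create_virtual_module(self, module_id):
        self.partitions[module_id] = VirtualCryptoModule(module_id, self._builtin_key)
        return self.partitions[module_id]
    def destroy_virtual_module(self, module_id):
        """S616/S617: refuse to tear down a partition whose channel is still up."""
        if self.partitions[module_id].bound_vcm is not None:
            raise RuntimeError("channel still connected; shut the machine down first")
        del self.partitions[module_id]

class VirtualCryptoMachine:  # the secure VM that runs the cryptographic service
    def __init__(self, vcm_id):
        self.vcm_id = vcm_id
        self.filesystem = {}  # survives restarts; only ever holds wrapped keys
        self.module = None
    def start(self, module):
        """Hypervisor assigns a module; import the saved key or have one generated."""
        self.module, module.bound_vcm = module, self.vcm_id
        module.key_management(self.vcm_id, self.filesystem.get("service_key"))
    def serve(self, op_type, data):
        """S511-S514: forward the business machine's data, return the result."""
        return self.module.crypto_operation(self.vcm_id, op_type, data)
    def shutdown(self):
        """S611-S615: export and persist the wrapped key, then exit."""
        self.filesystem["service_key"] = self.module.export_key(self.vcm_id)
        self.module = None

def demo():
    hsm, machine = CryptoModule(), VirtualCryptoMachine("vcm-1")
    machine.start(hsm.create_virtual_module("vmod-1"))
    data = b"constructed business-machine data"
    before, old_module = machine.serve("mac", data), machine.module
    machine.shutdown()
    try:  # a different machine probing the idle partition must be refused
        old_module.crypto_operation("vcm-2", "mac", data)
        denied = False
    except PermissionError:
        denied = True
    hsm.destroy_virtual_module("vmod-1")
    machine.start(hsm.create_virtual_module("vmod-2"))  # restart re-imports the key
    return {"key_cleared": old_module._service_key is None,
            "wrapped_on_disk": len(machine.filesystem["service_key"]) == 16 + 32 + 32,
            "other_machine_denied": denied,
            "same_key_after_restart": machine.serve("mac", data) == before,
            "old_partition_destroyed": "vmod-1" not in hsm.partitions}
```

`demo()` walks one machine through start, service, shutdown, partition destruction and restart, and returns the five properties the text promises: the raw key is gone from the module after export, only a wrapped blob sits on the machine's file system, a second machine gets no access through the dead channel, the re-created partition ends up with the same service key, and the old partition no longer exists. `unwrap_key` verifies the tag before decrypting, so a blob that was tampered with on the file system, or wrapped under a different built-in key, is rejected rather than turned into a wrong key.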

It should be noted that in the cryptographic service management method described above, interaction between the virtual cryptographic machine and the virtual cryptographic module takes place over a communication channel, which can be a secure communication channel using a secure communication mechanism; interaction between the virtual cryptographic machine and the virtual business machine takes place over a virtual machine communication mechanism (such as a virtual network). For details of the communication channel and the virtual machine communication mechanism, refer to the description in the corresponding part above.

The scheme provided by the embodiments of the present application can implement the cryptographic service and the cryptographic application system within the same host, avoiding a dedicated physical host for the cryptographic service, reducing the cost of the cryptographic service, and favouring its adoption. Further, the cryptographic service runs on a virtual cryptographic machine, which is a secure virtual machine using a security protection mechanism, while the cryptographic application system runs on a virtual business machine, which is an ordinary virtual machine; the embodiments of the present application can thus meet the computing environment requirements of both the cryptographic service and the cryptographic application system, and the two can communicate through the virtual machine communication mechanism within the host, improving the timeliness of the cryptographic service's response to the cryptographic application system and thus the performance of the cryptographic service. Furthermore, the virtual cryptographic machine and the corresponding virtual cryptographic module can jointly provide a secure and trusted cryptographic service, safeguarding its security and trustworthiness. It can be seen that the scheme provided by the embodiments of the present application can improve the performance of the cryptographic service and favours its adoption.

In a further optional implementation, since the functions of the host management program, the virtual cryptographic machine and the virtual cryptographic module can be configured by software (for example, their functions in the cryptographic service management scheme can be configured by software instructions), the embodiments of the present application further provide a storage medium. The storage medium can store computer instructions which, when executed, implement the cryptographic service management method performed by the host management program, the cryptographic service management method performed by the virtual cryptographic machine, or the cryptographic service management method performed by the virtual cryptographic module, as provided by the embodiments of the present application.

In a further optional implementation, the embodiments of the present application also provide a computer program product comprising computer instructions which, when executed, implement the cryptographic service management method performed by the host management program, the cryptographic service management method performed by the virtual cryptographic machine, or the cryptographic service management method performed by the virtual cryptographic module, as provided by the embodiments of the present application.

The above describes several embodiments provided by the present application. The optional approaches introduced in the various embodiments can be combined and cross-referenced with one another where they do not conflict, yielding further possible embodiments, all of which are considered to be disclosed by the embodiments of the present application.

Although the embodiments of the present application are disclosed above, the present application is not limited thereto. Any person skilled in the art may make various changes and modifications without departing from the spirit and scope of the present application, and the scope of protection of the present application shall therefore be as defined by the claims.

Claims (19)

1. A host, characterized by comprising: a plurality of virtual machines and a cryptographic module;
The virtual machines comprise at least one virtual cryptographic machine and at least one virtual business machine; the virtual cryptographic machine runs a cryptographic service, the virtual business machine runs a cryptographic application system, and the cryptographic application system uses the cryptographic service to perform cryptographic operations on data to be operated on by the cryptographic application system; the virtual cryptographic machine is a secure virtual machine adopting a security protection mechanism, so that the cryptographic service runs in a trusted execution environment; the virtual business machine is an ordinary virtual machine, so that the cryptographic application system runs in a general computing environment;
The cryptographic module comprises virtual cryptographic modules whose number corresponds to that of the at least one virtual cryptographic machine, one virtual cryptographic module corresponding to one virtual cryptographic machine; the virtual cryptographic module provides key management and cryptographic operation support for the cryptographic service run by the corresponding virtual cryptographic machine.
2. The host of claim 1, further comprising: a host management program;
The host management program is configured to send a virtual cryptographic module creation command to the cryptographic module to instruct the cryptographic module to create a virtual cryptographic module; after the virtual cryptographic machine is started, to assign the virtual cryptographic module created by the cryptographic module to the virtual cryptographic machine so as to establish the correspondence between the virtual cryptographic machine and the virtual cryptographic module; and after the virtual cryptographic machine is shut down, to send a virtual cryptographic module destruction command to the cryptographic module to instruct the cryptographic module to destroy the virtual cryptographic module corresponding to the shut-down virtual cryptographic machine.
3. The host of claim 2, wherein the virtual cryptographic machine is configured to send key management information to the corresponding virtual cryptographic module after the virtual cryptographic machine is started and the corresponding virtual cryptographic module is assigned, so that the virtual cryptographic module stores a key of the cryptographic service;
and, when the virtual cryptographic machine needs to be shut down, to send a key export request to the virtual cryptographic module to request export of the key of the cryptographic service.
4. The host of claim 3, wherein the virtual cryptographic machine being configured to send key management information to the corresponding virtual cryptographic module so that the virtual cryptographic module stores a key of the cryptographic service comprises:
determining whether the file system of the virtual cryptographic machine stores a key of the cryptographic service;
if the file system of the virtual cryptographic machine stores a key of the cryptographic service, sending key import information to the corresponding virtual cryptographic module, wherein the key import information carries the key of the cryptographic service stored in the file system of the virtual cryptographic machine;
and if the file system of the virtual cryptographic machine does not store a key of the cryptographic service, sending key generation request information to the corresponding virtual cryptographic module to request that the virtual cryptographic module generate a key of the cryptographic service.
5. The host of claim 4, wherein the key of the cryptographic service stored in the file system of the virtual cryptographic machine is an encrypted key of the cryptographic service, the encrypted key of the cryptographic service being encrypted using a preset built-in key of the virtual cryptographic module;
the virtual cryptographic machine being configured to send key import information to the corresponding virtual cryptographic module, wherein the key import information carries the key of the cryptographic service stored in the file system of the virtual cryptographic machine, comprises:
sending key import information to the corresponding virtual cryptographic module, wherein the key import information carries the encrypted key of the cryptographic service;
the virtual cryptographic module is configured to respond to the key import information by decrypting the imported encrypted key of the cryptographic service using the built-in key of the virtual cryptographic module, and storing the decrypted key of the cryptographic service.
6. The host of claim 5, wherein the virtual cryptographic module is further configured to respond to the key export request by encrypting the stored key of the cryptographic service using the built-in key of the virtual cryptographic module and exporting the encrypted key of the cryptographic service; and, after exporting the encrypted key of the cryptographic service, to clear the stored key of the cryptographic service;
the encrypted key of the cryptographic service exported by the virtual cryptographic module is stored in the file system of the corresponding virtual cryptographic machine.
7. The host of claim 3, wherein the virtual cryptographic machine is further configured to start and run the cryptographic service after the corresponding virtual cryptographic module has stored the key of the cryptographic service;
while running the cryptographic service, to obtain a cryptographic application request sent by the virtual business machine, wherein the cryptographic application request carries data to be operated on by the cryptographic application system of the virtual business machine; to send a cryptographic operation request to the corresponding virtual cryptographic module, wherein the cryptographic operation request carries the data to be operated on; and to obtain the cryptographic operation result fed back by the corresponding virtual cryptographic module and feed the cryptographic operation result back to the virtual business machine;
the virtual cryptographic module is configured to respond to the cryptographic operation request sent by the corresponding virtual cryptographic machine by performing a cryptographic operation on the data to be operated on using the key of the cryptographic service to obtain a cryptographic operation result, and to feed the cryptographic operation result back to the corresponding virtual cryptographic machine.
8. The host of claim 2, wherein the at least one virtual cryptographic machine is a plurality of virtual cryptographic machines, and there is a plurality of communication channels between the plurality of virtual cryptographic machines and the plurality of virtual cryptographic modules, one communication channel being used for communication between one virtual cryptographic machine and the corresponding virtual cryptographic module; the communication channels adopt a secure communication mechanism, and the plurality of communication channels are mutually isolated;
the communication channel between a virtual cryptographic machine and the corresponding virtual cryptographic module is connected when the virtual cryptographic module is assigned to the virtual cryptographic machine, and is disconnected after the virtual cryptographic machine is shut down and before the virtual cryptographic module is destroyed;
the plurality of virtual cryptographic modules inside the cryptographic module are mutually isolated; and the virtual cryptographic machine and the virtual business machine communicate through a virtual machine communication mechanism.
9. The host of any one of claims 1-8, wherein the secure virtual machine comprises an encrypted virtual machine, the memory space of the encrypted virtual machine is encrypted with a virtual machine key of the encrypted virtual machine, and different encrypted virtual machines have different virtual machine keys; the ordinary virtual machine is a virtual machine without a virtual machine key.
10. A cryptographic service management method, wherein the method is based on the host of any one of claims 1-9 and is performed by a host management program, the method comprising:
sending a virtual cryptographic module creation command to the cryptographic module to instruct the cryptographic module to create a virtual cryptographic module;
starting a virtual cryptographic machine, and after the virtual cryptographic machine is started, assigning the virtual cryptographic module created by the cryptographic module to the virtual cryptographic machine so as to establish the correspondence between the virtual cryptographic machine and the virtual cryptographic module;
and sending a virtual machine shutdown instruction to the virtual cryptographic machine to instruct it to shut down, and after the virtual cryptographic machine is shut down, sending a virtual cryptographic module destruction command to the cryptographic module to instruct the cryptographic module to destroy the virtual cryptographic module corresponding to the shut-down virtual cryptographic machine.
11. A cryptographic service management method, wherein the method is based on the host of any one of claims 1-9 and is performed by a virtual cryptographic machine, the method comprising:
after the virtual cryptographic machine is started and the corresponding virtual cryptographic module is assigned, sending key management information to the corresponding virtual cryptographic module so that the virtual cryptographic module stores a key of the cryptographic service;
and obtaining a virtual machine shutdown instruction sent by the host management program, and sending a key export request to the virtual cryptographic module to request export of the key of the cryptographic service.
12. The method of claim 11, wherein sending key management information to the corresponding virtual cryptographic module so that the virtual cryptographic module stores the key of the cryptographic service comprises:
determining whether the file system of the virtual cryptographic machine stores a key of the cryptographic service;
if the file system of the virtual cryptographic machine stores a key of the cryptographic service, sending key import information to the corresponding virtual cryptographic module, wherein the key import information carries the key of the cryptographic service stored in the file system of the virtual cryptographic machine;
and if the file system of the virtual cryptographic machine does not store a key of the cryptographic service, sending key generation request information to the corresponding virtual cryptographic module to request that the virtual cryptographic module generate a key of the cryptographic service.
13. The method of claim 12, wherein the key of the cryptographic service stored in the file system of the virtual cryptographic machine is an encrypted key of the cryptographic service, the encrypted key of the cryptographic service being encrypted using a preset built-in key of the virtual cryptographic module;
sending key import information to the corresponding virtual cryptographic module, wherein the key import information carries the key of the cryptographic service stored in the file system of the virtual cryptographic machine, comprises:
sending key import information to the corresponding virtual cryptographic module, wherein the key import information carries the encrypted key of the cryptographic service;
the key of the cryptographic service exported by the virtual cryptographic module is an encrypted key of the cryptographic service, and the method further comprises:
storing the encrypted key of the cryptographic service exported by the corresponding virtual cryptographic module in the file system of the virtual cryptographic machine;
and exiting the virtual cryptographic machine.
14. The method of claim 11, further comprising:
starting and running the cryptographic service after the corresponding virtual cryptographic module has stored the key of the cryptographic service;
while running the cryptographic service, obtaining a cryptographic application request sent by the virtual business machine, wherein the cryptographic application request carries data to be operated on by the cryptographic application system of the virtual business machine; sending a cryptographic operation request to the corresponding virtual cryptographic module, wherein the cryptographic operation request carries the data to be operated on; and obtaining the cryptographic operation result fed back by the corresponding virtual cryptographic module and feeding the cryptographic operation result back to the virtual business machine.
15. A cryptographic service management method, wherein the method is based on the host of any one of claims 1-9 and is performed by a virtual cryptographic module, the method comprising:
after the virtual cryptographic module is created and assigned to the corresponding virtual cryptographic machine, obtaining key management information sent by the corresponding virtual cryptographic machine, and storing the key of the cryptographic service in response to the key management information;
and obtaining a key export request sent by the corresponding virtual cryptographic machine, and exporting the key of the cryptographic service in response to the key export request.
16. The method of claim 15, wherein storing the key of the cryptographic service in response to the key management information comprises:
in response to key import information sent by the corresponding virtual cryptographic machine, decrypting the encrypted key of the cryptographic service carried by the key import information using a preset built-in key of the virtual cryptographic module, and storing the decrypted key of the cryptographic service;
or, in response to key generation request information sent by the corresponding virtual cryptographic machine, generating and storing a key of the cryptographic service;
exporting the key of the cryptographic service in response to the key export request comprises:
in response to the key export request sent by the corresponding virtual cryptographic machine, encrypting the stored key of the cryptographic service using the built-in key of the virtual cryptographic module, and exporting the encrypted key of the cryptographic service; the exported encrypted key of the cryptographic service is stored in the file system of the corresponding virtual cryptographic machine;
the method further comprises:
after exporting the encrypted key of the cryptographic service, clearing the stored key of the cryptographic service.
17. The method of claim 15, further comprising:
obtaining a cryptographic operation request sent by the corresponding virtual cryptographic machine, wherein the cryptographic operation request carries data to be operated on by the cryptographic application system of a virtual business machine;
performing a cryptographic operation on the data to be operated on using the key of the cryptographic service to obtain a cryptographic operation result;
and feeding the cryptographic operation result back to the corresponding virtual cryptographic machine.
18. A storage medium storing computer instructions which, when executed, implement the cryptographic service management method of claim 10, or the cryptographic service management method of any one of claims 11-14, or the cryptographic service management method of any one of claims 15-17.
19. A computer program product comprising computer instructions which, when executed, implement the cryptographic service management method of claim 10, or the cryptographic service management method of any one of claims 11-14, or the cryptographic service management method of any one of claims 15-17.
CN202410850327.1A 2024-06-27 2024-06-27 Host, password service management method, storage medium and program Pending CN118606925A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410850327.1A CN118606925A (en) 2024-06-27 2024-06-27 Host, password service management method, storage medium and program

Publications (1)

Publication Number Publication Date
CN118606925A true CN118606925A (en) 2024-09-06

Family

ID=92566598

Country Status (1)

Country Link
CN (1) CN118606925A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118916064A (en) * 2024-10-10 2024-11-08 三未信安科技股份有限公司 Method and system for hot upgrading of iterative crypto engine service

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108228316A (en) * 2017-12-26 2018-06-29 成都卫士通信息产业股份有限公司 A kind of method and apparatus of encryption device virtualization
US20180232519A1 (en) * 2015-09-15 2018-08-16 Institute Of Information Engineering, Chinese Academy Of Sciences System and method for providing cryptographic operation service in virtualization environment
CN111782344A (en) * 2020-07-02 2020-10-16 北京数字认证股份有限公司 Method and system for providing password resources and host machine
CN115455403A (en) * 2022-10-08 2022-12-09 北京江南天安科技有限公司 Application cipher machine architecture and system
CN116866007A (en) * 2023-06-14 2023-10-10 阿里云计算有限公司 Log processing method, device, encryption service system, equipment and storage medium
US20240113898A1 (en) * 2021-02-10 2024-04-04 V-Key Inc. Secure Module and Method for App-to-App Mutual Trust Through App-Based Identity

Similar Documents

Publication Publication Date Title
EP3937424B1 (en) Blockchain data processing methods and apparatuses based on cloud computing
US10454916B2 (en) Systems and methods for implementing security
CN113014539B (en) Internet of things equipment safety protection system and method
US9698988B2 (en) Management control method, apparatus, and system for virtual machine
US20230325492A1 (en) Secure Runtime Systems And Methods
WO2021164166A1 (en) Service data protection method, apparatus and device, and readable storage medium
US9792427B2 (en) Trusted execution within a distributed computing system
US9124640B2 (en) Systems and methods for implementing computer security
US8839004B1 (en) Secure cloud computing infrastructure
CN108509802B (en) Application data anti-leakage method and device
EP3790257B1 (en) Security system for using shared computational facilities
CN113485785B (en) Virtual trusted platform module realization method, secure processor and storage medium
WO2024139273A1 (en) Federated learning method and apparatus, readable storage medium, and electronic device
CN100550030C (en) On portable terminal host, add the method for credible platform
CN118606925A (en) Host, password service management method, storage medium and program
WO2021164167A1 (en) Key access method, apparatus, system and device, and storage medium
US20250226975A1 (en) Method of controlling remote data based on confidential computing and system thereof
KR101107056B1 (en) How to process security information for virtual machines in a cloud computing environment
WO2025112388A1 (en) Confidential computing environment creation method, cryptographic operation method, cryptographic operation system, electronic device, and storage medium
CN115361140B (en) Method and device for verifying security chip key
KR101069500B1 (en) Data security processing method and recording media using virtualization and trust platform module in network system
WO2019133298A1 (en) Managed securitized containers and container communications
US12362914B1 (en) Network authentication with cryptographic corpocessors
CN119135395A (en) Remote data control method, device and equipment based on confidential computing technology
CN118550647A (en) Data sharing method and related device of secure virtual machine

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240920

Address after: Rooms 501 and 502, No. 289 Chunxiao Road, China (Shanghai) Pilot Free Trade Zone, Pudong New Area, Shanghai, 200020 (nominal floor is 6th floor)

Applicant after: Haiguang Yunxin Integrated Circuit Design (Shanghai) Co.,Ltd.

Country or region after: China

Address before: 300384 industrial incubation-3-8, North 2-204, No. 18, Haitai West Road, Tianjin Huayuan Industrial Zone, Binhai New Area, Tianjin

Applicant before: Haiguang Information Technology Co.,Ltd.

Country or region before: China