Password unit creation method and device, data processing method and device and electronic equipment
A cryptographic device and data processing technology, applied in the field of computer cryptography, that addresses problems such as the slow startup of cryptographic devices and their enlarged attack surface
Pending Publication Date: 2020-12-08
BEIJING CERTIFICATE AUTHORITY
AI-Extracted Technical Summary
Problems solved by technology
In recent years, with the continuous development of the Linux kernel, more and more types of hardware drivers, file systems, scheduling modes, application software, etc. are supported. This has made the Linux kernel and distributions huge, which reduces the startup speed and increases the attack surface. ...
Abstract
The invention provides a cryptographic unit creation method and device, a data processing method and device, and electronic equipment. The creation method comprises the steps of obtaining a cryptographic component for executing a cryptographic processing operation; according to the dependency relationship between the cryptographic component and dependent components, obtaining each type of target dependent component corresponding to the cryptographic component; and packaging the cryptographic component and each type of target dependent component, by static linking with a build tool, into an image file representing a cryptographic unit installation package. According to the scheme, the cryptographic component and the target dependent components are kept independent and then packaged into the image file by static linking, and the image file can carry out the corresponding cryptographic operation when run. On this basis the cryptographic unit is small, the attack surface can be reduced to improve the security of data, and, because of the small size, the startup speed and the recovery speed when a cryptographic service function is used can be increased.
Application Domain
Digital data authentication
Technology Topic
Embedded system, Data processing
Examples
[0046] The first embodiment
[0047] Please refer to Figure 3. The embodiment of the present application also provides a cryptographic unit creation method, which can be applied to the above-mentioned development terminal 10; the development terminal 10 can execute or realize the steps of the method, and the method can include the following steps:
[0048] S110, obtaining a password component for executing a password processing operation;
[0049] S120, according to the dependency relationship between the cryptographic component and the dependent component, obtaining each type of target dependent component corresponding to the cryptographic component;
[0050] S130, by means of a build tool, the cryptographic component and each type of target dependent component are encapsulated by static linking into an image file representing the cryptographic unit installation package, and the image file is a file including an operating system.
[0051] In the above embodiment, the cryptographic component and the target dependent components are kept separate and then encapsulated into an image file by static linking, and the image file can realize the corresponding cryptographic operation at runtime. The cryptographic unit itself is a unit containing the operating system. The startup and operation of the cryptographic unit no longer need a general Linux operating system; it can be started and operated independently for cryptographic service. That is, the cryptographic unit already contains the operating system functions necessary for starting and running, so it does not need the support of an additional operating system, which is conducive to reducing the attack surface and improving the security of data. In addition, because the cryptographic unit contains few operating system components, the cryptographic unit is small, which is conducive to improving the startup speed and recovery speed when using the cryptographic service function.
[0052] The steps of the method will be described in detail as follows:
[0053] In step S110, when a cryptographic unit needs to be created, the development terminal can obtain various cryptographic components prepared in advance. A single cryptographic component can be used to perform cryptographic operation through the corresponding cryptographic operation strategy, or the data to be processed can be sent to the corresponding cryptographic operation component, and the cryptographic operation component can perform cryptographic operation on the data to be processed through the corresponding cryptographic operation strategy. Among them, the type and number of cryptographic components acquired by the development terminal can be determined according to the actual situation. The cryptographic strategy can be understood as the algorithm used to realize the cryptographic service functions of encryption and decryption, and can be selected according to the actual situation. For example, cryptographic operation strategy can be but not limited to digital signature, character encryption and decryption algorithm, data digest algorithm, etc. Components include, but are not limited to, components that can be used to implement cryptographic operations such as digital signature, character encryption and decryption algorithm, data digest algorithm, and components that are used to send data to be processed to the corresponding cryptographic operation components.
[0054] Understandably, the cryptographic component itself can perform the corresponding cryptographic operation on the data to be processed through the cryptographic operation strategy. Alternatively, the cryptographic component can be used as a transmission tool to transmit the data to be processed to the corresponding cryptographic operation component, so that the cryptographic operation component can perform cryptographic operation on the data to be processed according to the corresponding cryptographic operation strategy. At this time, the cryptographic component has a corresponding relationship with the corresponding cryptographic operation component, and the cryptographic operation component is the component used to perform cryptographic operations such as digital signature, character encryption and decryption algorithm, and data digest algorithm on the data.
[0055] In this embodiment, before step S110 is executed, the cryptographic component may be stored in advance on a server or in the local memory of the development terminal. When a cryptographic unit needs to be created, the cryptographic device can obtain the various cryptographic components from the server or local storage. As long as the cryptographic device can acquire the cryptographic component, there is no specific limitation on the source or the way of acquiring it.
[0056] In step S120, the development terminal may store the dependency relationship between the password component and the dependent component in advance. Among them, the dependent components are required when installing or running the cryptographic unit. All kinds of dependent components can be stored in the server or development terminal in advance in the form of database. The dependency between password and dependent components can be determined according to the actual situation. After obtaining the password component, the terminal can determine the dependent component corresponding to the password component as the target dependent component according to the dependency relationship between the password component and the dependent component, and then obtain the target dependent component as the component of the password unit.
[0057] In step S130, the build tool may be, but is not limited to, an IncludeOS tool, a Unik tool, etc., and may be used to package the obtained cryptographic components and dependent components by static linking. That is, with build tools such as IncludeOS or Unik, components such as the cryptographic components and dependent components can be linked together to generate an executable program. In this embodiment, the executable program is an image file representing the cryptographic unit installation package, which can be as shown in Figure 3.
[0058] When the password unit is applied to physical devices (such as personal computers and servers), the system of the physical devices can install image files. During deployment, the image files can automatically install various contents into the corresponding installation directories of the physical devices. After the image files are installed, the password unit can be formed.
[0059] When the cryptographic unit is applied to a virtualization scenario, for example, when the cryptographic unit is applied to a virtualization manager, the image file can be compiled by the virtualization manager, and the virtualization manager can directly load the image file without installing the image file. By running the image file, it can be used as a cryptographic unit to encrypt and decrypt data. The form of the image file can correspond to the virtual disk supported by the virtualization manager (for example, Vmdk file), and the image file contains the password component of the password unit, the required boot program, driver, etc.
[0060] In this embodiment, the cryptographic unit only includes such service components as cryptographic components, so the cryptographic unit only provides a logical interface for implementing cryptographic services, and does not provide other interfaces, so as to improve the security of data processing.
[0061] Understandably, the image file includes the components needed for the operation of cryptographic components, which can be directly operated without relying on Linux system, and is convenient for the transplantation and installation of cryptographic units. In addition, the cryptographic unit only includes cryptographic components, not other types of service components. For example, compared with the existing cipher machine, which needs to include the service component for realizing user management and the dependent component required by the service component, the cipher unit of the embodiment of the present application does not include the service component managed by the user, and does not need to additionally add the dependent component required by the service component managed by the user. Therefore, the capacity of the cryptographic unit can be reduced, and the lightweight cryptographic unit can be created. After the capacity of the cryptographic unit is reduced, it is beneficial for the cryptographic unit to start quickly, so as to shorten the time required for starting, and at the same time, it can also improve the recovery speed (the speed of closing the cryptographic unit). In addition, because the cryptographic unit only provides cryptographic services, but does not provide user management, the logical interface for external interaction is reduced, which is conducive to narrowing the attack surface and improving the security of data processing.
[0062] As an optional implementation, step S110 may include: obtaining at least one type of cryptographic component among the first type of cryptographic components used to perform cryptographic operations through cryptographic operation strategies and the second type of cryptographic components used to send data to be processed to the corresponding cryptographic operation components.
[0063] Understandably, cryptographic components can be divided according to the principle or algorithm of performing encryption and decryption operations. Different cryptographic components of different classes usually use different algorithms to perform encryption and decryption. In this embodiment, the first type of cryptographic components include, but are not limited to, a first cryptographic component for performing cryptographic operations through digital signatures, a second cryptographic component for performing cryptographic operations through character encryption and decryption algorithms, and a third cryptographic component for performing cryptographic operations through data digest algorithms. The second type of cryptographic component may include a fourth cryptographic component for sending the data to be processed to the corresponding cryptographic operation component. When the data to be processed is sensitive data, the fourth cryptographic component can transmit the data to be processed to the corresponding cryptographic operation component through a preset password, so that the cryptographic operation component can perform corresponding cryptographic operation on the data to be processed.
[0064] The cryptographic components can also be cryptographic components of other classes. For example, the cryptographic components may include a cryptographic component for hash-function encryption and decryption. By obtaining a variety of cryptographic components, the method makes it convenient to select the corresponding encryption and decryption methods according to requirements, so as to enrich the implementation methods of encryption and decryption.
[0065] In this embodiment, the password component can be created by the designer in advance. When creating a password component, you can create the password component according to the password function or algorithm. For example, cryptographic functions include but are not limited to digital signature, character encryption and decryption, data digest, hash function, transmission of data to be processed, etc. When the password function is realized, various password functions can be realized by different programming languages, such as digital signature, character encryption and decryption, data digest, hash function, etc. Alternatively, the password function can be realized by software, such as OpenSSL and other open source libraries or self-written codes, or by other password modules such as PCI password library, software password module or virtual password module.
[0066] Among them, the password function can be implemented on a physical machine (such as a personal computer) or a virtual machine. When it is implemented on a physical machine, the corresponding hardware drivers, such as CPU driver and motherboard driver, can be selected according to the actual situation. When a virtual machine is implemented, the virtualized hardware is usually standard hardware. At this point, you can choose the corresponding virtualization software according to the actual situation, such as VirtualBox, Xen, Qemu, VMWare, etc.
[0067] After the password function is realized, the password function can be provided to the outside world in the form of network service. For example, a request/response mechanism based on TCP or HTTP or HTTPS. Among them, when providing password function in the form of network service, the bottom layer of the operating system where the password unit is installed needs to provide TCP protocol stack and HTTP/HTTPS support. In addition, when the cryptographic unit serves multiple concurrent scenarios, the operating system also needs to support multithreading, such as POSIX.
[0068] As an optional implementation, before step S120, the method may further include: creating a dependency relationship between the cryptographic component and the dependent component, wherein the dependent component corresponding to the cryptographic component includes a basic dependency component, a TCP protocol stack component, a network support component, and a programming language runtime component.
[0069] When creating dependencies, password components can be set with unique codes to represent the unique ID of password components, and various types of dependent components can also be set with unique codes to represent the unique ID of dependent components. Different dependent components of have different IDs, so that they can be easily distinguished. When establishing the dependency relationship, the ID of the cryptographic component can be associated with the ID of the dependent component required by the cryptographic component, and based on this, the dependency relationship between the cryptographic component and the dependent component can be established. Among them, the dependent components required by the password component can be selected according to the actual situation, and there is no specific limitation here.
[0070] Understandably, current embedded development systems and microkernel systems can provide libOS.a, which includes standard CPU drivers, motherboard drivers, boot programs and disk management, as the basic dependent component. The designer of the cryptographic unit can identify the other dependent components, including TCP protocol stack components, network support components, the math library libm, programming language runtime components (such as the C runtime library libc, the C++ runtime library libstdc++, the multi-thread support library posix, etc.), as well as the supporting software of the cryptographic components used, all of which are well known to those skilled in the field. All kinds of components can be pre-stored on servers, development terminals and other devices. Alternatively, the various components can be configured in the configuration files of the compiling and linking tools (such as the above-mentioned IncludeOS and Unik tools).
[0071] When creating a dependency relationship, the program code of the password component can automatically identify the required dependent component, or link the password component with the required dependent component by compiling the command line and specifying the link through the configuration file, so as to realize the establishment of the dependency relationship.
[0072] In the above embodiment, by obtaining the dependent components of the cryptographic component and then packaging them, the cryptographic unit itself can include the operating system, which is convenient to transplant and relocate the cryptographic unit.
[0073] As an alternative embodiment, the method can perform steps S110 to S130 several times to obtain a plurality of image files, and each image file is an installation package of a cryptographic unit.
[0074] Understandably, the number of created image files can be determined according to the actual situation. Multiple image files are conducive to the construction of large-scale cryptographic units, so as to provide multiple cryptographic service lines to the outside world at the same time.
[0075] As an optional implementation, the method may further include: sending the obtained multiple image files to a cryptographic device, so that the cryptographic device can construct a cryptographic integrated service system according to the multiple image files.
[0076] Understandably, the cryptographic integrated service system can provide multiple cryptographic service interfaces to the outside world at the same time, and can encrypt and decrypt multiple paths of data, which is conducive to improving the efficiency of cryptographic processing. In addition, because the operating system contained in the image file is obtained through static link, the password unit starts quickly, and the password integrated service system can realize the rapid and dynamic expansion of password service and the rapid recovery of resources by quickly adding and deleting password units. That is, the dynamic horizontal expansion speed and the dynamic resource recovery speed of the cryptographic integrated service system provided by the embodiment of the present application can be improved.
[0077] Please refer to Figure 3. Using the above build tools, the basic dependent components, TCP protocol stack components, network card drivers, motherboard drivers and other dependent components can be packaged into a static library file OS.a; the math library libm, libc, libstdc++, posix and other programming language runtime components are packaged into the OS basic library; the cryptographic operation strategy and key management components are encapsulated into a Crypto.c file; the cryptographic service is encapsulated into a Service.c file; and finally all of the encapsulated files are combined to form an image file.
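The dependency resolution of [0068]-[0071] and the static packaging of [0077], modelled as an added Python example (not code from the patent or from IncludeOS or Unik). The component IDs, the catalogue, the dependency table and the `build-tool` command name are constructed assumptions; the exclusion check reflects [0061] and [0083], which say a unit must carry no user-management, Telnet or SSH service component.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    cid: str       # unique code identifying the component ([0069])
    name: str
    kind: str      # "crypto", "dependency" or "service"
    artifact: str  # what the build tool links: a source file, a static archive or -l<lib>


# Constructed catalogue, modelled on the files named in [0077]
# (Crypto.c, Service.c, OS.a and the OS basic library).  IDs are assumptions.
CATALOG = {c.cid: c for c in [
    Component("C1", "digital-signature", "crypto", "Crypto.c"),
    Component("C2", "character-cipher", "crypto", "Crypto.c"),
    Component("C3", "data-digest", "crypto", "Crypto.c"),
    Component("C4", "forwarder", "crypto", "Service.c"),
    Component("D_OS", "basic-dependency", "dependency", "OS.a"),
    Component("D_TCP", "tcp-stack", "dependency", "OS.a"),
    Component("D_NET", "nic-driver", "dependency", "OS.a"),
    Component("D_LIBC", "libc", "dependency", "-lc"),
    Component("D_LIBSTDCPP", "libstdc++", "dependency", "-lstdc++"),
    Component("D_LIBM", "libm", "dependency", "-lm"),
    Component("D_POSIX", "posix-threads", "dependency", "-lpthread"),
    Component("S_USERMGMT", "user-management", "service", "Users.c"),
    Component("S_SSH", "ssh", "service", "Sshd.c"),
]}

# Dependency relationship ([0069]): component ID -> IDs of the components it needs.
# Dependencies may themselves have dependencies, so resolution is transitive.
DEPENDENCIES = {
    "C1": {"D_LIBC", "D_LIBM", "D_TCP"},
    "C2": {"D_LIBC", "D_TCP"},
    "C3": {"D_LIBC", "D_TCP"},
    "C4": {"D_LIBC", "D_LIBSTDCPP", "D_TCP", "D_POSIX"},
    "D_TCP": {"D_NET", "D_OS"},   # the stack needs a NIC driver and the base OS
    "D_NET": {"D_OS"},
    "S_SSH": {"S_USERMGMT", "D_TCP", "D_POSIX"},
}


def resolve_targets(component_ids):
    """Return the IDs of every target dependent component reachable from the
    given components (step S120), excluding the starting components themselves."""
    resolved, stack = set(), list(component_ids)
    while stack:
        cid = stack.pop()
        if cid in resolved:
            continue
        if cid not in CATALOG:
            raise KeyError(f"unknown component id {cid!r}")
        resolved.add(cid)
        stack.extend(DEPENDENCIES.get(cid, ()))
    return resolved - set(component_ids)


def check_unit(crypto_ids):
    """Attack-surface check: a unit may contain only cryptographic components and
    their dependencies, never a service component ([0061], [0083]).
    Returns (ok, sorted names of offending components)."""
    ids = set(crypto_ids) | resolve_targets(crypto_ids)
    bad = sorted(CATALOG[c].name for c in ids if CATALOG[c].kind == "service")
    return (not bad, bad)


def link_command(crypto_ids, image="crypto-unit.img"):
    """Step S130: produce the static-link command line for the image.
    'build-tool' stands in for IncludeOS/Unik and is an assumption of this example."""
    ok, bad = check_unit(crypto_ids)
    if not ok:
        raise ValueError(f"service components not allowed in a unit: {bad}")
    ids = set(crypto_ids) | resolve_targets(crypto_ids)
    artifacts = {CATALOG[c].artifact for c in ids}
    sources = sorted(a for a in artifacts if a.endswith(".c"))
    archives = sorted(a for a in artifacts if a.endswith(".a"))
    libs = sorted(a for a in artifacts if a.startswith("-l"))
    return ["build-tool", "--static", "-o", image, *sources, *archives, *libs]


if __name__ == "__main__":
    print(" ".join(link_command({"C1", "C3"})))
    print(check_unit({"C1", "S_SSH"}))
```

Adding a service component such as `S_SSH` to the unit makes `check_unit` report it and `link_command` refuse to build, which is the allowlist the patent's "only cryptographic components" rule amounts to in practice.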
[0078] In this embodiment, because the constructed cryptographic unit contains the boot program and the basic computer system, when it is loaded by the physical or virtual machine management programs such as Qemu and Xen, it can find the boot program of the cryptographic unit to start the physical or virtual machine, drive the installed hardware such as CPU, memory, disk and bus, and then load the cryptographic components, network drivers and network protocol stacks in the cryptographic unit. The cryptographic component receives the encryption request, completes the encryption operation for the requester, or receives the decryption request, completes the decryption operation for the requester, or transmits the data to be processed to the corresponding cryptographic operation component to realize the transmission function.
[0079] In this embodiment, the cryptographic unit can be installed in cryptographic devices such as industrial personal computers and dedicated servers, and become a hardware cryptographic device with the characteristics of fast startup and fast service, and at the same time, the potential safety hazards of physical devices caused by their own complexity can be reduced.
[0080] In this embodiment, the cryptographic capability of the traditional hardware cryptographic machine can be replaced by several virtual lightweight cryptographic units. The device can provide key management and password calculation capabilities, and the lightweight password unit created by this application encapsulates sensitive parameters of a specific user, such as visitor account password and security policy, such as the maximum number of connections, etc., so as to achieve the effect of secure sharing of computing capabilities of password devices.
[0081] In this embodiment, the software module of the cryptographic unit (i.e., the above-mentioned image file) can be encapsulated in a lightweight virtual machine. Because the lightweight virtual machine has the characteristics of low complexity, small image volume, low resource consumption and high isolation degree, it can start up quickly, provide cryptographic services efficiently and safely.
[0082] In this embodiment, the constructed cryptographic units can form a large-scale cryptographic unit cluster through network level planning to jointly improve cryptographic service capabilities, and can cooperate with various key management systems, digital certificate systems, identity authentication systems, electronic signature systems, etc. to jointly complete the required complex cryptographic functions.
[0083] Based on the above design, it is possible to construct cryptographic units with lower complexity than the current special cryptographic machines. In the cryptographic unit, only all kinds of components necessary for the operation and service of cryptographic equipment are included, and others are excluded. For example, the password unit does not include service components such as user management of Linux system, Telnet remote connection service, SSH(Secure Shell) protocol service, etc., which makes it unnecessary for the designers, developers and managers of password devices to carry out targeted defense design for the hidden risks of these service components, thus reducing the complexity of the system and potential security risks of other service components.
[0084] When cryptographic unit is applied to virtual machine, it is different from traditional cryptographic machine virtualization. Because the lightweight cryptographic unit created in this application has the characteristics of few dependencies, low complexity, small volume and little resource occupation, a single cryptographic device can support virtualization to become a large number of virtualized cryptographic units, and at the same time, it can be quickly started and recovered.
[0085] Please refer to Figure 5. The embodiment of the present application also provides a cryptographic unit creating device 200, which can be applied to the above development terminal 10 and is used for executing or realizing the steps of the cryptographic unit creating method. The cryptographic unit creating device 200 includes at least one software function module that can be stored in the memory in the form of software or firmware, or solidified in the operating system (OS) of the development terminal 10. The processor is used to execute the executable modules stored in the memory, such as the software function modules and computer programs included in the cryptographic unit creating device 200.
[0086] The unit creation device 200 may include a first acquisition module 210, a second acquisition module 220, and an encapsulation module 230.
[0087] A first obtaining module 210, configured to obtain a cryptographic component for performing cryptographic processing operations.
[0088] A second obtaining module 220, configured to obtain each type of target dependent component corresponding to the cryptographic component according to the dependency relationship between the cryptographic component and the dependent component.
[0089] An encapsulation module 230, configured to encapsulate the cryptographic component and each type of target dependent component into an image file representing the cryptographic unit installation package by a static link through a construction tool, wherein the image file is a file including an operating system.
[0090] Optionally, the first obtaining module 210 may also be used to obtain at least one type of cryptographic component among the first type of cryptographic components used to perform cryptographic operations through cryptographic operation strategies and the second type of cryptographic components used to send the data to be processed to the corresponding cryptographic operation components.
[0091] Optionally, the cryptographic unit creating device 200 may further include a creating module, which is used to create the dependency relationship between the cryptographic components and the dependent components before the second acquiring unit acquires each type of target dependent components corresponding to the cryptographic components according to the dependency relationship between the cryptographic components and the dependent components, wherein the dependent components corresponding to the cryptographic components include basic dependent components, TCP protocol stack components, network support components and programming language runtime components.
[0092] Optionally, the cryptographic unit creating device 200 may further include a sending module, which is used to send the obtained plurality of image files to a cryptographic device, so that the cryptographic device can construct a cryptographic integrated service system according to the plurality of image files.
[0093] It should be noted that those skilled in the art can clearly understand that for the convenience and conciseness of the description, the specific working process of the development terminal and the cryptographic unit creating device 200 described above can refer to the corresponding process of each step in the aforementioned method, and will not be repeated here.
[0094] The second embodiment
[0095] Please refer to Figure 5. The embodiment of this application also provides a data processing method, which can be applied to the above-mentioned cryptographic device 20. The cryptographic device 20 stores the image file created in the first embodiment, and the steps of the method can be executed or realized by the cryptographic device 20. The method can comprise the following steps:
[0096] Step 310, a cryptographic processing request and data to be processed corresponding to the cryptographic processing request are obtained;
[0097] Step 320, according to the cryptographic operation strategy corresponding to the cryptographic processing request, perform cryptographic operation on the data to be processed by running the image file to obtain the data to be processed after cryptographic operation.
[0098] In the second embodiment, the cryptographic operation strategy can be, but is not limited to, the above-mentioned digital signature, character encryption and decryption algorithm, data digest algorithm, hash function, transmission of data to be processed, etc. The cryptographic device can establish communication connections with other devices for data interaction. The data sent to the cryptographic device is usually the data to be processed, i.e. data that needs cryptographic operations such as digital signature, character encryption and decryption, data digest or hash function. For example, a user terminal can send the data to be processed to a cryptographic device, which encrypts the data to be processed with a character encryption and decryption algorithm and then sends the encrypted data to other terminals or servers.
[0099] When the terminal sends the data to be processed to the cryptographic device, it needs to request the cryptographic device to provide the corresponding cryptographic service. For example, the user terminal can inform the cryptographic device by sending an encryption request or a decryption request to the cryptographic device, so that the cryptographic device can encrypt the data to be processed according to the encryption request or decrypt the data to be processed according to the decryption request. The encryption or decryption operation can be realized by the above-mentioned cryptographic component itself, or the cryptographic component sends the data to be processed to the cryptographic operation unit, and the cryptographic operation unit realizes the encryption or decryption operation.
[0100] For example, when the cryptographic processing request is an encryption request, the encryption request may include the type of encryption strategy, such as digital signature, character encryption and decryption algorithm, data digest algorithm, etc., so that the cryptographic unit can encrypt the data to be processed according to the corresponding encryption strategy. Similarly, when the cryptographic processing request is a decryption request, the decryption request may include a corresponding decryption strategy so that the cryptographic device can decrypt the data to be processed accordingly.
[0101] In this embodiment, the cryptographic unit constructed in the first embodiment can provide cryptographic services in the form of a virtual image. When providing the cryptographic service, apart from the interface exposed by the service itself, the unit contains no other path by which the keys or the program implementing the cryptographic functions could be accessed, and the image file contains nothing that could threaten the security of the keys or of the cryptographic function implementation. For example, no process other than the cryptographic service can be started in the image file, and the image file cannot be accessed by users through an operating system. In this way, a layer of barrier is built around the cryptographic unit, improving the security of its data processing.
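The request handling of [0096] to [0101] as a worked example, added here and not code from the patent or from its applicant. Everything in it is an assumption not found in the source: the request format (a dict with "strategy", "data" and optional "params"), the strategy names, HMAC-SHA256 standing in for the digital-signature component, and a counter-mode keystream derived from HMAC-SHA256 with encrypt-then-MAC standing in for the character encryption component. The point it demonstrates is the closed interface of [0101]: the only operations reachable from outside are the entries of one table, anything else is refused, and decryption verifies its tag before it touches the ciphertext.

```python
"""Illustrative request handler for a minimal cryptographic unit (added example).

Assumptions (not from the source): request format, strategy names, HMAC-SHA256
as signature stand-in, HMAC-SHA256 counter-mode keystream + encrypt-then-MAC as
cipher stand-in. Standard library only.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

# Constructed keys for the example. In the unit they would be provisioned by the
# key management system and are reachable only through the service interface.
_SIGNING_KEY = b"constructed-signing-key-for-the-example"
_CIPHER_KEY = b"constructed-cipher-key-for-the-example"
_MAC_KEY = hmac.new(_CIPHER_KEY, b"mac", hashlib.sha256).digest()


class CryptoRequestError(ValueError):
    """Raised for any request the interface does not offer or cannot verify."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def op_digest(data: bytes, params: dict) -> bytes:
    """Data digest strategy with an explicit allow-list (no MD5 or SHA-1)."""
    algorithm = params.get("algorithm", "sha256")
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise CryptoRequestError(f"digest algorithm not offered: {algorithm}")
    return hashlib.new(algorithm, data).digest()


def op_sign(data: bytes, params: dict) -> bytes:
    """Signature stand-in: HMAC-SHA256 tag over the data."""
    return hmac.new(_SIGNING_KEY, data, hashlib.sha256).digest()


def op_verify(data: bytes, params: dict) -> bool:
    """Constant-time check of a tag produced by op_sign."""
    tag = params.get("tag")
    if not isinstance(tag, bytes):
        raise CryptoRequestError("verify requires params['tag'] as bytes")
    return hmac.compare_digest(op_sign(data, {}), tag)


def op_encrypt(data: bytes, params: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = params.get("nonce") or os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise CryptoRequestError("nonce must be 16 bytes")
    stream = _keystream(_CIPHER_KEY, nonce, len(data))
    body = nonce + bytes(x ^ y for x, y in zip(data, stream))
    return body + hmac.new(_MAC_KEY, body, hashlib.sha256).digest()


def op_decrypt(data: bytes, params: dict) -> bytes:
    """Verify the tag first; altered or truncated input is rejected, not decrypted."""
    if len(data) < NONCE_LEN + TAG_LEN:
        raise CryptoRequestError("ciphertext too short")
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(_MAC_KEY, body, hashlib.sha256).digest(), tag):
        raise CryptoRequestError("authentication failed")
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    stream = _keystream(_CIPHER_KEY, nonce, len(ct))
    return bytes(x ^ y for x, y in zip(ct, stream))


# The service interface: the only operations reachable from outside the unit.
STRATEGIES = {
    "digest": op_digest,
    "sign": op_sign,
    "verify": op_verify,
    "encrypt": op_encrypt,
    "decrypt": op_decrypt,
}


def handle_request(request: dict):
    """Steps 310/320: take the request and its data, select the strategy, run it."""
    try:
        strategy = request["strategy"]
        data = request["data"]
    except KeyError as missing:
        raise CryptoRequestError(f"missing field: {missing.args[0]}") from None
    if not isinstance(data, (bytes, bytearray)):
        raise CryptoRequestError("data must be bytes")
    operation = STRATEGIES.get(strategy)
    if operation is None:
        # Names not on the interface are refused; nothing is looked up dynamically.
        raise CryptoRequestError(f"strategy not offered: {strategy}")
    return operation(bytes(data), request.get("params") or {})
```

A caller sends, for instance, `handle_request({"strategy": "encrypt", "data": b"..."})` and later `{"strategy": "decrypt", "data": ciphertext}`; a request naming any strategy outside the table, a weak digest, or a ciphertext with one flipped byte all come back as `CryptoRequestError` rather than as partial output.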
[0102] In the second embodiment, the cryptographic device can construct an integrated cryptographic service system from a plurality of image files. For example, building multiple cryptographic units as virtual machines supports a large-scale, fast and horizontally scalable integrated cryptographic service system. As mentioned above, the image file constructed by this application improves security and speeds up startup, meeting a startup requirement of 10-20 ms, because the number of components it contains is reduced, its complexity is low and its size is small. This is faster than most current Docker-based cryptographic machines, and hundreds of virtual cryptographic machine image files can be started (loaded) within seconds. When they are not needed, they can be shut down quickly to reclaim resources.
[0103] In addition, unlike the development of embedded systems such as VxWorks, the cryptographic unit provided in this application can be a system image linked according to the microkernel mechanism, which runs on general-purpose machines or on virtualization layers such as VMware and QEMU rather than on embedded hardware. Users can build an integrated cryptographic service system from a large number of PC servers without buying many dedicated cryptographic machines, which reduces the cost of building the cryptographic service system.
[0104] Please refer to Figure 6. The embodiment of the present application also provides a data processing device 400, which can be applied to the above-mentioned cryptographic device and is used to implement each step of the data processing method. The data processing device 400 includes at least one software function module that can be stored in the memory of the cryptographic device, or solidified in the operating system (OS) of the cryptographic device, in the form of software or firmware. The processor executes the executable modules stored in the memory, such as the software function modules and computer programs included in the data processing device 400.
[0105] The data processing device 400 may include a third acquisition module 410 and a cryptographic operation module 420.
[0106] The third acquisition module 410 is configured to obtain a cryptographic processing request and the data to be processed corresponding to that request;
[0107] The cryptographic operation module 420 is configured to perform the cryptographic operation on the data to be processed by running the image file according to the cryptographic operation strategy corresponding to the cryptographic processing request, so as to obtain the processed data.
[0108] It should be noted that, as those skilled in the art will clearly understand, for convenience and conciseness of description the specific working process of the above-described cryptographic device 20 and data processing device 400 can refer to the corresponding steps of the above-mentioned method and is not repeated here.
[0109] In this embodiment, the processor, the communication module and the memory in the electronic device are electrically connected directly or indirectly to realize data transmission or interaction. For example, these elements can be electrically connected with each other through one or more communication buses or signal lines.
[0110] The processor can be an integrated circuit chip with signal processing capability. For example, the processor may be a Central Processing Unit (CPU), a Network Processor (NP), etc. It can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and it can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of this application.
[0111] The communication module is used to establish the communication connection between the electronic device and other devices (e.g., user terminals) through the network, and to send and receive data through the network.
[0112] The memory can be, but is not limited to, random access memory, read-only memory, programmable read-only memory, erasable programmable read-only memory, electrically erasable programmable read-only memory, etc. In this embodiment, the memory can be used to store cryptographic components, the dependency relationship between cryptographic components and dependent components, etc. Of course, the memory can also be used to store programs, and the processor will execute the programs after receiving the execution instructions.
[0113] The embodiment of the application also provides a computer readable storage medium. A computer program is stored in a readable storage medium, and when the computer program is run on a computer, it causes the computer to execute the cryptographic unit creation method and the data processing method as described in the above embodiments.
[0114] Through the description of the above embodiments, those skilled in the art can clearly understand that this application can be realized by hardware or by software plus necessary general hardware platform. Based on this understanding, the technical solution of this application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as CD-ROM, U disk, mobile hard disk, etc.) and includes several instructions to make a computer device (such as a personal computer)
[0115] To sum up, this application provides a cryptographic unit creation method, a data processing method, a device and electronic equipment. The creation method comprises the following steps: obtaining a cryptographic component for executing a cryptographic processing operation; according to the dependency relationship between the cryptographic component and dependent components, acquiring each type of target dependent component corresponding to the cryptographic component; and, through a construction tool, encapsulating the cryptographic component and each type of target dependent component by static linking into an image file representing the cryptographic unit installation package, the image file being a file that includes the operating system. In this scheme, the cryptographic component and the target dependent components are first separated and then encapsulated into an image file by static linking, so that the corresponding cryptographic operation can be performed at runtime. Because only these components are included, the cryptographic unit is small, which reduces the attack surface and improves data security; the small size also improves startup speed and the speed of resource recovery when the cryptographic service function is used.
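The dependency step of the creation method summarized in [0115] as a worked example, added here and not code from the patent or from its applicant: starting from the selected cryptographic component, collect every dependent component it needs transitively, order them so that each dependency is linked before what uses it, reject dependency cycles and unknown components, and report which catalogue entries stay out of the image. The component names and the dependency table are constructed for the example; the patent does not list them.

```python
"""Illustrative dependency resolution for composing a cryptographic unit image
(added example). The catalogue below is constructed; names are not from the source.
"""

# Constructed catalogue: component -> components it depends on.
DEPENDENCIES = {
    "sm2_sign": ["bignum", "sm3_digest", "entropy"],
    "sm4_cipher": ["block_modes"],
    "sm3_digest": ["libc_min"],
    "bignum": ["libc_min"],
    "block_modes": ["libc_min"],
    "entropy": ["libc_min"],
    "libc_min": [],
    # Present in the catalogue but never pulled in by a cryptographic component,
    # so it never reaches the image: this is the attack surface left out.
    "shell": ["libc_min", "tty"],
    "tty": ["libc_min"],
}


class DependencyError(ValueError):
    """Raised for a cycle or for a component the catalogue does not know."""


def resolve_link_set(components, deps=DEPENDENCIES):
    """Return the ordered list of components to statically link for `components`.

    Each dependency precedes everything that needs it, each component appears
    once, and only the transitive closure of the requested components is included.
    """
    order = []
    done = set()
    in_progress = []  # current DFS path, used to report a cycle precisely

    def visit(name):
        if name in done:
            return
        if name in in_progress:
            cycle = in_progress[in_progress.index(name):] + [name]
            raise DependencyError("dependency cycle: " + " -> ".join(cycle))
        if name not in deps:
            raise DependencyError(f"unknown component: {name}")
        in_progress.append(name)
        for dependency in deps[name]:
            visit(dependency)
        in_progress.pop()
        done.add(name)
        order.append(name)  # post-order: dependencies are appended first

    for component in components:
        visit(component)
    return order


def excluded_components(components, deps=DEPENDENCIES):
    """Catalogue entries that do not make it into the image for `components`."""
    linked = set(resolve_link_set(components, deps))
    return sorted(set(deps) - linked)
```

For a unit that only signs, `resolve_link_set(["sm2_sign"])` yields the link order `libc_min, bignum, sm3_digest, entropy, sm2_sign`, and `excluded_components(["sm2_sign"])` shows that the shell, terminal and cipher code never enter the image. A second unit built for `["sm2_sign", "sm4_cipher"]` simply gets a longer closure; nothing outside the closure is linked.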