
CN118900176A - Quantum fusion password card and data processing method - Google Patents


Info

Publication number: CN118900176A
Application number: CN202311832736.0A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Prior art keywords: password, quantum, main control, cryptographic, control chip
Inventors: 左崴东, 李成东, 窦东瑜
Assignee (current and original): Cas Quantum Network Co ltd
Landscape: Storage Device Security

Abstract

The embodiment of the invention relates to the technical field of quantum communication and discloses a quantum fusion cryptographic card and a data processing method. The quantum fusion cryptographic card includes a main control chip and a cryptographic chip. The main control chip acquires a quantum key from a quantum key distribution network through a quantum key interface and receives and responds to cryptographic service requests of upper-layer applications through a second PCI-E interface. The cryptographic chip is connected to the main control chip through a first PCI-E interface, obtains the quantum key from the main control chip, and executes cryptographic operations and/or key operations. The card thereby provides quantum security capability together with processing of cryptographic service requests, meeting the basic requirements of enterprise data value-added services.

Description

Quantum fusion password card and data processing method
Technical Field
The embodiment of the invention relates to the technical field of quantum communication, in particular to a quantum fusion password card and a data processing method.
Background
PCI cryptographic cards are implemented in two ways, in software and in hardware: a software implementation realizes the cryptographic algorithm on an FPGA or DSP chip, while a hardware implementation uses a dedicated cryptographic algorithm chip. A PCI cryptographic card plays a key role in data encryption and decryption within a computer system and mainly provides the following functions:
Cryptographic operations: a variety of cryptographic algorithms are implemented, including symmetric algorithms, asymmetric algorithms and hash algorithms. Sensitive data is encrypted so that its confidentiality is protected during transmission and storage and unauthorized users are prevented from accessing or stealing it; the encrypted data can likewise be decrypted so that legitimate users can recover and use it when needed.
Key management: the keys required by the various cryptographic algorithms are generated, stored and managed. The card can generate high-strength random keys, store them, and import and export them, ensuring the security and reliability of the keys.
Key storage: a PCI cryptographic card generally has a secure storage area inside the cryptographic chip for sensitive data, keys, certificates and similar information. This storage area is usually protected at the hardware level and offers strong resistance against illegitimate external access.
However, the inventors have found that quantum computing may weaken the security of many of the cryptographic algorithms used by current PCI cryptographic cards, exposing information systems to potential security risks. Moreover, a PCI cryptographic card only performs specific encryption and decryption operations and key storage; it cannot process upper-layer cryptographic service requests such as identity authentication and secure data transmission. Against the background of digital transformation, it therefore cannot meet the data value-added service requirements of enterprises.
Disclosure of Invention
The embodiment of the invention aims to provide a quantum fusion cryptographic card and a data processing method that realize quantum security capability and can provide cryptographic services without the participation of the host computer, thereby meeting the data value-added service requirements of enterprises.
To solve the above technical problems, an embodiment of the present invention provides a quantum fusion cryptographic card including: a first PCI-E interface; a main control chip carrying a real-time operating system, wherein the main control chip acquires a quantum key from a quantum key distribution network through a quantum key interface and receives and responds to cryptographic service requests of an upper-layer application through a cryptographic service interface, the cryptographic service interface being a second PCI-E interface; and a cryptographic chip connected to the main control chip through the first PCI-E interface, wherein the cryptographic chip obtains the quantum key from the main control chip to execute cryptographic operations and/or key operations.
The embodiment of the invention also provides a data processing method applied to the quantum fusion cryptographic card, comprising the following steps: the main control chip receives a cryptographic service request of an upper-layer application, converts it into a cryptographic operation instruction and transmits the instruction to the cryptographic chip, which executes the instruction and feeds back the execution result to the main control chip; the main control chip then responds to the cryptographic service request according to the execution result.
In an embodiment of the invention, the quantum fusion cryptographic card comprises a first PCI-E interface, a second PCI-E interface, a main control chip and a cryptographic chip. The main control chip carries a real-time operating system, obtains a quantum key from a quantum key distribution network through a quantum key interface, and receives and responds to cryptographic service requests of upper-layer applications through the cryptographic service interface; the cryptographic chip is connected to the main control chip through the first PCI-E interface and performs cryptographic operations and/or key operations using the quantum key obtained from the main control chip. With the real-time operating system added, the general cryptographic service interface (that is, the second PCI-E interface) provides general cryptographic services to the cryptographic service layer and the application layer: a cryptographic service request from the upper application layer is converted into specific basic cryptographic operation requests, and the cryptographic operations and/or key operations are carried out using the quantum key obtained from the quantum key distribution network. The card thus realizes quantum security capability and processing of cryptographic service requests, meeting the basic requirements of enterprise data value-added services.
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which the figures of the drawings are not to be taken in a limiting sense, unless otherwise indicated.
FIG. 1 is a schematic diagram of a quantum fusion cryptographic card according to an embodiment of the invention;
FIG. 2 is a flow chart of a data processing method according to an embodiment of the invention;
FIG. 3 is a schematic diagram of virtualizing a quantum fusion cryptographic card into multiple virtual cryptographic cards according to an embodiment of the invention;
FIG. 4 is a schematic diagram of the operation set comparison management function of a quantum fusion cryptographic card according to an embodiment of the invention;
FIG. 5 is a schematic diagram of identity authentication and encrypted transmission by a quantum fusion cryptographic card, according to an embodiment of the invention;
FIG. 6 is a flow chart of authentication and encrypted transmission by a quantum fusion cryptographic card according to an embodiment of the invention;
FIG. 7 is a schematic diagram of file encryption using a quantum fusion cryptographic card in accordance with an embodiment of the invention;
FIG. 8 is a schematic diagram of a quantum fusion cryptographic card in accordance with an embodiment of the invention applied to a distributed storage system;
FIG. 9 is a schematic diagram of a quantum fusion cryptographic card implementing secure mutual control using a network card according to an embodiment of the invention.
Detailed Description
Against the background of digital transformation, enterprises combine cloud services to realize distributed, multi-cloud, multi-point and cross-domain circulation of new business data, which has become a basic requirement of data value-added business; effectively addressing the associated security management responsibility, data abuse, data leakage and similar problems has become increasingly urgent. Data must flow securely across different security domains while remaining secure and controllable. Large groups need to realize intercommunication security control, cross-domain remote control instruction issuing, operation set management and similar functions for the data in each security domain. At the same time, enterprises need to build integrated, fully fused applications and, in combination with highly sensitive services, must deal with policy issuing, policy triggering, and the isolation and intercommunication of control information flows and service data flows in intra-domain and cross-domain scenarios and in virtualized operating environments.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the following detailed description of the embodiments of the present application will be given with reference to the accompanying drawings. However, those of ordinary skill in the art will understand that in various embodiments of the present application, numerous technical details have been set forth in order to provide a better understanding of the present application. The claimed application may be practiced without these specific details and with various changes and modifications based on the following embodiments. The following embodiments are divided for convenience of description, and should not be construed as limiting the specific implementation of the present application, and the embodiments can be mutually combined and referred to without contradiction.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
An embodiment of the present invention relates to a quantum fusion cryptographic card. In this embodiment, the card includes: a first PCI-E interface; a main control chip loaded with a real-time operating system, where the main control chip can be understood as the main processor; it acquires a quantum key from a quantum key distribution network through a quantum key interface and receives and responds to cryptographic service requests of upper-layer applications through a cryptographic service interface, which is a second PCI-E interface; and a cryptographic chip connected to the main control chip through the first PCI-E interface, where the cryptographic chip can be understood as a cryptographic coprocessor that obtains the quantum key from the main control chip to execute cryptographic operations and/or key operations. In this way the card realizes quantum security capability and can provide cryptographic services without the participation of the host, meeting the data value-added service requirements of enterprises. The implementation details of the quantum fusion cryptographic card of this embodiment are described below; the description is provided for ease of understanding and is not necessary to implement the embodiment.
As shown in fig. 1, the quantum fusion cryptographic card of this embodiment includes a first PCI-E interface 101, a main control chip 102, a cryptographic chip 103, a second PCI-E interface 104 and a quantum key interface 105. The main control chip 102 carries a real-time operating system (RTOS), which runs and manages system resources in a defined order and provides a consistent basis for developing application programs. The main control chip 102 obtains the quantum key from the quantum key distribution network through the quantum key interface 105 and receives and responds to cryptographic service requests of the upper-layer application through the cryptographic service interface (that is, the second PCI-E interface 104). The cryptographic chip 103 is connected to the main control chip through the first PCI-E interface 101 and obtains the quantum key from the main control chip to execute cryptographic operations and/or key operations.
In one example, the quantum fusion cryptographic card shown in fig. 1 further includes: a synchronous dynamic random access memory 106 (SDRAM) connected to the main control chip 102, which provides dynamic data storage to the main control chip; an embedded multimedia card 107 (eMMC) connected to the main control chip 102, which provides persistent data storage to the main control chip; a quantum random number generator chip 108 (QRNG) connected to the main control chip 102, which generates quantum random numbers and provides them to the main control chip, low-speed chips such as the QRNG being connected to the main control chip 102 over a serial bus; and a USB authentication interface 109 connected to the main control chip 102, which provides a channel through which the main control chip 102 authenticates the identity of a device, such devices including smart cryptographic keys.
In addition, the quantum fusion cryptographic card shown in fig. 1 may further include: an algorithm chip 110 connected to the cryptographic chip 103, which provides preset cryptographic algorithms for cryptographic and key operations; the algorithm chip 110 can be understood as a cryptographic chip implementing a non-public algorithm such as SM1, responsible only for that single algorithm's operations. A random number generator 111 connected to the cryptographic chip 103 generates random numbers and provides them to the cryptographic chip 103. A key memory 112 connected to the cryptographic chip 103 stores the quantum key.
The main control chip 102 provides general cryptographic services such as certificate parsing, certificate authentication, and confidentiality, integrity and non-repudiation of information to the upper-layer application through the unified second PCI-E interface 104. The real-time operating system running on the main control chip 102 converts a cryptographic service request of the upper-layer application into specific basic cryptographic operation requests and invokes the cryptographic chip 103 through the first PCI-E interface 101 to carry out the specific cryptographic and key operations. In other words, the first PCI-E interface 101 connects to the cryptographic chip 103 to encrypt and decrypt data, the second PCI-E interface 104 provides cryptographic services to the outside, and the main control chip 102 can counter the potential threat of quantum computing by integrating the real-time operating system and the quantum random number chip, supporting rapid integration of post-quantum cryptography (PQC) algorithms and a quantum key distribution (QKD) system, and increasing the entropy of its random numbers.
The quantum fusion cryptographic card of this embodiment is based on quantum key distribution network (QKDN) technology merged with classical cryptographic application technology. Using the cryptographic card as the carrier, it builds a new management and control system centred on data security, concentrating on a unified cooperative security supervision mechanism and operating environment for data that circulate or are operated on across multiple cloud points, and is suited to cooperative management of data isolation, data intercommunication and data processing logic for new business in a cloud service environment. The card form factor meets the miniaturization and flexible deployment requirements of quantum cryptographic application equipment, and as a quantum fusion cryptographic card integrating a real-time operating system it allows flexible deployment of quantum security capability. Because the card carries an embedded operating system it also has general computing capability and can host deployed applications, enabling custom applications inside the cryptographic device. The card can further reserve a restricted management interface so that trusted applications can be imported into it flexibly: a custom application runs inside the card, invokes the card's cryptographic resources internally, and provides services to the outside through the card. Quantum security capability is thereby realized, cryptographic services can be provided without the participation of the host, and the data value-added service requirements of enterprises are met.
Another embodiment of the present invention relates to a data processing method, which is applied to the quantum fusion cryptographic card described above, and the specific method is shown in fig. 2.
In step 201, the main control chip receives a cryptographic service request of an upper layer application, and converts the cryptographic service request into a cryptographic operation instruction to be transmitted to the cryptographic chip, wherein the cryptographic chip executes the cryptographic operation instruction and feeds back an execution result to the main control chip.
In step 202, the main control chip responds to the password service request according to the execution result.
In one example, the cryptographic cards in the related art generally have only three authority levels, administrator, operator and super administrator; cryptographic operations are generally not subject to fine-grained authority control and users are not distinguished, whereas each user and service should have an independent identifier so that they can be told apart. In this embodiment, as shown in fig. 3, the quantum fusion cryptographic card is virtualized into multiple virtual cryptographic cards in one-to-one correspondence with multiple user virtual machines of the upper-layer application, each virtual cryptographic card including a virtual main control chip and a virtual cryptographic chip. That is, user and service isolation is achieved through hardware virtualization of the cryptographic card: based on SR-IOV technology, the card is accessed from within the virtual machine directly through a hardware I/O channel (DMA). SR-IOV virtualizes one physical quantum fusion cryptographic card into several virtual cryptographic cards and distributes them to several users; each user has an independent key storage space and I/O channel, giving secure isolation of keys. As shown in FIG. 3, the quantum fusion cryptographic card is registered as a device on the host using SR-IOV virtualization, where SR-IOV allows the hardware resources of a PCI Express (PCIe) device to be partitioned into one or more virtual interfaces called Virtual Functions (VFs). One VF can be used for key import and key management operations; that interface also serves as the quantum key interface, and the quantum key can be imported from quantum equipment connected through the host driver. Another VF can be used for cryptographic operations.
This allows the card to separate its external key path from its data flow. Inside the card, the cryptographic chip is likewise registered with the embedded operating system in SR-IOV virtualized form, so isolation of cryptographic resources is realized at the lowest layer.
For the quantum fusion cryptographic card, each virtual cryptographic card is assigned to a user's virtual machine by PCIe passthrough, and the driver in that virtual machine realizes the cloud platform service scenario for the corresponding cryptographic application function. Step 201 then specifically comprises: the virtual main control chip receives a cryptographic service request sent by the corresponding user virtual machine, converts it into a cryptographic operation instruction and transmits the instruction to the virtual cryptographic chip of the same virtual cryptographic card, which executes the instruction and feeds back the execution result to the virtual main control chip. Step 202 specifically comprises: the virtual main control chip responds to the cryptographic service request of the corresponding user virtual machine according to the execution result. Through the real-time operating system carried by the main control chip, the quantum fusion cryptographic card of this embodiment isolates its internal resources and isolates multiple services and multiple users. It has enhanced general computing capacity and can offer a customized interface to applications; the customized interface can be realized through firmware upgrades, and classifying the device firmware into levels simplifies upgrading part of it. Fine-grained authority control in the embedded operating system supports distributed system scenarios.
In addition, this embodiment can realize operation set comparison management, dividing the security policy execution code and the security policy decision code into two components and thereby providing an enhanced security mechanism for the system. Specifically, the quantum fusion cryptographic card has an operation set comparison function and a secure policy storage function: the operation set contains at least one security policy, which is stored securely through the secure policy storage function, and the cryptographic service request includes an execution policy query request. In this service scenario, the virtual main control chip receiving a cryptographic service request from the corresponding user virtual machine specifically comprises: the virtual main control chip receives an execution policy query request from the corresponding user virtual machine, the request carrying execution policy information; the virtual main control chip compares the carried execution policy with the stored security policy or policies to obtain decision information for the execution policy, and feeds that decision information back to the corresponding user virtual machine.
That is, the quantum fusion cryptographic card of this embodiment has operation set comparison management and divides the security policy execution code and the security policy decision code into two components, providing the system with an enhanced security mechanism: mandatory access control (MAC) is enforced. Under MAC the owner of a resource cannot decide who may access it; access is decided by the security policy, which consists of a series of access rules, and only users with specific rights may operate on the security policy. Every system call executed by a user program is checked against the security policy: if the policy allows the operation it continues, otherwise an error message is returned to the application, as shown in FIG. 4.
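To make the split between the policy decision component and the policy execution component concrete, here is an added example in Go; it is not code from the patent or from Cas Quantum Network, and the rule shape, the `PolicyStore`, `Decide` and `Enforce` names and the sample subjects and key slots are my own assumptions. The decision component only answers "allowed or not" and can only be changed by an administrator subject, while the enforcement component runs the requested operation solely on an allow and otherwise returns an error to the caller, as the MAC description above requires.

```go
package main

import (
	"errors"
	"fmt"
)

// Rule is one access rule of the security policy: Subject may perform
// Operation on Resource. Anything not covered by a rule is denied.
type Rule struct {
	Subject, Operation, Resource string
}

// Decision is the decision information fed back for an execution policy
// query; it carries no capability to perform the operation itself.
type Decision struct {
	Allowed bool
	Reason  string
}

var (
	ErrPolicyDenied  = errors.New("operation denied by security policy")
	ErrNotAuthorized = errors.New("subject has no right to operate on the security policy")
)

// PolicyStore is the decision component. It holds the stored operation set
// and answers queries, but never executes an operation.
type PolicyStore struct {
	rules  map[Rule]bool
	admins map[string]bool // subjects allowed to change the policy
}

func NewPolicyStore(admins ...string) *PolicyStore {
	p := &PolicyStore{rules: map[Rule]bool{}, admins: map[string]bool{}}
	for _, a := range admins {
		p.admins[a] = true
	}
	return p
}

// AddRule is the only path that changes the stored policy; under MAC only
// subjects with the administrator right may take it.
func (p *PolicyStore) AddRule(by string, r Rule) error {
	if !p.admins[by] {
		return ErrNotAuthorized
	}
	p.rules[r] = true
	return nil
}

// Decide compares the execution policy carried in a query (who wants to do
// what to which resource) against the stored rules. The resource owner has
// no say: only a matching stored rule allows the operation.
func (p *PolicyStore) Decide(subject, operation, resource string) Decision {
	if p.rules[Rule{subject, operation, resource}] {
		return Decision{true, "matched stored rule"}
	}
	return Decision{false, fmt.Sprintf("no rule allows %q to %s %q", subject, operation, resource)}
}

// Enforce is the execution component. It consults the decision component
// first and runs op only on an allow; otherwise the error goes back to the
// application and op is never invoked.
func Enforce(p *PolicyStore, subject, operation, resource string, op func() error) error {
	d := p.Decide(subject, operation, resource)
	if !d.Allowed {
		return fmt.Errorf("%w: %s", ErrPolicyDenied, d.Reason)
	}
	return op()
}

func main() {
	store := NewPolicyStore("security-admin")
	// Constructed policy: user VM "vm-7" may encrypt with key slot 3 only.
	if err := store.AddRule("security-admin", Rule{"vm-7", "encrypt", "keyslot-3"}); err != nil {
		panic(err)
	}
	for _, q := range []Rule{{"vm-7", "encrypt", "keyslot-3"}, {"vm-7", "export", "keyslot-3"}} {
		err := Enforce(store, q.Subject, q.Operation, q.Resource, func() error {
			fmt.Println("executed", q.Operation, "on", q.Resource)
			return nil
		})
		fmt.Println(q, "->", err)
	}
}
```

The point of returning `Decision` rather than a bare bool is that the query interface can hand the user VM a reason without giving it any handle on the resource; the enforcement side is the only code that ever touches the operation.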
In another service scenario, the quantum fusion cryptographic card provides an identity authentication service based on a PQC algorithm to the application. Specifically, the main control chip uses the PQC algorithm to digitally sign and verify the authentication message, and the cryptographic chip supplies the random numbers generated by the QRNG and the RNG for this purpose. The random number may be obtained by XORing the output of the QRNG (quantum random number generator) with that of the RNG (for example a classical random number generator based on white noise). After authentication is complete, QKD performs quantum key distribution, delivering the quantum key in encrypted form directly into the quantum fusion cryptographic card, where the cryptographic chip stores it in the key memory. In the subsequent transmission, the quantum key is used to symmetrically encrypt the data that must be transmitted securely, as shown in fig. 5. In this scenario the cryptographic service request includes a data encryption and decryption request, and the steps by which the main control chip handles it are shown in fig. 6:
In step 601, the main control chip receives a data encryption and decryption request from an upper-layer application; the request carries the data that must be transmitted securely.
In step 602, the main control chip performs identity authentication of the upper-layer application based on the PQC algorithm. In one example, the main control chip digitally signs the authentication message using the PQC algorithm, where the random numbers used to generate the digital signature comprise the quantum random numbers from the QRNG and/or the random numbers from the RNG, supplied by the cryptographic chip.
In step 603, after identity authentication has passed, the main control chip obtains the quantum key from the quantum key distribution network and transmits it to the cryptographic chip.
In step 604, the main control chip performs one-time-pad data transmission by invoking the cryptographic chip. Specifically, the main control chip converts the data encryption and decryption request into a cryptographic operation instruction and transmits it to the cryptographic chip; the instruction indicates that the data to be transmitted securely is to be digitally signed and/or symmetrically encrypted. Under the protection of the quantum key, one-time-pad data transmission is achieved.
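The random number source used for the signature in step 602, combined from QRNG and RNG output by XOR as described above, can be shown in Go. This is an added example, not code from the patent or its assignee: `XORReader`, `CombineRandom` and `GenerateSigningKey` are assumed names, the QRNG stream in `main` is constructed, and Ed25519 stands in for the PQC signature algorithm the page does not name. It demonstrates that XORing two independent streams gives output at least as unpredictable as the stronger one, and that a source which runs dry surfaces as an error rather than silently shortening the key material.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"io"
)

// XORReader combines two independent entropy sources byte-wise with XOR.
// If either source is unpredictable the combined stream is too, so a bias
// or failure in one source cannot weaken the other. The sources must be
// independent: XORing a stream with itself yields all zeros.
type XORReader struct {
	A, B io.Reader
}

// Read fills p with A[i] ^ B[i]. It insists on full reads from both sources,
// so a source that runs dry produces an error instead of a buffer that is
// only partly combined.
func (x XORReader) Read(p []byte) (int, error) {
	a := make([]byte, len(p))
	b := make([]byte, len(p))
	if _, err := io.ReadFull(x.A, a); err != nil {
		return 0, fmt.Errorf("entropy source A: %w", err)
	}
	if _, err := io.ReadFull(x.B, b); err != nil {
		return 0, fmt.Errorf("entropy source B: %w", err)
	}
	for i := range p {
		p[i] = a[i] ^ b[i]
	}
	return len(p), nil
}

// CombineRandom returns n bytes of combined randomness from the two sources.
func CombineRandom(qrng, rng io.Reader, n int) ([]byte, error) {
	out := make([]byte, n)
	if _, err := io.ReadFull(XORReader{A: qrng, B: rng}, out); err != nil {
		return nil, err
	}
	return out, nil
}

// GenerateSigningKey derives the key pair used to sign the authentication
// message from the combined randomness. Ed25519 is a stand-in only; the page
// does not name the PQC signature algorithm the card uses.
func GenerateSigningKey(qrng, rng io.Reader) (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(XORReader{A: qrng, B: rng})
}

func main() {
	// Constructed stand-in for the QRNG stream; a real card would read the
	// quantum random number chip over its serial bus.
	qrng := bytes.NewReader(bytes.Repeat([]byte{0xA5}, 64))
	pub, _, err := GenerateSigningKey(qrng, rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signing public key: %x\n", pub)
}
```

Any consumer that takes an `io.Reader` for randomness can be handed the combiner directly, so the same construction serves key generation, nonces and challenge values without the callers knowing two sources are involved.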
That is, through the combination of symmetric algorithms, asymmetric algorithms, hash algorithms, specific cryptographic operations and key operations in its embedded operating system, the quantum fusion cryptographic card converts the cryptographic service request of the upper-layer application into specific basic cryptographic operation requests, invokes the cryptographic chip to encrypt and digitally sign the transmitted information, and ensures the confidentiality, authenticity, integrity and non-repudiation of the transmission.
Taking file encryption as an example, the conventional flow and the flow of this embodiment are compared below.
In the conventional flow, confidentiality of the file content is ensured as follows:
a) obtain the symmetric algorithm and asymmetric algorithm identifiers;
b) invoke the general cryptographic service to generate a symmetric key;
c) invoke the symmetric encryption service to encrypt the file content with the symmetric key;
d) invoke the asymmetric encryption service to encrypt the symmetric key with the encryption public key of the electronic file recipient or of the application system;
e) package the encrypted symmetric key and the symmetrically encrypted file content in digital envelope format to form the encrypted file content;
f) store the algorithm identifier, algorithm mode and number of feedback bits in the security attributes.
In the conventional flow, integrity and non-repudiation of the file content are ensured as follows:
a) obtain the signature algorithm and hash algorithm identifiers;
b) invoke the hash algorithm service to compute a digest of the file content plaintext;
c) digitally sign the digest value with the signing private key of the business operator or of the application system;
d) fill the signature value, algorithm identifier and signing certificate into the security attributes in sequence.
In this embodiment, quantum key distribution replaces the digital envelope, and the real-time operating system on the main control chip combines the above operations, so that the application completes the whole flow through a single call, which eases the adoption of cryptographic applications.
Specifically, as shown in fig. 7, after receiving a data encryption and decryption request from an upper-layer application, the main control chip invokes the cryptographic chip to perform a digest operation on the data to be transmitted securely that is carried in the request, that is, to compute a digest of the file content plaintext. It then invokes the cryptographic chip to digitally sign the digest value with the signing private key of the business operator or application system, and splices the signed information with the plaintext (the data to be transmitted securely) to obtain the spliced information. The main control chip transmits the quantum key obtained from the quantum key distribution network to the cryptographic chip, which uses the quantum key as the symmetric key to encrypt the spliced information; the resulting ciphertext is transmitted to the receiving end. The receiving end performs the inverse of the sending end's operations, the symmetric key needed for decryption being the quantum key distributed by the quantum key distribution network. Through the file encryption flow of fig. 7, the cryptographic service request of the upper-layer application is converted into specific basic cryptographic operation requests, and the transmitted information is encrypted and digitally signed, ensuring confidentiality, authenticity, integrity and non-repudiation of the transmitted information at quantum security level.
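The fig. 7 flow (digest, sign the digest, splice signature and plaintext, symmetrically encrypt the splice under the quantum key, then reverse the steps at the receiver) written out in Go as an added example; it is not code from the patent or its assignee. `Protect`, `Unprotect` and `QuantumKey` are assumed names, the 32-byte quantum key and the file content are constructed, AES-256-GCM stands in for the card's unnamed symmetric algorithm and Ed25519 for its unnamed signature algorithm.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// QuantumKey stands in for the 256-bit key the card receives from the QKD
// network and keeps in its key memory; after distribution both endpoints
// hold the same value. Constructed for this example only.
var QuantumKey = bytes.Repeat([]byte{0x5A}, 32)

// newAEAD wraps the quantum key in AES-256-GCM, a stand-in for the card's
// symmetric algorithm, which the page does not name.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is the sending side: digest the plaintext, sign the digest,
// splice signature || plaintext, and encrypt the splice under the quantum
// key. The random GCM nonce is prepended to the ciphertext.
func Protect(plaintext []byte, signer ed25519.PrivateKey, key []byte) ([]byte, error) {
	digest := sha256.Sum256(plaintext)
	sig := ed25519.Sign(signer, digest[:])
	spliced := make([]byte, 0, len(sig)+len(plaintext))
	spliced = append(spliced, sig...)
	spliced = append(spliced, plaintext...)

	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, spliced, nil), nil
}

// Unprotect is the receiving side: decrypt with the same quantum key, split
// off the signature, recompute the digest and verify it. Tampering, a
// mismatched key, or a signature from another party all surface as errors.
func Unprotect(ciphertext []byte, signerPub ed25519.PublicKey, key []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	spliced, err := aead.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err) // wrong key or modified ciphertext
	}
	if len(spliced) < ed25519.SignatureSize {
		return nil, errors.New("spliced message shorter than a signature")
	}
	sig, plaintext := spliced[:ed25519.SignatureSize], spliced[ed25519.SignatureSize:]
	digest := sha256.Sum256(plaintext)
	if !ed25519.Verify(signerPub, digest[:], sig) {
		return nil, errors.New("signature verification failed")
	}
	return plaintext, nil
}

func main() {
	// Signing key of the business operator; Ed25519 stands in for the PQC algorithm.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ct, err := Protect([]byte("constructed file content"), priv, QuantumKey)
	if err != nil {
		panic(err)
	}
	pt, err := Unprotect(ct, pub, QuantumKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d ciphertext bytes, recovered: %q\n", len(ct), pt)
}
```

Because the signature sits inside the encrypted splice, the receiver learns who signed only after decrypting, and the GCM tag rejects modified ciphertext before any signature check runs. A GCM nonce must never repeat under one key, so a quantum key used this way should protect a bounded number of messages, which matches the page's one-time use of distributed keys.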
In another business scenario, a distributed storage system, the cryptographic service request includes a data access request of the distributed storage system. As shown in fig. 8, the quantum fusion cryptographic cards are divided into a master mode and a slave mode, and key synchronization between devices is realized by a driver deployed in the host. A driver must also be deployed at the client to realize this function; the client driver is responsible for file slicing, and it accesses the monitor's metadata before accessing the data on the OSD (object storage device). The quantum fusion cryptographic card at the monitor device is the first quantum fusion cryptographic card, in master mode, and carries the key management function; the monitor device stores the slice metadata, so the mapping relation can be recorded there, and the first card in master mode stores all keys together with a table mapping keys to OSDs. The OSD stores the data, and the quantum fusion cryptographic card at the OSD is the second quantum fusion cryptographic card, in slave mode, storing that OSD's keys; each OSD key is issued by the first quantum fusion cryptographic card at the monitor device.
That is, when the quantum fusion cryptographic card is a first quantum fusion cryptographic card in a master mode, a quantum key for accessing data is issued to a second quantum fusion cryptographic card in a slave mode; when the quantum fusion cryptocard is a second quantum fusion cryptocard in a slave mode, a quantum key for accessing data is received from the first quantum fusion cryptocard in a master mode.
In one example, the quantum fusion cryptographic card supports secure mutual control between cards, so that information such as state and keys is exchanged in a secure, mutually controlled manner. The card supports a master/slave mode: under secure mutual control, the master card (the first quantum fusion cryptographic card in master mode) can be selected manually or according to a policy to carry part of the key management function and to manage and control the second quantum fusion cryptographic card in slave mode. Through the secure mutual control function, the master card can issue keys to the slave card, control the state of those keys and monitor their usage, realizing secure coordination among multiple points under key protection. That is, secure mutual control exists between the first quantum fusion cryptographic card and the second quantum fusion cryptographic card, and its mutual control parameters include state information, user information and key information. The first quantum fusion cryptographic card supports encrypted issuing of control instructions and security policies, where the control instructions include cryptographic operation instructions.
In addition, since the quantum fusion cryptographic card has no data communication function of its own, communication between quantum fusion cryptographic cards on different devices is realized by the host driver calling the network card to forward the traffic, with the driver acting as a relay, as shown in fig. 9. The transfer of quantum keys from the quantum key distribution device to the quantum fusion cryptographic card is likewise protected by cryptographic techniques, for example confidentiality protection with the SM4 algorithm and integrity protection with the SM3 algorithm.
In this embodiment, through the cryptographic service provided by the quantum fusion cryptographic card, functions such as device identity authentication and operation-set comparison management can be realized, and operations such as I/O blocking, policy issuing and updating, protection of data and important parameters, protocol protection, starting of key processes and basic cryptographic operations can be triggered according to a preset policy for the migration of quantum keys from the QKD network to the quantum fusion cryptographic card. Moreover, by virtualizing the quantum fusion cryptographic card into a plurality of virtual cryptographic cards in one-to-one correspondence with a plurality of user virtual machines, user and/or service isolation can be realized, enabling fine-grained authority control.
The above method is divided into steps, which are only for clarity of description, and may be combined into one step or split into multiple steps when implemented, so long as they include the same logic relationship, and they are all within the protection scope of this patent; it is within the scope of this patent to add insignificant modifications to the algorithm or flow or introduce insignificant designs, but not to alter the core design of its algorithm and flow.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples of carrying out the invention and that various changes in form and details may be made therein without departing from the spirit and scope of the invention.

Claims (10)

1. A quantum fusion cryptographic card, comprising:
A first PCI-E interface;
the system comprises a main control chip carrying a real-time operating system, wherein the main control chip acquires a quantum key from a quantum key distribution network through a quantum key interface, receives and responds to a password service request of an upper layer application through a password service interface, and the password service interface is a second PCI-E interface;
and the password chip is connected with the main control chip through the first PCI-E interface, wherein the password chip acquires a quantum key from the main control chip to execute password operation and/or key operation.
2. The quantum fusion cryptographic card of claim 1, further comprising:
the synchronous dynamic random access memory SDRAM is connected with the main control chip, wherein the SDRAM provides data dynamic storage for the main control chip;
An embedded multimedia card (eMMC) connected with the main control chip, wherein the eMMC provides persistent storage of data for the main control chip;
the quantum random number chip is connected with the main control chip, and generates a quantum random number and provides the quantum random number for the main control chip;
And the USB authentication interface is connected with the main control chip, wherein the USB authentication interface provides a channel for the main control chip to authenticate the identity of equipment, and the equipment comprises an intelligent password key.
3. The quantum fusion cryptographic card of claim 1, further comprising:
the algorithm chip is connected with the password chip, and provides a preset password algorithm for executing password operation and key operation;
A random number generator connected to the cryptographic chip, wherein the random number generator generates a random number and provides the random number to the cryptographic chip;
And the key memory is connected with the password chip, and the key memory stores the quantum key.
4. A data processing method applied to the quantum fusion cryptographic card as claimed in any one of claims 1 to 3, characterized in that the method comprises:
the method comprises the steps that a main control chip receives a password service request of an upper layer application, converts the password service request into a password operation instruction and transmits the password operation instruction to the password chip, wherein the password chip executes the password operation instruction and feeds back an execution result to the main control chip;
and the main control chip responds to the password service request according to the execution result.
5. The method according to claim 4, wherein the quantum fusion cryptographic card is virtualized into a plurality of virtual cryptographic cards, the plurality of virtual cryptographic cards are in one-to-one correspondence with a plurality of user virtual machines of an upper application, each virtual cryptographic card includes a virtual main control chip and a virtual cryptographic chip, and the main control chip receives a cryptographic service request of the upper application and converts the cryptographic service request into a cryptographic operation instruction and transmits the cryptographic operation instruction to the cryptographic chip includes:
The virtual main control chip receives a password service request sent by a corresponding user virtual machine, converts the password service request into a password operation instruction and transmits the password operation instruction to a virtual password chip belonging to the same virtual password card, wherein the virtual password chip executes the password operation instruction and feeds back an execution result to the virtual main control chip.
6. The data processing method according to claim 5, wherein the quantum fusion cryptographic card has an operation set comparison function and a policy security storage function, the operation set includes at least one security policy, the at least one security policy is securely stored via the policy security storage function, and the cryptographic service request includes an execution policy query request;
The receiving, by the virtual master control chip, a password service request sent by a corresponding user virtual machine includes:
The virtual main control chip receives an execution strategy query request sent by a corresponding user virtual machine, wherein the execution strategy query request carries execution strategy information;
The virtual main control chip compares the execution strategy with the at least one security strategy to obtain decision information for allowing or prohibiting the execution strategy;
And the virtual main control chip feeds back decision information allowing or prohibiting execution of the execution strategy to the user virtual machine.
7. The data processing method according to claim 4, wherein the cryptographic service request includes a data encryption/decryption request, and the receiving, by the main control chip, the cryptographic service request of the upper layer application includes:
the main control chip receives a data encryption and decryption request of an upper layer application, wherein the data encryption and decryption request carries data needing to be transmitted safely;
The main control chip provides identity authentication service for the upper layer application, after the identity authentication is passed, the main control chip converts the data encryption and decryption request into a password operation instruction and transmits the password operation instruction to the password chip, and the main control chip acquires a quantum key from a quantum key distribution network and transmits the quantum key to the password chip, wherein the password operation instruction instructs digital signature and/or symmetric encryption of the data needing to be transmitted safely, and the digital signature comprises a digital signature based on a post quantum password algorithm PQC.
8. The data processing method of claim 4, wherein the cryptographic service request comprises a data access request of a distributed storage system, further comprising:
When the quantum fusion password card is a first quantum fusion password card in a master mode, a quantum key for accessing data is issued to a second quantum fusion password card in a slave mode;
and when the quantum fusion cipher card is a second quantum fusion cipher card in the slave mode, receiving a quantum key for accessing data from the first quantum fusion cipher card in the master mode.
9. The data processing method according to claim 8, further comprising:
a security mutual control exists between the first quantum fusion password card and the second quantum fusion password card, and the mutual control parameters of the security mutual control comprise state information, user information and key information;
The first quantum fusion cryptographic card supports control instructions and security policy encryption issuing, wherein the control instructions comprise the cryptographic operation instructions and/or key operation instructions.
10. The data processing method according to claim 5, wherein the main control chip responding to the cryptographic service request according to the execution result comprises:
And the virtual main control chip responds to the password service request to the corresponding user virtual machine according to the execution result.
CN202311832736.0A 2023-12-27 2023-12-27 Quantum fusion password card and data processing method Pending CN118900176A (en)


Publications (1)

Publication Number Publication Date
CN118900176A true CN118900176A (en) 2024-11-05

Family

ID=93267176



Legal Events

Date Code Title Description
PB01 Publication