Cite this article:
- 李晨, 康颖, 涂碧波, 张坤, 冯延畅. 云密码资源服务架构研究 (Research on Cloud Cryptographic Resource Service Architecture) [J]. 信息安全学报 (Journal of Cyber Security), accepted.
- Li Chen, Kang Ying, Tu Bibo, Zhang Kun, Feng Yanchang. Research on Cloud Cryptographic Resource Service Architecture [J]. Journal of Cyber Security, accepted.
Abstract:
Driven by cloud computing technology, traditional cryptographic technology is transitioning toward cloud cryptographic services. Cloud cryptographic services are still at an early stage, and existing research mostly addresses cloud cryptographic function services for a particular application scenario, leaving cloud cryptographic resource services largely unstudied. Based on an analysis of existing cloud cryptographic service schemes, and in light of the requirements for moving cryptographic services to the cloud, this paper proposes a new cloud cryptographic resource service architecture, CryptCRS, which offers dynamically schedulable cryptographic service capability and elastically scalable cryptographic computing capability, providing users with cryptographic services native to the cloud platform. Specifically, CryptCRS virtualizes cryptographic hardware resources by means of shared memory: one PCIe cryptographic card is virtualized into multiple virtual cryptographic cards, which are then packaged as virtual cipher machines and provided to users. A high-security key management system is designed to manage keys securely over their whole life cycle; user data keys are protected by double encryption, giving user-level key isolation; and keys only ever move between cryptographic facilities in ciphertext form, strengthening key security. To further secure key transmission, this paper uses the PUF property of the cryptographic card, taking the physical fingerprint it generates as the root of trust, and designs a secure authentication and key agreement protocol between the key management system and the cryptographic card; the protocol's security is proved with BAN logic. Finally, a prototype cloud cryptographic resource service system is implemented on the OpenStack open-source cloud platform and evaluated experimentally. The results show that CryptCRS outperforms existing software-based cryptographic card virtualization methods, and that its high cloud cryptographic resource service capability fully meets the needs of high-availability, high-concurrency cryptographic applications.
Keywords: cloud computing; cloud cryptographic resource service; cryptographic card virtualization; shared memory; key management
DOI: 10.19363/J.cnki.cn10-1380/tn.2024.02.18
Received: 2022-05-10; Revised: 2022-08-31
Funding:
Research on Cloud Cryptographic Resource Service Architecture
Li Chen1, Kang Ying2, Tu Bibo1, Zhang Kun1, Feng Yanchang1

(1. Institute of Information Engineering; 2. People's Liberation Army of China No. 31401)
Abstract:
Driven by cloud computing technology, traditional cryptography is being transformed into cloud cryptographic services. At present, cloud cryptographic services are still in their infancy; most existing studies concern cloud cryptographic functional services oriented to a particular application scenario, and research on cloud cryptographic resource services is lacking. Through an analysis of existing cloud cryptographic service schemes, combined with the requirements for moving cryptographic services to the cloud, this paper proposes a new cloud cryptographic resource service architecture, CryptCRS, which can dynamically schedule cryptographic services and elastically scale cryptographic computation, providing users with cryptographic services native to the cloud platform. Specifically, CryptCRS virtualizes cryptographic hardware resources over shared memory, splitting one PCIe cryptographic card into multiple virtual cryptographic cards that are then encapsulated as virtual cipher machines for users. A high-security key management system provides whole-life-cycle key management; user data keys are protected by double encryption, which also isolates keys at the user level; and keys circulate between cryptographic facilities only in ciphertext form, which strengthens key security. To further secure key transmission, this paper designs a secure authentication and key agreement protocol between the key management system and the card, based on the card's PUF feature and using the physical fingerprint generated by the card as the root of trust; BAN logic is used to prove the protocol's security. Finally, this paper implements a prototype cloud cryptographic resource service system on the OpenStack open-source cloud platform and evaluates it experimentally.
The experimental results show that CryptCRS performs better than existing software-based cryptographic card virtualization methods, and that its higher cloud cryptographic resource service capability fully meets the requirements of high-availability, high-concurrency cryptographic applications.
Key words: cloud computing; cloud cryptographic resource service; cryptographic card virtualization; shared memory; key management