Device and method for realizing secure information export

Document No.: 1711830. Publication date: 2019-12-13.

Reading note: This technology, "Device and method for realizing secure information export", was designed by 王利明, 宋晨, 李栋, 朱启超 and 孙宏跃 on 2019-07-25. Main content: The invention provides a device and a method for realizing secure information export. The device comprises a signature verification device connected to an intranet desensitization information sending server and an extranet desensitization information receiving server; the sending server is arranged in the intranet and the receiving server is arranged in the extranet. The signature verification device comprises an FPGA (field programmable gate array), which is connected to an intranet communication interface, an extranet communication interface, an administrator KEY interface and an algorithm chip. The intranet communication interface is connected to the intranet desensitization information sending server, and the extranet communication interface is connected to the extranet desensitization information receiving server. The invention implements the function of the signature verification device in an FPGA, which ensures that the signature verification device cannot be attacked and hijacked by hackers and effectively ensures that the desensitization information signed by the desensitization information approval node is consistent with the desensitization information exported to the extranet system; the invention also adopts electronic management, which improves office efficiency and saves office costs.

1. A device for realizing secure information export, characterized by comprising a signature verification device (1), wherein the signature verification device (1) is connected with an intranet desensitization information sending server (2) and an extranet desensitization information receiving server (3), the intranet desensitization information sending server (2) is arranged in an intranet, and the extranet desensitization information receiving server (3) is arranged in an extranet;

the signature verification device (1) comprises an FPGA (field programmable gate array) (4), wherein the FPGA (4) is connected with an intranet communication interface (5), an extranet communication interface (6), an administrator KEY interface (7) and an algorithm chip (8);

the intranet communication interface (5) is connected with the intranet desensitization information sending server (2), and the extranet communication interface (6) is connected with the extranet desensitization information receiving server (3).

2. The device for realizing secure information export according to claim 1, wherein the FPGA (4) comprises an intranet communication interface controller (4.1), an extranet communication interface controller (4.2), an administrator KEY interface controller (4.3) and an algorithm chip interface controller (4.4), the intranet communication interface controller (4.1) is connected with the intranet communication interface (5), the extranet communication interface controller (4.2) is connected with the extranet communication interface (6), the administrator KEY interface controller (4.3) is connected with the administrator KEY interface (7), and the algorithm chip interface controller (4.4) is connected with the algorithm chip (8);

the intranet communication interface controller (4.1) is connected with a cache module (4.5), and the cache module (4.5) is connected with a management module (4.6), a certificate parsing module (4.7) and a digest operation module (4.8);

the management module (4.6) is also connected with the extranet communication interface controller (4.2), the administrator KEY interface controller (4.3), the certificate parsing module (4.7), the digest operation module (4.8) and a signature verification module (4.9);

the algorithm chip interface controller (4.4) is connected with the signature verification module (4.9);

the signature verification module (4.9) is also connected with the certificate parsing module (4.7) and the digest operation module (4.8).

3. The device for realizing secure information export according to claim 1, wherein the digest operation module (4.8) implements the SM3 digest algorithm and the SHA digest algorithm.

4. The device for realizing secure information export according to claim 2, wherein the algorithm chip (8) comprises an SM2 algorithm unit, an RSA algorithm unit and an ECC algorithm unit;

the algorithm chip interface controller (4.4) comprises an SM2 algorithm chip interface controller, an RSA algorithm chip interface controller and an ECC algorithm chip interface controller.

5. The device for realizing secure information export according to claim 2, characterized in that the extranet communication interface (6) adopts a unidirectional transmission optical fiber interface, and the signature verification device (1) is connected with the extranet desensitization information receiving server (3) through the unidirectional transmission optical fiber interface;

the extranet communication interface controller (4.2) adopts a unidirectional transmission optical fiber controller.

6. The device for realizing secure information export according to claim 1, wherein the intranet is further provided with a desensitization information initiating node (9) and a desensitization information approving node (10), the desensitization information initiating node (9) is connected with the desensitization information approving node (10), and the desensitization information approving node (10) is connected with the intranet desensitization information sending server (2).

7. A method for realizing secure information export, comprising the following steps:

S1, an administrator KEY is connected to the signature verification device, the signature verification device is started, and the administrator KEY interface imports the PKI CA system root certificate stored in the administrator KEY into the signature verification device;

S2, the desensitization information initiating node and the desensitization information approving node each use a KEY issued by the PKI CA to sign the desensitization information to be exported;

S3, the intranet desensitization information sending server combines the desensitization information, the signature values of the desensitization information initiating node and the desensitization information approving node over the desensitization information, and the public key certificates of the desensitization information initiating node and the desensitization information approving node into a desensitization information export data packet, and sends the desensitization information export data packet to the signature verification device;

S4, the signature verification device parses the desensitization information export data packet to obtain the desensitization information, and verifies the signatures on the desensitization information;

S5, if signature verification of the desensitization information succeeds, the signature verification device sends the verified information to the extranet desensitization information receiving server through the extranet communication interface;

S6, the signature verification device notifies the intranet desensitization information sending server of the signature verification result.

8. The method for realizing secure information export according to claim 7, wherein step S4 specifically comprises the following steps:

S41, the signature verification device caches the data packet sent from the intranet;

S42, the signature verification device identifies the data packet according to the packet protocol, extracts the desensitization information export data packet, and discards any data packet that cannot be identified;

S43, the signature verification device uses the CA root public key to verify the validity of the desensitization information initiating node certificate and the desensitization information approving node certificate in the desensitization information data packet;

S44, if the desensitization information initiating node certificate and the desensitization information approving node certificate are successfully verified, the signatures on the desensitization information are verified using the desensitization information initiating node certificate and the desensitization information approving node certificate.

9. The method according to claim 8, wherein in step S44, if the desensitization information initiating node certificate and the desensitization information approving node certificate fail verification, the desensitization information export data packet is destroyed.

10. The method for realizing secure information export according to claim 7, wherein in step S5, if signature verification of the desensitization information fails, the signature verification device destroys the desensitization information.

Technical Field

The invention belongs to the field of network security, and particularly relates to a device and a method for realizing secure information export.

Background

At present, many organizations divide their office computer networks into two systems, an intranet system and an extranet system. The intranet system is used for processing the organization's sensitive information. The extranet system is used for external communication. Because the organization's sensitive information must be kept secret and should not be obtainable from outside, the intranet system and the extranet system are isolated and cannot be interconnected. However, once sensitive information has been desensitized and needs to be released externally, the desensitization information of the intranet system has to be exported to the extranet system.

To prevent sensitive information of the intranet system from being leaked, the current management method for exporting desensitization information to the extranet system is as follows: the initiator provides the desensitization information together with an application form for exporting it to the extranet system, and signs; the reviewer reviews the desensitization information and signs the application; the disc-burning staff burn the desensitization information onto an optical disc and sign the application; the initiator takes the optical disc away and releases it to the extranet system. The existing management method is essentially paper-based, the process is cumbersome and the management cost is high, and because the approver cannot monitor the information burned onto the optical disc, the approved information may be inconsistent with the burned information. There is therefore a risk of sensitive information leaking out.

Therefore, it is very necessary to provide a device and a method for realizing secure information export that overcome the above drawbacks of the prior art.

Disclosure of Invention

The invention aims to provide a device and a method for realizing secure information export, addressing the defects of the existing method for managing intranet sensitive information: it is essentially paper-based, its process is cumbersome and its management cost is high, and because the approver cannot monitor the information burned onto the optical disc, the approved information may be inconsistent with the burned information, creating a risk of sensitive information leakage.

To achieve this purpose, the invention provides the following technical solution:

A device for realizing secure information export comprises a signature verification device, which is connected with an intranet desensitization information sending server and an extranet desensitization information receiving server,

the intranet desensitization information sending server is arranged in an intranet, and the extranet desensitization information receiving server is arranged in an extranet;

the signature verification device comprises an FPGA (field programmable gate array), wherein the FPGA is connected with an intranet communication interface, an extranet communication interface, an administrator KEY interface and an algorithm chip;

the intranet communication interface is connected with the intranet desensitization information sending server, and the extranet communication interface is connected with the extranet desensitization information receiving server. The algorithm chip provides the signature verification algorithms for the signature verification device; the administrator KEY interface provides the PKI CA system root certificate required to start the signature verification device; the intranet communication interface acquires data packets from the intranet desensitization information sending server; the extranet communication interface sends desensitization information that has passed verification to the extranet desensitization information receiving server. The signature verification device implements the signature verification function in the digital circuit logic of the FPGA and does not depend on programs running in RAM as a traditional server does, so the signature verification device is effectively protected against attack and hijacking by Trojans and viruses in the intranet system, and the effectiveness of the device is ensured.

Furthermore, the FPGA comprises an intranet communication interface controller, an extranet communication interface controller, an administrator KEY interface controller and an algorithm chip interface controller, wherein the intranet communication interface controller is connected with the intranet communication interface, the extranet communication interface controller is connected with the extranet communication interface, the administrator KEY interface controller is connected with the administrator KEY interface, and the algorithm chip interface controller is connected with the algorithm chip;

the intranet communication interface controller is connected with a cache module, and the cache module is connected with a management module, a certificate parsing module and a digest operation module;

the management module is also connected with the extranet communication interface controller, the administrator KEY interface controller, the certificate parsing module, the digest operation module and the signature verification module;

the algorithm chip interface controller is connected with the signature verification module;

the signature verification module is also connected with the certificate parsing module and the digest operation module.

The intranet communication interface controller is used for realizing intranet communication and protocol analysis;

The extranet communication interface controller is used for realizing extranet communication and protocol analysis;

the administrator KEY interface controller is used for realizing administrator KEY communication and protocol analysis;

The algorithm chip interface controller is used for realizing algorithm chip communication and protocol analysis;

The cache module is used for caching the intranet data packet;

the management module is used for realizing equipment authority control and configuring and managing each functional module;

The certificate parsing module is used for obtaining the certificate signature values and certificate public keys of the desensitization information initiating node and the desensitization information approving node;

The digest operation module is used for performing digest operations on the intranet data packet;

The signature verification module is used for verifying the signature values of the desensitization information initiating node's certificate and the desensitization information approving node's certificate using the public key of the CA root certificate, and for verifying the signature values on the desensitization information using the public keys of the desensitization information initiating node and the desensitization information approving node.

Further, the digest operation module implements SM3 and SHA digest algorithms.

Further, the intranet communication interface adopts a USB interface, an Ethernet interface, or a custom interface.

Further, the cache module adopts a RAM cache module.

Further, the algorithm chip comprises an SM2 algorithm unit, an RSA algorithm unit and an ECC algorithm unit; the algorithm chip interface controller comprises an SM2 algorithm chip interface controller, an RSA algorithm chip interface controller and an ECC algorithm chip interface controller.

Furthermore, the extranet communication interface adopts a unidirectional transmission optical fiber interface, and the signature verification device is connected with the extranet desensitization information receiving server through the unidirectional transmission optical fiber interface;

The extranet communication interface controller adopts a unidirectional transmission optical fiber controller. Because the extranet communication interface is a unidirectional transmission optical fiber interface, data can only flow from the signature verification device to the extranet system, and data from the extranet system cannot flow to the signature verification device, which effectively prevents Trojans and viruses in the extranet system from attacking the signature verification device.

Furthermore, the intranet is further provided with a desensitization information initiating node and a desensitization information approving node, the desensitization information initiating node is connected with the desensitization information approving node, and the desensitization information approving node is connected with the intranet desensitization information sending server. In the intranet system, the desensitization information initiating node and the desensitization information approving node each use a KEY issued by the PKI CA to sign the desensitization information to be exported. There may be multiple desensitization information approval nodes.

The invention also provides the following technical solution:

A method for realizing secure information export, comprising the following steps:

S1, an administrator KEY is connected to the signature verification device, the signature verification device is started, and the administrator KEY interface imports the PKI CA system root certificate stored in the administrator KEY into the signature verification device;

S2, the desensitization information initiating node and the desensitization information approving node each use a KEY issued by the PKI CA to sign the desensitization information to be exported;

S3, the intranet desensitization information sending server combines the desensitization information, the signature values of the desensitization information initiating node and the desensitization information approving node over the desensitization information, and the public key certificates of the desensitization information initiating node and the desensitization information approving node into a desensitization information export data packet, and sends the desensitization information export data packet to the signature verification device;

S4, the signature verification device parses the desensitization information export data packet to obtain the desensitization information, and verifies the signatures on the desensitization information;

S5, if signature verification of the desensitization information succeeds, the signature verification device sends the verified information to the extranet desensitization information receiving server through the extranet communication interface;

S6, the signature verification device notifies the intranet desensitization information sending server of the signature verification result.

Further, step S4 specifically includes the following steps:

S41, the signature verification device caches the data packet sent from the intranet;

S42, the signature verification device identifies the data packet according to the packet protocol, extracts the desensitization information export data packet, and discards any data packet that cannot be identified;

S43, the signature verification device uses the CA root public key to verify the validity of the desensitization information initiating node certificate and the desensitization information approving node certificate in the desensitization information data packet;

S44, if the desensitization information initiating node certificate and the desensitization information approving node certificate are successfully verified, the signatures on the desensitization information are verified using the desensitization information initiating node certificate and the desensitization information approving node certificate.

Further, if the desensitization information initiating node certificate and the desensitization information approving node certificate fail verification, the desensitization information export data packet is destroyed.

Further, in step S5, if signature verification of the desensitization information fails, the signature verification device destroys the desensitization information.
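
The decision flow of steps S41 to S44, S5 and S6 can be modelled in software to see which packets the gate releases and which it discards or destroys. This is an added example, not code from the patent: the JSON packet layout, the certificate `role` field, the rule that both roles must be present, and the toy textbook-RSA signatures (standing in for SM2/RSA/ECC on the algorithm chip) are assumptions made here.

```python
# Added example: software model of the gate's decision flow (S41-S44, S5, S6).
# Assumptions: the JSON packet layout, MAGIC, the certificate "role" field and
# the toy textbook-RSA scheme are invented here; the patent's device uses
# SM2/RSA/ECC on an algorithm chip with SM3/SHA digests in FPGA logic.
import hashlib
import json

MAGIC = "DSEXPORT1"   # hypothetical packet identifier
E = 65537             # public exponent of the toy scheme
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))  # Mersenne primes

def make_key(p, q):
    """Toy key pair from two known primes (illustration only, not secure)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return isinstance(sig, int) and 0 <= sig < n and pow(sig, E, n) == _digest(data, n)

def tbs(cert):
    """Bytes of a certificate that the CA signs: subject, role, public key."""
    return json.dumps([cert["subject"], cert["role"], cert["n"]]).encode()

def issue_cert(ca_key, subject, role, key):
    cert = {"subject": subject, "role": role, "n": key["n"]}
    cert["sig"] = sign(ca_key, tbs(cert))
    return cert

def build_packet(payload, signers):
    """S2/S3: every (key, cert) pair signs the payload; the server bundles them."""
    entries = [{"cert": c, "sig": sign(k, payload)} for k, c in signers]
    return json.dumps({"magic": MAGIC, "payload": payload.hex(),
                       "signers": entries}).encode()

def parse_packet(raw):
    """S42: recognise an export packet; raise ValueError for anything else."""
    try:
        pkt = json.loads(raw)
        if pkt["magic"] != MAGIC:
            raise ValueError("wrong magic")
        payload = bytes.fromhex(pkt["payload"])
        signers = [(s["cert"], s["sig"]) for s in pkt["signers"]]
        for cert, _ in signers:
            ok = all(isinstance(cert[k], t) for k, t in
                     (("n", int), ("sig", int), ("role", str), ("subject", str)))
            if not ok or cert["n"] <= 1:
                raise ValueError("malformed certificate")
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("unrecognised packet") from exc
    return payload, signers

def gate(raw, ca_n):
    """Return (bytes released to the extranet or None, result for the intranet)."""
    try:
        payload, signers = parse_packet(raw)                         # S41, S42
    except ValueError:
        return None, "discarded: unrecognised packet"
    if not all(verify(ca_n, tbs(c), c["sig"]) for c, _ in signers):  # S43
        return None, "destroyed: certificate not issued by CA root"
    if not all(verify(c["n"], payload, s) for c, s in signers):      # S44
        return None, "destroyed: signature does not cover this payload"
    if not {"initiator", "approver"} <= {c["role"] for c, _ in signers}:
        return None, "destroyed: initiator or approver signature missing"  # assumed policy
    return payload, "forwarded"                  # S5; the string is the S6 report

# Constructed sample keys and certificates (toy primes, reused across keys).
CA, ROGUE = make_key(M127, M107), make_key(M89, M61)
INITIATOR, APPROVER = make_key(M127, M89), make_key(M107, M89)
INIT_CERT = issue_cert(CA, "initiator-01", "initiator", INITIATOR)
APPR_CERT = issue_cert(CA, "approver-01", "approver", APPROVER)

def demo():
    """Run constructed packets through the gate and return each outcome."""
    approved = b"Q3 summary, desensitized"
    good = build_packet(approved, [(INITIATOR, INIT_CERT), (APPROVER, APPR_CERT)])
    swapped = json.loads(good)            # content replaced after approval
    swapped["payload"] = b"Q3 summary, full detail".hex()
    fake_cert = issue_cert(ROGUE, "approver-01", "approver", ROGUE)
    cases = {
        "approved": good,
        "swapped": json.dumps(swapped).encode(),
        "forged": build_packet(approved, [(INITIATOR, INIT_CERT), (ROGUE, fake_cert)]),
        "unapproved": build_packet(approved, [(INITIATOR, INIT_CERT)]),
        "garbage": b"not an export packet",
    }
    return {name: gate(raw, CA["n"]) for name, raw in cases.items()}

if __name__ == "__main__":
    print(demo())
```

The "swapped" case is the failure the background section attributes to the optical-disc process: the content that leaves differs from the content that was approved, and here the signatures no longer verify.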

The invention has the following beneficial effects:

The invention implements the function of the signature verification device in an FPGA, which ensures that the signature verification device cannot be attacked and hijacked by hackers and effectively ensures that the desensitization information signed by the desensitization information approval node is consistent with the desensitization information exported to the extranet system; the invention also adopts electronic management, which improves office efficiency and saves office costs.

In addition, the invention has a reliable design principle, a simple structure and very wide application prospects.

Therefore, compared with the prior art, the invention has prominent substantive features and remarkable progress, and the beneficial effects of the implementation are also obvious.

Drawings

FIG. 1 is a schematic diagram of the apparatus of the present invention;

FIG. 2 is a schematic diagram of the FPGA structure of the present invention;

FIG. 3 is a second schematic structural view of the apparatus of the present invention;

FIG. 4 is a flow chart of a method of the present invention;

FIG. 5 is a flowchart of the signature verification device obtaining the desensitization information and verifying its signatures;

In the figures: 1-signature verification device; 2-intranet desensitization information sending server; 3-extranet desensitization information receiving server; 4-FPGA; 4.1-intranet communication interface controller; 4.2-extranet communication interface controller; 4.3-administrator KEY interface controller; 4.4-algorithm chip interface controller; 4.5-cache module; 4.6-management module; 4.7-certificate parsing module; 4.8-digest operation module; 4.9-signature verification module; 5-intranet communication interface; 6-extranet communication interface; 7-administrator KEY interface; 8-algorithm chip; 9-desensitization information initiating node; 10-desensitization information approval node.

Detailed Description

In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.

As shown in FIG. 1, the present invention provides a device for realizing secure information export, which includes a signature verification device 1, wherein the signature verification device 1 is connected to an intranet desensitization information sending server 2 and an extranet desensitization information receiving server 3, the intranet desensitization information sending server 2 is arranged in an intranet, and the extranet desensitization information receiving server 3 is arranged in an extranet;

the signature verification device 1 comprises an FPGA 4, wherein the FPGA 4 is connected with an intranet communication interface 5, an extranet communication interface 6, an administrator KEY interface 7 and an algorithm chip 8;

the intranet communication interface 5 is connected with the intranet desensitization information sending server 2, and the extranet communication interface 6 is connected with the extranet desensitization information receiving server 3. The algorithm chip 8 provides the signature verification algorithms for the signature verification device; the administrator KEY interface 7 provides the PKI CA system root certificate required to start the signature verification device; the intranet communication interface 5 acquires data packets from the intranet desensitization information sending server 2; the extranet communication interface 6 sends desensitization information that has passed verification to the extranet desensitization information receiving server 3. The signature verification device 1 implements the signature verification function in the digital circuit logic of the FPGA 4 and does not depend on programs running in RAM as a traditional server does, so the signature verification device is effectively protected against attack and hijacking by Trojans and viruses in the intranet system, and the effectiveness of the device is ensured.

As shown in FIG. 2, the FPGA 4 in embodiment 1 includes an intranet communication interface controller 4.1, an extranet communication interface controller 4.2, an administrator KEY interface controller 4.3, and an algorithm chip interface controller 4.4, the intranet communication interface controller 4.1 is connected to the intranet communication interface 5, the extranet communication interface controller 4.2 is connected to the extranet communication interface 6, the administrator KEY interface controller 4.3 is connected to the administrator KEY interface 7, and the algorithm chip interface controller 4.4 is connected to the algorithm chip 8; the algorithm chip 8 comprises an SM2 algorithm unit, an RSA algorithm unit and an ECC algorithm unit;

The extranet communication interface 6 adopts a unidirectional transmission optical fiber interface, and the signature verification device 1 is connected with the extranet desensitization information receiving server 3 through the unidirectional transmission optical fiber interface;

The intranet communication interface controller 4.1 is connected with a cache module 4.5, and the cache module 4.5 is connected with a management module 4.6, a certificate parsing module 4.7 and a digest operation module 4.8;

The management module 4.6 is also connected with the extranet communication interface controller 4.2, the administrator KEY interface controller 4.3, the certificate parsing module 4.7, the digest operation module 4.8 and a signature verification module 4.9;

The algorithm chip interface controller 4.4 is connected with the signature verification module 4.9;

The signature verification module 4.9 is also connected with the certificate parsing module 4.7 and the digest operation module 4.8.

The intranet communication interface controller 4.1 is used for realizing intranet communication and protocol analysis; the intranet communication interface 5 adopts a USB interface, an Ethernet interface or a custom interface;

The extranet communication interface controller 4.2 is used for realizing extranet communication and protocol analysis; the extranet communication interface controller 4.2 adopts a unidirectional transmission optical fiber controller; because the extranet communication interface 6 is a unidirectional transmission optical fiber interface, data can only flow from the signature verification device to the extranet system, and data from the extranet system cannot flow to the signature verification device, which effectively prevents Trojans and viruses in the extranet system from attacking the signature verification device;

The administrator KEY interface controller 4.3 is used for realizing administrator KEY communication and protocol analysis;

The algorithm chip interface controller 4.4 is used for realizing algorithm chip communication and protocol analysis; the algorithm chip interface controller 4.4 comprises an SM2 algorithm chip interface controller, an RSA algorithm chip interface controller and an ECC algorithm chip interface controller; the SM2 algorithm chip interface controller is connected with the SM2 algorithm unit, the RSA algorithm chip interface controller is connected with the RSA algorithm unit, and the ECC algorithm chip interface controller is connected with the ECC algorithm unit;

The cache module 4.5 is used for caching the intranet data packet; the cache module 4.5 adopts a RAM cache module;

The management module 4.6 is used for realizing device authority control and for configuring and managing each functional module;

The certificate parsing module 4.7 is used for obtaining the certificate signature values and certificate public keys of the desensitization information initiating node and the desensitization information approving node;

The digest operation module 4.8 is used for performing digest operations on the intranet data packet; the digest operation module 4.8 adopts the SM3 and SHA digest algorithms;

The signature verification module 4.9 is used for verifying the signature values of the desensitization information initiating node's certificate and the desensitization information approving node's certificate using the public key of the CA root certificate, and for verifying the signature values on the desensitization information using the public keys of the desensitization information initiating node and the desensitization information approving node.

As shown in FIG. 3, the present invention provides a device for realizing secure information export, which includes a signature verification device 1, wherein the signature verification device 1 is connected to an intranet desensitization information sending server 2 and an extranet desensitization information receiving server 3, the intranet desensitization information sending server 2 is arranged in the intranet, and the extranet desensitization information receiving server 3 is arranged in the extranet;

the signature verification device 1 comprises an FPGA 4, wherein the FPGA 4 is connected with an intranet communication interface 5, an extranet communication interface 6, an administrator KEY interface 7 and an algorithm chip 8;

the intranet communication interface 5 is connected with the intranet desensitization information sending server 2, and the extranet communication interface 6 is connected with the extranet desensitization information receiving server 3;

The intranet is further provided with a desensitization information initiating node 9 and a desensitization information approving node 10, the desensitization information initiating node 9 is connected with the desensitization information approving node 10, and the desensitization information approving node 10 is connected with the intranet desensitization information sending server 2. In the intranet system, the desensitization information initiating node 9 and the desensitization information approving node 10 each use a KEY issued by the PKI CA to sign the desensitization information to be exported; there may be a plurality of desensitization information approval nodes 10.

As shown in fig. 4, the present invention provides a method for implementing secure information export, which includes the following steps:

S1, an administrator KEY is connected to the signature checking device, the signature checking device is started, and the administrator KEY interface imports the PKI CA system root certificate stored in the administrator KEY into the signature checking device;

S2, the desensitization information initiating node and the desensitization information approving node each use the KEY issued by the PKI CA to sign the desensitization information to be exported;

S3, the intranet desensitization information sending server combines the desensitization information, the signature values of the desensitization information initiating node and the desensitization information approving node on the desensitization information, and the public key certificates of the desensitization information initiating node and the desensitization information approving node to generate a desensitization information export data packet, and sends the desensitization information export data packet to the signature checking device;

S4, the signature checking device parses the desensitization information export data packet to obtain the desensitization information, and checks the signature on the desensitization information;

S5, if the signature check on the desensitization information succeeds, the signature checking device sends the checking information to the extranet desensitization information receiving server through the extranet communication interface;

if the signature check on the desensitization information fails, the signature checking device destroys the desensitization information;

S6, the signature checking device notifies the intranet desensitization information sending server of the signature check result.

As shown in fig. 5, step S4 comprises the following specific steps:

S41, the signature checking device caches the data packet sent by the intranet;

S42, the signature checking device identifies the data packet by its packet protocol, extracts the desensitization information export data packet, and discards any data packet that cannot be identified;

S43, the signature checking device uses the CA root public key to verify the validity of the desensitization information initiating node certificate and the desensitization information approving node certificate in the desensitization information export data packet;

S44, if the desensitization information initiating node certificate and the desensitization information approving node certificate are successfully verified, the desensitization information initiating node certificate and the desensitization information approving node certificate are used to check the signatures on the desensitization information;

if verification of the desensitization information initiating node certificate and the desensitization information approving node certificate fails, the desensitization information export data packet is destroyed.
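
The check in steps S43, S44 and S5, sketched in Python as an added example; it is not code from the patent. Toy textbook RSA over fixed Mersenne primes stands in for the algorithm chip, and the packet layout, the certificate fields, the function names and the requirement of two distinct signers are all assumptions.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys (assumption)

def keypair(p, q):
    """Toy textbook-RSA key from two known primes: returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

def issue_cert(subject, subject_n, ca_n, ca_d):
    """The CA binds a node name to its public modulus (hypothetical layout)."""
    tbs = f"{subject}|{subject_n}".encode()
    return {"subject": subject, "n": subject_n, "ca_sig": sign(tbs, ca_n, ca_d)}

def check_and_export(packet, ca_root_n):
    """Return the information to forward (S5), or None if it is destroyed."""
    try:
        info, signers = packet["info"], packet["signers"]
        # Assumption: initiator plus at least one approver, distinct names.
        if len({cert["subject"] for cert, _ in signers}) < 2:
            return None
        for cert, sig in signers:
            tbs = f"{cert['subject']}|{cert['n']}".encode()
            if not verify(tbs, cert["ca_sig"], ca_root_n):  # S43: cert vs CA root
                return None
            if not verify(info, sig, cert["n"]):            # S44: signature on info
                return None
        return info
    except (KeyError, TypeError, ValueError, ArithmeticError):
        return None  # malformed packet: fail closed

# Constructed keys (Mersenne primes, far too weak for real use)
CA_N, CA_D = keypair(2**521 - 1, 2**607 - 1)
INIT_N, INIT_D = keypair(2**127 - 1, 2**107 - 1)
APPR_N, APPR_D = keypair(2**89 - 1, 2**61 - 1)

def build_packet(info):
    """S2/S3: both nodes sign; the sending server bundles info, sigs, certs."""
    return {"info": info, "signers": [
        (issue_cert("initiator-9", INIT_N, CA_N, CA_D), sign(info, INIT_N, INIT_D)),
        (issue_cert("approver-10", APPR_N, CA_N, CA_D), sign(info, APPR_N, APPR_D)),
    ]}
```

The function returns nothing on any failure, so a packet whose content was changed after approval, or whose certificate does not chain to the imported root, never reaches the extranet side.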

The embodiments of the present invention are illustrative rather than restrictive, and the above-mentioned embodiments are only provided to help understanding of the present invention, so that the present invention is not limited to the embodiments described in the detailed description, and other embodiments derived from the technical solutions of the present invention by those skilled in the art also belong to the protection scope of the present invention.
