A method of cryptographic computing resource pool#br#
based on multi-technology fusion#br#

	#br#

Journal of Information Security Reserach ›› 2021, Vol. 7 ›› Issue (4): 384-388.

Online:2021-04-05 Published:2021-04-14

基于多技术融合的密码计算资源池研究

李向锋1 傅大鹏2 李敏3

1. 北京数字认证股份有限公司研究院, 北京市 100080
2. 北京数字认证股份有限公司研究院, 北京市 100080
3. 北京数字认证股份有限公司研究院, 北京市 100080

通讯作者: 李向锋
作者简介:李向锋工程师. 主要研究方向为密码技术、PKI、数字签名． lixiangfeng@bjca.org.cn 傅大鹏，1975年，硕士，高级研究工程师。信息安全和电子认证领域。FU Da-Peng,1975, master degree, senior research engineer，Information security and electronic certifcation. 李敏，1992年，硕士，资深研究工程师。信息安全、电子认证、区块链领域。 Li Min, 1992, master degree, senior research engineer. Information security, electronic certification and blockchain.

Abstract

Abstract: The CaaS ( cryptography as a service ) is a hotspot in cryptography research. Different form traditional solution, we must support implements cryptography in virtualization environment and cloud architecture with a virtualization boundary, we must implements the features such as horizontal exptend, flexible computing,resource sharing and on-demand service. So,we usually design crypto computing resource pool to implements cryptographic functions, through pooled cryptographic computing,resource sharing,resource scheduling and key management,resource management,operation and maintenance provide cryptographic ability for cloud architecture business system,this is the essential about CaaS.In this paper,we analyze unikernel operation system technology,cpu secure enhance technology and para- virtualization technology in recently years,propose a new design about design large-scale cryptographic computing resource pool.It use cpu secure enhance technology and unikernel implements large-scale crypto-ablity supporting,use para-virtualization implements virtual-crypto-moudle, use unikernel implents crpto-ablity encapsulation、arrange and cascade in virtualization environment.

Key words: Cloud Computing, Cryptography, Virtualization, Cryptographic Computing Resouce Pool , Cloud-based cryptographic service

摘要： 云密码服务是近年来密码学研究和产业发展的热点，与传统密码方案不同，云密码服务需要支持在虚拟化环境、云架构系统、虚拟化边界中使用，同时需要满足云计算的易于水平扩展、弹性计算、资源共享、按需服务的要求。而传统密码设备的静态部署、静态配置的方式显然无法满足这样的要求。因此在云密码服务中，通常设计密码计算资源池实现密码功能，通过密码计算能力池化、共享、调度以及配套的密钥管理、密码资源管理、运营维护等机制为云架构的应用系统提供密码能力支撑，这也是是云密码服务研究的关键。本文分析了近年来微内核操作系统、CPU安全增强技术、基于virtio的半虚拟化技术等多种新技术在密码方面的应用场景，提出了一种构建大型密码计算资源池的云密码服务技术新思路，借助CPU安全技术和微内核操作系统实现软件密码计算单元以实现大规模、易于水平扩展的密码计算能力供应，借助半虚拟化实现虚拟密码模块，将密码资源池的能力映射到虚拟空间，最后借助微内核操作系统技术，实现虚拟化环境中密码能力的封装、编排与串接。

关键词: 云计算, 密码技术, 虚拟化, 密码计算资源池, 云密码服务

李向锋傅大鹏李敏. 基于多技术融合的密码计算资源池研究[J]. 信息安全研究, 2021, 7(4): 384-388.

References

[1] 荆继武, 刘丽敏. 电子认证走进2.0时代[J]. 信息安全研究, 2017, 3(006):573-576..
[2] 高志权. 云密码服务关键技术研究[J]. 数字技术与应用, 2019, v.37;No.351(09):191-193..
[3] 陈亚男李晨旸刘海峰荣晓燕. 一种基于密码云的政务云密码应用[J]. 信息安全研究, 2020, 6(9): 0-0.
[4] 张晏. 云计算环境下密码资源池系统的应用[J]. 信息安全研究, 2016, 2(6): 558-561.
[5] Rob Stubbs.Achieving Agile Cryptography Management with Crypto Service Gateway (CSG)[EB/OL]. https://www.cryptomathic.com/news-events/blog/achieving-agile-cryptography-management-with-crypto-service-gateway-csg,2019-1-23
[6] Alteen N , Fisher J , Gerena C , et al. Encryption on AWS[M]// AWS Certified Developer Official Study Guide. 2019.
[7]Tanenbaum A S , Herder J N , Bos H . Can We Make Operating Systems Reliable and Secure?IEEE Computer, 2006, 39(5):44-51.
[8] Madhavapeddy A , Scott D J . Unikernels: The Rise of the Virtual Library Operating System[J]. Communications of the Acm, 2014, 57(1):61-69.
[9]Mortier R , Scott D , Gazagnaire T , et al. Unikernels: library operating systems for the cloud[J]. Acm Sigplan Notices, 2013, 41(1):461-472.
[10] Manco F , Lupu C , Schmidt F , et al. My VM is Lighter (and Safer) than your Container[C]// the 26th Symposium. ACM, 2017.
[11] Guan L , Lin J , Luo B , et al. Protecting Private Keys against Memory Disclosure Attacks Using Hardware Transactional Memory[J]. 2015.
[12] Ittai Anati, Shay Gueron, Simon P Johnson, and Vincent R Scarlata. Innovative technology for cpu based attestation and sealing. In Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy, HASP, volume 13,
2013. .
[13] Tiago Alves and Don Felton. Trustzone: Integrated
hardware and software security. Information Quarterly,
3(4):18–24, 2004..

[1]	. [J]. Journal of Information Security Reserach, 2021, 7(8): 779-782.
[2]	. Research and Design of Cloud Edge Collaboration Based on Blockchain [J]. Journal of Information Security Reserach, 2021, 7(4): 310-318.
[3]	. Research on the Application of Commercial Cryptography for Satellite Internet [J]. Journal of Information Security Research, 2021, 7(3): 263-267.
[4]	. A Government Affairs Cloud Cryptography Application based on Cryptography Cloud [J]. Journal of Information Security Research, 2020, 6(9): 0-0.
[5]	. Research on Attribute Based Encryption Scheme in Cloud Computing [J]. Journal of Information Security Research, 2020, 6(8): 733-737.
[6]	. Research on Technologies of Windows Malware Detecting Based on Abnormal Behavior in KVM Environment [J]. Journal of Information Security Research, 2020, 6(6): 0-0.
[7]	. Research on Security Architecture for Cloud Data Center [J]. Journal of Information Security Research, 2020, 6(6): 0-0.
[8]	. A cloud computing cybersecurity method based on security domain [J]. Journal of Information Security Research, 2020, 6(4): 362-366.
[9]	. Virtual Machine Introspection Technology Based on System-Call Interception [J]. Journal of Information Security Research, 2020, 6(4): 367-372.
[10]	. Research on Internet of Things Security Based on Cloud Computing [J]. Journal of Information Security Research, 2020, 6(4): 373-376.
[11]	. Research on Cloud Computing Cyber Security Matrix Control Based on Risk Control and Compliance [J]. Journal of Information Security Research, 2020, 6(3): 266-271.
[12]	. Characteristics and Investigation Strategies of Internet Drug Trafficking Under Digital Background [J]. Journal of Information Security Research, 2020, 6(2): 159-164.
[13]	. Design of Protocol Monitoring System Based on Cloud Computing and Deep Learning [J]. Journal of Information Security Research, 2020, 6(12): 1127-1132.
[14]	. Thoughts on Several Issues of Commercial Cryptography Application and Innovation Development [J]. Journal of Information Security Research, 2020, 6(11): 0-0.
[15]	. Research on Evaluation System and Index of Cloud Computing Platform Security Capability [J]. Journal of Information Security Research, 2020, 6(11): 0-0.