| As the basic department of the cryptographic service security architecture, cryptographicservice system is one system that lay on the bottom, which supplied the functions ofcryptography management and the use of cryptography algorithms,supplied the functions ofencryption, decryption, signature and verification for cryptography, there are a variety ofcryptography hardware resources and cryptography software algorithms, but how to mergethese resources into one entirety, it is still lack of research in this aspect of the cryptographicservice system’s overall architecture.The main contributions of this paper are lay as follows:1. Introduced the associated models of cryptographic service which is based on the analyzeand research of associated architecturesAnalysed two typical security architectures: Common Cryptographic Architecture of IBMand Common Data Security Architecture of Intel. They have been used to resolve theinformation and privacy security. Focus on the pros and cons on the solution of both.Summarized the basic implementation principles of cryptographic service security architecture.On this basis, introduced the conceptual model of cryptographic service which is comprised bysome concepts and function entities. From the view of security view, based on the conceptualmodel, built the security model of cryptographic service.2. Designed the structure of cryptography security environment which integrates theassociated cryptography functions, designed the mechanism of system function extending. Theyare both on the basis of system function’s division of the implementation areaBy the isolation of cryptographic service associated functions, forced them into a safesub-environment, built an embedded cryptographic service system which treats thecryptographic service as the core. According to the design templates of ISO/IEC7816-8, usedthe object-oriented design ideas to achieve the rational allocation of cryptographic servicecontents, centralized the management of cryptography elements, designed the structure ofcryptography security environment which is the core of cryptography function structure;Designed one structure of set-up interface which merges the interrelated attributes ofcryptography algorithm. We can use the set-up interface to achieve the flexible extending ofsystem functions, when followed the update flow path.3. Designed the input-output mechanism, thread mechanism and the control mechanism ofapplication usage.Defined the basic input-output mechanism, thread mechanism and the control mechanism of application usage. The basic input-output mechanism uses the Application Protocol DataUnit for data transmission, which is the method of invoking interface; The thread mechanism isby the evolution of Linux thread module; To make the development of security application, weintroduced the mechanism of virtual machine, also designed the download mechanism forsecurity application and the running scheduling policy of multi-application.4. Designed the cryptography management and security guard of system, achievedfunction test and verify of system, and done the security level assessmentDesigned the basic mechanisms of cryptography management and security guard,including the management of keys in system, the mechanism of cryptography functionextending, the control of applications and the access control mechanism; Built the embeddeddevelopment platform for system research, drawn up the test and verify scheme of systemfunction, which is used to verify the feasibility of our design and the correctness of ourrealization. Finally, done the security level assessment for the design following thecryptography module safety standards, which is FIPS140-2. |
PDF Full Text Request