o C l a n o it a n r e t n I 8 1 0
2 nferenceonCommunicaiton ,NetworkandAritifcialI nteillgence( CNA I2018) 8 7 9 : N B S
I -1-60595- 50 -5 6
r o f m e t s y S r e v r e S e r u c e S o t p y r C d u o l C f o n o it a t n e m e l p m I d n a n g i s e D m e t s y S r e w o
P Based on Sha irng Encryp itonResource
e i
T -jun JIA* da n Yang LI
n o it a m r o f n I f o e g e ll o
C Technology ,Shangha iJ nia q iaoUniverstiy ,Shanghai, China r o h t u a g n i d n o p s e rr o C * : s d r o w y e
K CCSSS( CloudCryptoSecureServe rSystem), Cryptographservice, Sharedencrypiton s e c r u o s e
r , Systemplaftormestabilshment, CloudEncrypiton.
.t c a r t s b
A tIi sveryi mpo trantt ouset henewt echnologyo fclouds ecurtiyandencrypitont oi mprove o y ti r u c e s e h
t ft hepoweri nformaitons y tsemandbu isnes sdata .Basedont her equriemen tanaly is so f S S S C C t n e m e l p m i d n a n g is e d , m e ts y s n o it a m r o f n i r e w o p n i e c i v r e s h p a r g o t p y r c y ti r u c e s d u o l c u m r o f m r o fi n u e h t e v o r p m i o t l u f p l e h s 't i ,) m e ts y S r e v r e S e r u c e S o t p y r C d u o l C
( laiton o fva irou s
u c e s l l a r e v o e h t d n a s n o it a c if i c e p s n o it p y r c n e m e ts y s n o it a c il p p
a rtiy effecitvenes so fcryptographi c d n a s e c r u o s e r n o it p y r c n e d u o l c d e r a h s s a h c u s s e c i v r e s g n i d i v o r p t a h t d e v o r p s a h e c it c a r P . st c u d o r p n a n e t n i a m d n a t n e m e g a n a m , t n e m p o l e v e
d cei n plaftorm approach can provide moreeffecitveand . y rt s u d n i r e w o p e h t r o f s e c i v r e s g n ir a h s y ti r u c e s e v is n e h e r p m o c
Introduciton
s 'e l p o e p e h t d n a y m o n o c e l a n o it a n e h t st c e ff a y lt c e ri d m e ts y s n o it a m r o f n i r e w o p e h t f o y ti r u c e s e h T i b a ts l a i c o s , d o o h il e v
il ltiyandeconomicdevelopment .Thecenrtailzedproces isngo fvairou spowe r s e c i v r e s s s e n is u b f o y ti r u c e s s u o u n it n o c f o k si r e h t s e k a m a t a d s s e n is u b d n a s m e ts y s n o it a m r o f n i . S S S C C d li u b o t d e e n t n e g r u n a s i e r e h t , d e s a e r c n i y ti r u c e s d u o l c f o y g o l o n h c e t w e
N encrypiton help sto provide more effecitve overal lnetwork n o it c e t o r p y ti r u c e
s . Throught heanaly is soft her equriement so fclouds ecurtiycryptographs ervicei n s s e n e v it c e ff e e h t e v o r p m i o t s a o s d e t c u rt s n o c d n a d e n g is e d s i S S S C C , m e ts y s n o it a m r o f n i r e w o
p fo
e t a r g e t n i , y ti r u c e s n o it p y r c n e l l a r e v o d n a n o it a c if i c e p s n o it p y r c n e m e ts y s f o n o it a l u m r o f d e if i n u e v it c e ff e d n a e v is n e h e r p m o c e r o m g n i d i v o r p d n a , s d o h t e m d n a s e i g o l o n h c e t n o it p y r c n e g n it si x e s e c i v r e s n o it p y r c n e d u o l c f o t n e m e g a n a m d n a g n ir a h s e c r u o s e
r based on t hesy tsem cloud service m r o ft a l
p ][ . 1
r e w o P n i e c i v r e S n o it p y r c n E d u o l C f o s is y l a n A t n e m e r i u q e R t n e m e r i u q e
R Analy is so C f loudSecurtiyi Pn owerInforma itonSystem
n i h c t a p si d r e w o p , m e ts y s l o rt n o c r e w o p s e d u l c n i y l n i a m m e ts y s n o it a m r o f n i r e w o p e h
T g sy tsem ,
d e d e e n s i si s y l a n a k si R . m e ts y s n o it a m r o f n i t n e m e g a n a m d e t a l e r d n a m e ts y s g n is s e c o r p a t a d s s e n is u b d n a s a e r a k si r y e k y ti r u c e s d u o l c n e v e s s e d u l c n i y l n i a m t I . s d e e n y ti r u c e s d u o l c k r o w t e n s ti r o f y ti r u c e s d u o l c e h t y b d e z ir a m m u s st a e r h t y ti r u c e
s alilanceCSA( CanadianStandard sAssociaiton .) g n it u p m o C d u o l C f o e s U s u o ir a f e N d n a e s u b
A , InsecureI ntefrace sandAPIs, MailciousI n isders, s e u s s I y g o l o n h c e T d e r a h
S , Data Los so rLeakage, Accoun to rService Hjiacking, Unknown Rsik . e li f o r
P Thecon ifdenitaltiy,i ntegrtiyandavaliab litiyo fnetworki nformaitons ecurtiyaret hreeba isc , ts ri F . e c i v r e s n o it p y r c n e d u o l c e s u o t s e si r p r e t n e r e w o p r o f d n a m e d c is a b t s o m e h t o sl a si t I .s e t u b ir tt a s d u o l c e h t , g n is s e c o r p d n a n o it a m r o f n i d u o l c e h t o t g n i d a o l p u r e tf
a ervicecan onlybeaccessed o r d n a e u rt , e t e l p m o c e b d l u o h s a t a d d e t a l e r e c i v r e s d u o l c e h t , d n o c e S . s r e s u d e z ir o h t u a e h t y b d e s u . . d e w e i v e r e b n a c d n a d e y o rt s e d r o d e g r o f , d e r e p m a t , d e t a l u p i n a m y ll a g e ll i e b t o n n a c d n a , e v it c e ff e a a t a d , k r o w t e n e h t , d ri h
T nds ervicehaveconitnutiyand itmeilness ,ensu irngt hatt heclouds ervicei s s r e s u d e z ir o h t u a e h t r o f e m it n i d e s
The needs on relevant hierarchy of power information cloud encryption services: the bottom is the infrastructure security, including basic platform security, virtualization security and safety management; the middle is data security, the top is cloud encryption service, peripheral include network security access related detection and defense technology [4], the demands mainly include:
(1) The cloud encryption service platform is built to provide unified, standardized and efficient encryption underlying services for the new key business and management information system of the power industry, and provide diverse cryptograph service components and program call interfaces.
(2) A perfect key management system is gradually established to provide a standard key management underlying service for the information system.
(3) Unified customization and encapsulation of commercial cipher algorithm and key management interface, meeting the application requirements of security mechanisms such as information encryption, identity authentication, integrity verification, digital signature and key management in the development of information project, providing multi-platform, multi-level standard cryptograph interface software package (CryptoAPI).
(4) According to the construction of power information system security strategy and related laws and regulations, formulating relevant cryptograph and encryption technology and product application technical specifications and guidelines, and further standardize the application of cryptograph technology in power information system.
The Distribution of Cloud Encryption Services
[image:2.595.146.451.394.611.2]Using Unified Threat Management (UTM), which is equivalent to the integration of anti-virus software, firewall and intrusion detection system, the CCSSS constructed needs to form a unified management distribution, as shown in Figure 1.
Figure 1. Distribution of encrypted cloud encryption services
System Design and Implementation
Structure Design of CCSSS
component; ④CryptoAPI - The cipher service application programming interface component after the second encapsulation for the power industry. Write a programmer's manual for the application of cryptograph technology in the power industry to provide accurate and detailed description of function calls and typical routines.
[image:3.595.155.439.172.407.2]Through the organic combination of the above security components, the power industry CCSSS can provide a full range of multi-level security for the cloud terminal users. The CCSSS structure of the power industry is shown in Figure 2.
Figure 2. The CCSSS structure of the power industry
Among them, the CSP abstract device layer is between the standard interface layer and the hardware device layer. It hides the call and implementation details of the underlying device for the upper interface program, and provides all functions supported by the cryptograph device for the upper program, providing flexible programming interface environment.
The CryptoAPI interface is a programming interface that provides cryptograph operations and key management directly for the cloud user application system, use the hardware cryptograph device to complete the popular cryptograph algorithm, public key cryptographic algorithm and HASH and MAC cipher algorithm which are in line with Chinese commercial cryptograph specification.
PKCS11 conforms to the cryptograph functional programming interface of RSA's PKCS#11 cryptograph function call interface standard. The power industry CCSSS PKCS11 provides the main function provided by PKCS#11 interface.
Other layers are mainly enterprise customized CryptoAPI and SSL secure sockets layer system services, Cert certificate management services, etc., which can be directly invoked by the upper application system.
The Composition and Function of CCSSS
For the power industry CCSSS, the safety function of every component is different and complement from the view of computer operation system, and form a CCSSS of power industry application system. It mainly includes:
(1) Core cryptograph function module. Preserving the confidentiality of stored and transmitted information through a trusted and high-performance cryptograph algorithm, which consists of oriented C++ environment Crypto-C and Java oriented environment Crypto-J.
(2) Security protocol SSL module. According to the industrial standard security protocol, the encryption service of application system transport layer is provided. The specific functions of SSL-C include SSL and TLS, CA authentication supporting multiple configurations and certificate service.
to sign and authenticated the data, and to distribute and authenticate the exchange key, so that the two level key is not exposed outside the encryption card in the form of plaintext in the process of generation, distribution and setup.
Implementation and Deployment of CCSSS
Implementation of CCSSS
(1) Access new encryption card, encryption IC card and USB key through the CSP layer; Access SJY series cipher machine through PKCS#11 and vendor proprietary interface in an abstract device layer; Project oriented application development, provide C language and JAVA environment cryptograph service interface components PKCS11, JCE and CryptoAPI; Key support application development based on Windows 2K, SCO UNIX, Linux AIX and HP-UX server system and minicomputer, and provides application development manual [3,5] .
(2) For PKI (Public Key Infrastructure) series of server-based password machine, encryption IC card and USB Key, shielding the details of the implementation of cryptograph to achieve a common password service interface to ensure that the various information systems in the development, production, operation and maintenance various stages, can flexibly choose and replace the cryptograph hardware equipment from different vendors, to improve the independence and interchangeability of cryptograph technology application equipment.
(3) The encryption platform combined with the improved Homomorphic Encryption (HE) technology, High intensively encrypts the private key used for decryption, and encrypts the user privacy data [6,8] .
(4) Realize encrypted information sharing. The standard algorithm is used to lay a good foundation for the sharing of encrypted data between the systems; Provide a unified cryptograph support services based on the unified application platform, to ensure the unity of key management, encryption algorithm, and key length between two or more systems that require information exchange; The data exchange with third party should be completed by encryption machine.
(5) According to the practical requirements of development project using security encoding, Based on the standard cryptograph interfaces PKCS # 11, CSP (Commerce Server Provider) and JCE, the power industry specific Crypto Application Programming Interface (CryptoAPI) is identified and encapsulated to shield the complexity of the application of the standard crypto interface.
(6) For the power industry outlets and management system cloud client, provides CSP and PKCS#11 two kinds of interface software cryptograph computing module, and according to the actual needs supporting the use of encryption IC card and USB key two hardware interfaces, focusing on cloud client key storage and digital signature verification issues.
Deployment and Application of CCSSS
CCSSS provides encryption services for all kinds of UNIX and Windows cryptograph secure API (Application Programming Interface), static libraries, dynamic libraries, service components and Java class libraries or cryptograph security middleware. It usually provides cryptograph support services based on PKI and KMI (Key Management Infrastructure), while internal encryption services provide encryption protection for data transmission and data storage. The application deployment of the application systems to encrypted cloud encryption services is shown in Figure 3.
Among them, the deployment of encryption service in the power business application is as follows: (1) The "Cloud Encryption Service Module" is invoked by "Business Logic" and invokes the "Cloud Encryption Service Component" deployed on the "Integrated Platform" to directly perform the encryption service.
(3) The encryption service can be invoked directly through the cloud encryption service API in the application. It is convenient to realize the encryption protection of data transmission between applications by using the integrated platform (mode ① and ②). For applications that are not integrated on the integrated platform (mode ③), the same encryption and decryption basic component (API) is used to implement the encryption problem of data transmission [7] .
Figure 3. Encrypted cloud encryption service deployment of application system
Usually, encrypted basic component is applied when data is transmitted, and CCSSS is applied to the application system after combining with communication basic component. It enables cloud security processing to invoke application logic and reduce the complexity of application system construction. The actual application effect mainly embodies 5 aspects:
(1) In the two levels of the head office and the branch office, the sharing of various resources of the cloud security cryptograph can be realized, and the repeated investment of the cryptograph devices can be avoided.
(2) In the follow-up development of information projects, there is no need to repeat the development of cryptograph operation processing modules, which can speed up the progress of the project and save a lot of manpower and material resources.
(3) There is no need to worry about the problems of after-sale service and equipment shutdown by realizing the upgrading and expansion of the power cloud security cryptograph products.
(4) Overall improvement of the security level and effectiveness of the power information system. (5) Strengthen the key management service through the cloud and the server side. It includes generation, storage, distribution, input and output, update and discarding of the key. The symmetric key adopts three level key system (main key, work key and session key), and the public key / private key manages the public key and private key by using the key management infrastructure (KMI).
Conclusion
scheduling of the cryptograph execution unit and the management functions of the overall system security mechanism.
The encryption platform combines the improved homomorphic encryption technology to encrypt the private key used for the decryption, and encrypts the cloud data with the new homomorphic encryption technology [8]. For the cryptograph computing speed of the resource encryption platform, the test shows that the key to meet the requirement can be generated in a short time.
Acknowledgement
This research was financially supported by the National Science Foundation (61402280). Computer Technology discipline of Shanghai Jianqiao University (AASH1609).
References
[1] T.J. Jia, W.D. Tao, Network Security Technology and Applications, third ed., Machinery Industry Press, Bei Jing, 2017.
[2] T.J. Jia, F.J. Zhang, J.J. Lin, X.M. Xiao, Cloud computing security for power information system, J. Electrical Automation, 2015, pp. 28-32.
[3] T.J. Jia, Z.H. Feng, X.M. Xiao, F.J. Zhang, Active safety defense model and structure of secondary power system, J. Journal of Shanghai Dianji University, 2014, pp. 16-20.
[4] AnyView (Network Police). Cloud computing service data security, data encryption method to achieve cloud data security, http://www.amoisoft.com/lib/article/2016-3-28/2016328114548 7922.htm
[5] T.J. Jia, X.M. Xiao, F.J. Zhang, Z.H. Feng, Analysis and design of intelligent NIPS based on cloud security, J. WIT Transactions on Engineering Sciences, 2014, pp. 155-163.
[6] Y.Y. Luo, T.J. Jia,. Attacks On a Double Length Blockcipher-based Hash Proposal, Cryptograph and Communications, New York, 2014, pp. 210-215.
[7] S.D. Li, J.W. Dou, D.S. Wang, Homomorphic encryption algorithm and its application in cloud security, J. Computer Research and Development, 52 (2015) ,pp. 1378-1388.
