Encryption Card
This PCI-E cryptographic card supports domestic SM1, SM2, SM3, SM4, SM9 cryptographic algorithms and hardware true random number generation, meeting the national cryptographic security and reliability requirements and module level 2 inspection standards. It supports PCI-Ex4 and above hardware interfaces. The cryptographic card has data encryption/decryption processing functions and provides identity authentication, digital signature, and data integrity verification functions, with secure and effective key management and device management functions, capable of providing secure and effective key protection measures.
The cryptographic card can be applied in server cryptographic machines, network cryptographic machines, security gateways, IPSec/SSL VPN, and other commercial cryptographic devices, providing basic cryptographic services such as data encryption/decryption, signature verification, and key exchange for devices; it can also be applied in various security servers, providing key management, encryption/decryption, and signature verification services for server security login, encrypted storage, and other business needs with security requirements; it is widely suitable for application fields such as VPN, PKI, e-government, and e-commerce.
Standards and Specifications: The cryptographic card uses a core cryptographic chip approved by the National Cryptography Administration. It complies with the following standards and specifications:
"Cryptographic Device Application Interface Specification" (GM/T 0018-2012)
"SM2 Elliptic Curve Public Key Cryptographic Algorithm" (GM/T 0003-2012)
"SM3 Cryptographic Hash Algorithm" (GM/T 0004-2012)
"SM4 Block Cipher Algorithm" (GM/T 0002-2012)
"SM9 Identity-Based Cryptographic Algorithm" (GM/T 0044-2016)
"Randomness Test Specification" (GM/T 0005-2012)
"PCI Cryptographic Card Technical Specification" (National Cryptography Administration, October 2018)
Main Functions:
SM1, SM4 Algorithms: Supports ECB, CBC modes of SM1, SM4 algorithms;
Supports generation and verification of MACs (message authentication codes) based on the SM1 and SM4 algorithms.
SM2 Algorithm: Supports digital signature and verification, encryption and decryption based on SM2 algorithm;
Supports key pair generation of SM2 algorithm;
Supports key agreement based on the SM2 algorithm.
SM3 Algorithm: Supports generation and verification of data digests based on SM3 hash algorithm.
SM9 Algorithm: Supports digital signature and verification, encryption and decryption based on SM9 algorithm;
Supports key pair generation of SM9 algorithm;
Supports key agreement based on the SM9 algorithm.
Random Number Generation: Uses physical noise sources to generate true random numbers.
Key Management: Supports key generation, destruction, import, export, backup, and recovery for different algorithms;
Adopts a three-level key protection system to ensure key security.
Hardware Interface: Supports PCI-Ex4 interface;
Can be customized to develop mini-PCIE cryptographic cards, USB cryptographic cards, and user-defined interfaces.
Software Interface: Supports the national cryptographic SDF interface, compliant with GM/T 0018-2012 “Cryptographic Device Application Interface Specification”;
Supports international standard interfaces such as PKCS#11, JCE, and supports custom development of interfaces;
Supports calling cryptographic card programming interfaces in operating system kernels and application layers;
Supports multi-card parallel calling, and multi-process, multi-thread calling in user mode and kernel mode.
Operating System Support: Supports 32/64-bit operating systems such as Linux, Unix.
Supports operating systems based on domestic processors such as Loongson, Feiteng, Shenwei, Hisilicon, Zhaoxin.
Other Parameters:
Name | Detailed Description |
---|---|
Physical Characteristics | Product size: standard PCI-E half-height, half-length; weight (including bracket): 118 g |
Electrical Characteristics | Bus type: PCI-E bus; power supply: 12 V; power consumption: <15 W |
Environmental Parameters | Operating temperature: -10°C to 70°C; storage temperature: -40°C to 85°C |
Product Features: The cryptographic card has the following features:
High Performance: (1) Leading domestic performance in encryption/decryption algorithms; (2) Unique multi-concurrency technology that maximizes the performance of cryptographic hardware.
Hardware Implementation of SM9 Algorithm: Full hardware implementation of the national cryptographic SM9 algorithm.
High Usability: (1) Comprehensive support for x86, amd64, arm, mips, and other hardware platforms; (2) Supports 32/64-bit operating systems such as Linux, Unix; (3) Supports operating systems based on domestic processors such as Loongson, Feiteng, Shenwei; (4) Fast response service support, capable of rapid customization based on user needs.
Typical Applications: The cryptographic card is mainly applied in the following fields:
Security Products: IPSec/SSL VPN security gateways, server cryptographic machines, financial cryptographic machines, CA servers, etc.
Security Application Systems: Encrypted databases, encrypted storage servers, video transmission and storage encryption systems, secure e-government.
Emerging Industries: Industrial control network encryption secure transmission, IoT communication encryption and identity authentication.
Encryption Card Installation
Hardware Installation
- Turn off the system power and unplug the power cord;
- Insert the PCIE cryptographic card into the PCIE slot and secure the bracket;
- Check and confirm that the PCIE cryptographic card is properly installed and fixed, then plug in the system power cord and start the system.
Driver Installation
Obtain the driver installation package from the manufacturer (named like piico_cc_driver_xxx.tgz) and extract it under Linux. The directory and file structure after extraction is as follows:
Directory or File Name | Description |
---|---|
driver/PIICOCard.ko | Kernel module, cryptographic card driver |
driver/Makefile | Kernel module installation script, including creating device files |
lib | User-space dynamic and static libraries |
include | Header files, needed for development |
examples | Contains card management tool piicoTool, and multiple sample programs for cryptographic card calling, users can refer to the source code for development |
Makefile | Root directory Makefile, can execute make, make install, and make uninstall operations, which will call respective subdirectories |
First, execute make to compile the sample programs in examples; then execute make install to install the kernel module and dynamic libraries. After that, the card management tool piicoTool and the sample programs in examples can be used to manage and use the card.
```shell
# Extract the driver package
tar -zxvf piico_cc_driver_xxx.tgz
# Enter the driver directory
cd piico_cc_driver_xxx
# Compile
make
# Install the kernel module and dynamic libraries
make install
```
Common Errors
1. Error “gcc does not exist” during make
Solution: install the gcc build environment:
```shell
sudo apt install gcc
sudo apt install automake
sudo apt-get install make
sudo apt install g++
```
2. Cannot find module piico_cc_driver/driver/PIICOCard.ko: Invalid module format
Solution: the driver file does not match the system; the running kernel version differs from the kernel the driver was built for. Contact the manufacturer's technicians to compile the driver against the system kernel, then replace the file:
```shell
# Locate the installed driver file
find / -name PIICOCard.ko
# Copy the newly compiled driver file to that directory
cp PIICOCard.ko /usr/local/src/piico/piico_cc_driver/driver
```
Usage Process
Management Tool piicoTool
The examples directory contains two cryptographic card management tools, piicoTool and piicoToolWP. They perform operations on the cryptographic card such as initialization, key management, user management, and permission login. piicoTool is for cards managed with UKEY authentication, and piicoToolWP for cards managed with PIN password authentication. The management operations in this manual are all illustrated with piicoTool; piicoToolWP works the same way, except that no UKEY is inserted and only PIN code authentication is performed. The parameters and functions of piicoTool (UKEY authentication) are as follows:
Parameter | Example | Description |
---|---|---|
-s | ./piicoTool -s | Displays the current login permission and status of the cryptographic card |
-rs | ./piicoTool -rs | Registers a super administrator, needs to be executed in the factory state |
-ra | ./piicoTool -ra | Registers an administrator, needs to be executed in the factory state or with super administrator permission |
-ro | ./piicoTool -ro | Registers an operator, needs to be executed in the factory state or with super administrator permission |
-li | ./piicoTool -li | Identity login |
-ic | ./piicoTool -ic | Initializes the file system and key container space, needs to be executed in the factory state and with super administrator permission |
-gd | ./piicoTool -gd | Generates device key 0, needs to be executed in the initial state and with administrator permission |
-gu | ./piicoTool -gu | Generates user keys 1-9999, needs to be executed in the ready state and with administrator permission |
-gk | ./piicoTool -gk | Generates key encryption keys (KEK) 0-1024, needs to be executed in the ready state and with administrator permission |
-bu | ./piicoTool -bu Target Directory/ | Backs up all keys in the device; needs to be executed in the ready state with administrator permission. Follow the program prompts to insert three different backup Ukeys in sequence; the backup protection key that protects the backup of all keys in the device is stored split across them. On completion the target directory is created and all keys in the cryptographic card are exported, encrypted, to files whose names begin with the directory name. |
-rd | ./piicoTool -rd Target Directory/ | Restores the device key; needs to be executed with administrator permission in the initialized state. Follow the prompts to insert any two different backup Ukeys in sequence to recover the split backup key; the encrypted device key 0 in the target directory is then restored. |
-ru | ./piicoTool -ru Target Directory/ | Restores user keys and KEK keys; needs to be executed with administrator permission in the ready state. Follow the prompts to insert any two different backup Ukeys in sequence to recover the split backup key; all encrypted user keys and KEK keys in the target directory are then restored. |
-ri | ./piicoTool -ri | Resets the cryptographic card to factory settings, needs to be used with super administrator permission, no restriction on the cryptographic card state |
-mp | ./piicoTool -mp | Modifies the private key usage permission, needs to be used with administrator permission |
-mk | ./piicoTool -mk | Modifies the Ukey’s PIN password (piicoToolWP tool corresponds to modifying the administrator authentication password) |
Initialization Password
The initialization password for the cryptographic card’s private key usage permission and UsbKey is “wuxipiico”.
Login Process
The cryptographic card is delivered in a ready state for testing, with super administrator, administrator, and operator already set, and all device keys, user keys, and KEK keys generated.
Users can use the “piicoTool -li” command to select different Ukeys to obtain different permissions for login. After successful login, removing or replacing the Ukey will not change the login permission of the cryptographic card. When “piicoTool -li” is executed again and succeeds, the new permission will overwrite the original permission.
Reset Process
- Select the super administrator Ukey and use the “piicoTool -li” command to log in and obtain cryptographic card permission.
- Execute the “piicoTool -ri” command to clear all information in the cryptographic card, including registered users, key containers, file system, device keys, user keys, and KEK information.
- At this point, executing the “piicoTool -s” command will show that the cryptographic card is in the factory state with no users.
Initialization Process
Note: Use the piicoTool command for Ukey registration; if only password registration is used, use the piicoToolWP command. Taking Ukey registration as an example, the cryptographic card initialization process is as follows:
1. Execute the “piicoTool -rs” command to register the super administrator identity.
2. Execute the “piicoTool -li” command to log in as the super administrator and obtain the corresponding permission.
3. Execute the “piicoTool -ra” command to register the administrator identity.
4. Execute the “piicoTool -ro” command to register the operator identity.
5. Execute the “piicoTool -ic” command to initialize the key system and file system.
6. The cryptographic card now enters the initialization state, in which only the administrator permission can work, so execute the “piicoTool -li” command to switch to the administrator identity and obtain the corresponding permission.
7. Execute the “piicoTool -gd” command to generate the device key.
8. The cryptographic card now enters the ready state; execute the “piicoTool -gu” command to generate all user keys of the cryptographic card.
9. Execute the “piicoTool -gk” command to generate all KEK keys of the cryptographic card. Initialization is now complete, and encryption/decryption operation tests can be performed. Shutting down and restarting does not change the card's state or key status; after logging in again it can be used as before.
Backup Process
After the cryptographic card initialization is complete, the key information in the card can be backed up. Backup requires administrator permission, and the process is as follows.
(1) Execute the “piicoTool -li” command to log in with the administrator identity and obtain the corresponding permission; skip this step if already logged in.
(2) Execute the “piicoTool -bu /dir/” command to back up all keys in the cryptographic card into encrypted files in the specified directory.
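The backup described above splits the backup protection key across three backup UKeys, and either -rd or -ru recovers it from any two of them. The manual does not say which scheme the card uses; the following added example (not the card's or manufacturer's code) shows how a (2,3) threshold scheme, Shamir's secret sharing over GF(2^8), gives exactly that property, and why one UKey on its own reveals nothing about the key. The 128-bit key length, the field polynomial and the sample key and coefficient bytes are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16   /* assumed size of one backup protection key (128 bits, SM4-sized) */
typedef struct { uint8_t x; uint8_t y[KEY_LEN]; } share_t;   /* the share held by one backup UKey */

/* Arithmetic in GF(2^8) with the polynomial x^8+x^4+x^3+x+1 (any irreducible polynomial works). */
uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (; b; b >>= 1, a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0)))
        if (b & 1) r ^= a;
    return r;
}
uint8_t gf_inv(uint8_t a) {   /* a^254 == a^-1 for a != 0 */
    uint8_t r = 1;
    for (int i = 0; i < 254; i++) r = gf_mul(r, a);
    return r;
}

/* Split: per byte, f(x) = secret + coef*x; UKey s holds f(s). coef must be fresh random bytes
   (e.g. from the card's TRNG); the caller supplies it here so the demonstration is deterministic. */
void split_2of3(const uint8_t secret[KEY_LEN], const uint8_t coef[KEY_LEN], share_t out[3]) {
    for (int s = 0; s < 3; s++) {
        out[s].x = (uint8_t)(s + 1);
        for (int i = 0; i < KEY_LEN; i++) out[s].y[i] = secret[i] ^ gf_mul(coef[i], out[s].x);
    }
}

/* Recover f(0) from any two distinct shares by Lagrange interpolation ('+' is XOR in GF(2^8)):
   f(0) = y_a * x_b/(x_a+x_b) + y_b * x_a/(x_a+x_b). Returns -1 if both shares come from the same UKey. */
int recover_2of3(const share_t *a, const share_t *b, uint8_t secret[KEY_LEN]) {
    if (a->x == b->x) return -1;
    uint8_t inv = gf_inv(a->x ^ b->x), la = gf_mul(b->x, inv), lb = gf_mul(a->x, inv);
    for (int i = 0; i < KEY_LEN; i++) secret[i] = gf_mul(a->y[i], la) ^ gf_mul(b->y[i], lb);
    return 0;
}

/* Every pair of UKeys recovers the key, and no single UKey's share equals it. Returns 1 on success. */
int backup_roundtrip_ok(void) {
    const uint8_t key[KEY_LEN]  = {0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xfe,0xdc,0xba,0x98,0x76,0x54,0x32,0x10}; /* constructed */
    const uint8_t coef[KEY_LEN] = {0x3c,0x91,0xe7,0x08,0x5a,0xd2,0x44,0xb6,0x19,0xf0,0x2d,0xc3,0x87,0x6e,0xa5,0x11}; /* constructed */
    share_t sh[3]; uint8_t rec[KEY_LEN];
    split_2of3(key, coef, sh);
    for (int i = 0; i < 3; i++) {
        if (memcmp(sh[i].y, key, KEY_LEN) == 0) return 0;   /* a lone UKey must not expose the key */
        for (int j = i + 1; j < 3; j++)
            if (recover_2of3(&sh[i], &sh[j], rec) != 0 || memcmp(rec, key, KEY_LEN) != 0) return 0;
    }
    return 1;
}
```

The exported key files are only as safe as the UKeys that hold the shares: losing two of the three makes the backup unrecoverable, and anyone holding two can decrypt it.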
Upgrade Process
(1) Contact the manufacturer to obtain the upper upgrade package;
(2) Confirm that the files gm_destroy_x.x.srec and gm_release_x.x.srec are in the upper directory;
(3) First execute ./upper gm_destroy_x.x.srec
(4) Power off and restart the machine
examples Sample Explanation
In the examples folder under the driver directory, there are many usage samples. The general functions are as follows:
Sample File Name | Sample Description |
---|---|
piicoTool | Card management tool based on UKEY |
piicoToolWP | Card management tool based on PIN code |
std_sm1 | SM1 algorithm standard data encryption/decryption |
std_sm2 | SM2 algorithm signature/verification, encryption/decryption |
std_sm3 | SM3 algorithm call sample |
std_sm4 | SM4 algorithm standard data encryption/decryption |
AllTest | Contains many functional usage samples |
menu | Contains many functional usage samples, in menu form |