Encryption Card
This PCI-E cryptographic card supports domestic SM1, SM2, SM3, SM4, SM9 cryptographic algorithms and hardware true random number generation, compliant with national cryptographic security and reliability standards and module level 2 testing requirements, supporting PCI-Ex4 and above hardware interfaces. The cryptographic card has data encryption/decryption processing functions and provides identity authentication, digital signature, and data integrity verification functions, with secure and effective key management and device management functions, capable of providing secure and effective key protection measures.
The cryptographic card can be applied in server cryptographic machines, network cryptographic machines, security gateways, IPSec/SSL VPN, and other commercial cryptographic devices, providing basic cryptographic services such as data encryption/decryption, signature verification, and key exchange for devices; it can be applied in various security servers, providing key management, encryption/decryption, signature verification, and other services for server secure login, encrypted storage, and other business needs with security requirements; it is widely suitable for application fields such as VPN, PKI, e-government, and e-commerce.
Standards and Specifications: The cryptographic card uses a core cryptographic chip approved by the National Cryptography Administration. It complies with the following standards and specifications:
"Cryptographic Device Application Interface Specification" (GM/T 0018-2012)
"SM2 Elliptic Curve Public Key Cryptographic Algorithm" (GM/T 0003-2012)
"SM3 Cryptographic Hash Algorithm" (GM/T 0004-2012)
"SM4 Block Cipher Algorithm" (GM/T 0002-2012)
"SM9 Identity-Based Cryptographic Algorithm" (GM/T 0044-2016)
"Randomness Test Specification" (GM/T 0005-2012)
"PCI Cryptographic Card Technical Specification" (National Cryptography Administration, October 2018)
Main Functions:
SM1, SM4 Algorithms: Support ECB, CBC modes for SM1, SM4 algorithms;
Support generation and verification of MAC message authentication codes based on SM1, SM4 algorithms.
SM2 Algorithm: Support digital signature and verification, encryption and decryption based on SM2 algorithm;
Support generation of SM2 algorithm key pairs;
Support key negotiation based on SM2 algorithm.
SM3 Algorithm: Support generation and verification of data digests based on SM3 hash algorithm.
SM9 Algorithm: Support digital signature and verification, encryption and decryption based on SM9 algorithm;
Support generation of SM9 algorithm key pairs;
Support key negotiation based on SM9 algorithm.
Random Number Generation: Use physical noise sources to generate true random numbers.
Key Management: Support key generation and destruction, import and export, backup and recovery for different algorithms;
Use a three-level key protection system to ensure key security.
Hardware Interface: Support PCI-Ex4 interface;
Can be customized to develop mini-PCIE cryptographic cards, USB cryptographic cards, and user-defined interfaces.
Software Interface: Support the national cryptographic SDF interface, compliant with GM/T 0018-2012 “Cryptographic Device Application Interface Specification”;
Support international standard interfaces such as PKCS#11, JCE, and support customized development of interfaces;
Support calling cryptographic card programming interfaces in operating system kernels and application layers;
Support multi-card parallel calling, support multi-process and multi-thread calling in user mode and kernel mode.
Operating System Support: Support 32/64-bit operating systems such as Linux, Unix.
Support operating systems based on domestic processors such as Loongson, Feiteng, Shenwei, Hisilicon, Zhaoxin.
Other Parameters:
Name | Detailed Description |
---|---|
Physical Characteristics | Product size: standard PCI-E half-height, half-length; weight (including bracket): 118 g |
Electrical Characteristics | Bus type: PCI-E bus; operating power supply: 12 V; power consumption: <15 W |
Environmental Parameters | Operating temperature: -10°C to 70°C; storage temperature: -40°C to 85°C |
Product Features: The cryptographic card has the following features:
High Performance: (1) Leading domestic performance in encryption/decryption algorithms; (2) Unique multi-concurrency technology that maximizes the performance of cryptographic hardware.
Hardware Implementation of SM9 Algorithm: Full hardware implementation of the national cryptographic SM9 algorithm.
High Usability: (1) Comprehensive support for x86, amd64, arm, mips, and other hardware platforms; (2) Support for 32/64-bit operating systems such as Linux, Unix; (3) Support for operating systems based on domestic processors such as Loongson, Feiteng, Shenwei; (4) Fast response service support, capable of rapid customization based on user needs.
Typical Applications: The cryptographic card is mainly applied in the following fields:
Security Products: IPSec/SSL VPN security gateways, server cryptographic machines, financial cryptographic machines, CA servers, etc.
Security Application Systems: Encrypted databases, encrypted storage servers, video transmission and storage encryption systems, secure e-government.
Emerging Industries: Industrial control network encryption security transmission, IoT communication encryption and identity authentication.
Encryption Card Installation
Hardware Installation
- Turn off the system power and unplug the power cord;
- Insert the PCIE cryptographic card into the PCIE slot and secure the bracket;
- Check and confirm that the PCIE cryptographic card is properly installed and fixed, then plug in the system power cord and start the system.
Driver Installation
Obtain the driver installation package from the manufacturer, named something like piico_cc_driver_xxx.tgz, and extract the file package under Linux. The directory and file structure after extraction is as follows:
Directory or File Name | Description |
---|---|
driver/PIICOCard.ko | Kernel module, cryptographic card driver |
driver/Makefile | Kernel module installation script, including creating device files |
lib | User-space dynamic and static libraries |
include | Header files, needed for development |
examples | Contains card management tool piicoTool, and multiple sample programs for cryptographic card calling, users can refer to the source code for development |
Makefile | Root directory Makefile file, can execute make, make install, and make uninstall operations, which will call respective subdirectories |
First, execute make to compile the sample programs under examples; then execute make install to install the kernel module and dynamic libraries. At this point, you can call the card management tool piicoTool and sample programs under examples to manage and use the card.
#Extract driver package
tar -zxvf piico_cc_driver_xxx.tgz
#Enter driver directory
cd piico_cc_driver_xxx
#Compile
make
#Install kernel and dynamic libraries
make install
Common Errors
1. Error “gcc does not exist” during make
Solution: Install the gcc build environment:
sudo apt install gcc
sudo apt install automake
sudo apt-get install make
sudo apt install g++
2. Cannot find module piico_cc_driver/driver/PIICOCard.ko: Invalid module format
Solution: The driver file is incorrect for this system: the running kernel version does not match the version the driver was built against. Contact the manufacturer's technicians to compile a driver file for your kernel version, then replace the installed file:
#Query the directory of the driver file
find / -name PIICOCard.ko
#Copy the compiled driver file to the specified directory
cp PIICOCard.ko /usr/local/src/piico/piico_cc_driver/driver
Usage Process
Management Tool piicoTool
Under the examples directory there are two cryptographic card management tools, piicoTool and piicoToolWP. Users can use them to perform operations on the cryptographic card such as initialization, key management, user management, and permission login. piicoTool is for cryptographic card management with UKEY authentication; piicoToolWP is for management with PIN password authentication. The management operations in this manual are all illustrated with piicoTool. piicoToolWP is operated in the same way, except that no UKEY needs to be inserted and only PIN code authentication is performed. The parameters and functions of the UKEY-authenticated management tool piicoTool are as follows:
Parameter | Example | Description |
---|---|---|
-s | ./piicoTool -s | Display the current login permission and status of the cryptographic card |
-rs | ./piicoTool -rs | Register super administrator, needs to be executed in factory state |
-ra | ./piicoTool -ra | Register administrator, needs to be executed in factory state or with super administrator permission |
-ro | ./piicoTool -ro | Register operator, needs to be executed in factory state or with super administrator permission |
-li | ./piicoTool -li | Identity login |
-ic | ./piicoTool -ic | Initialize file system and key container space, needs to be executed in factory state and with super administrator permission |
-gd | ./piicoTool -gd | Generate device key 0, needs to be executed in initial state and with administrator permission |
-gu | ./piicoTool -gu | Generate user keys 1~9999, needs to be executed in ready state and with administrator permission |
-gk | ./piicoTool -gk | Generate key encryption keys (KEK) 0~1024, needs to be executed in ready state and with administrator permission |
-bu | ./piicoTool -bu target directory/ | Back up all keys in the device, needs to be executed in ready state and with administrator permission. Follow the program prompts to insert three different backup Ukeys in sequence; the backup protection key that protects all keys in the device is stored split across them. On completion the target directory is created, and all keys in the cryptographic card are exported in encrypted form as files whose names begin with the directory name. |
-rd | ./piicoTool -rd target directory/ | Restore device keys, needs to be executed with administrator permission and in initialized state. Follow the prompts to insert any two different backup Ukeys in sequence to reconstruct the split backup key, then the encrypted device key 0 in the target directory is restored. |
-ru | ./piicoTool -ru target directory/ | Restore user keys and KEK keys, needs to be executed with administrator permission and in ready state. Follow the prompts to insert any two different backup Ukeys in sequence to reconstruct the split backup key, then all encrypted user keys and KEK keys in the target directory are restored. |
-ri | ./piicoTool -ri | Reset cryptographic card to factory settings, needs to be used with super administrator permission, no restriction on cryptographic card state |
-mp | ./piicoTool -mp | Modify private key usage permission, needs to be used with administrator permission |
-mk | ./piicoTool -mk | Modify Ukey’s PIN password (piicoToolWP tool corresponds to modifying administrator authentication password) |
Initialization Password
The initialization password for the cryptographic card’s private key usage permission and UsbKey is “wuxipiico”.
Login Process
The cryptographic card is delivered in a ready state for testing, with super administrator, administrator, and operator already set, and all device keys, user keys, and KEK keys generated within the card.
Users can use the “piicoTool -li” command to log in with different Ukeys and obtain the corresponding permissions. After a successful login, removing or replacing the Ukey does not change the login permission of the cryptographic card; when the “piicoTool -li” command is executed again and succeeds, the new permission overwrites the original one.
Reset Process
- Select the super administrator Ukey and login with the “piicoTool -li” command to obtain cryptographic card permission
- Execute the “piicoTool -ri” command to clear all information in the cryptographic card, including registered users, key containers, file system, device keys, user keys, and KEK information.
- At this point, executing the “piicoTool -s” command will show that the cryptographic card is in factory state with no users.
Initialization Process
Note: Use the piicoTool command for Ukey registration; if only using password registration, use the piicoToolWP command. Taking Ukey registration as an example, the cryptographic card initialization process is as follows:
1. Execute the “piicoTool -rs” command to register the super administrator identity.
2. Execute the “piicoTool -li” command to login as the super administrator and obtain the corresponding permission
3. Execute the “piicoTool -ra” command to register the administrator identity
4. Execute the “piicoTool -ro” command to register the operator identity
5. Execute the “piicoTool -ic” command to perform initialization of the key system and file system
6. At this point, the cryptographic card enters the initialized state. Only the administrator permission can work in the initialized state, so execute the “piicoTool -li” command to log in as the administrator and obtain the corresponding permission.
7. Execute the “piicoTool -gd” command to generate the device key
8. At this point, the cryptographic card enters the ready state, execute the “piicoTool -gu” command to generate all user keys of the cryptographic card.
9. Execute the “piicoTool -gk” command to generate all KEK keys of the cryptographic card. At this point, the cryptographic card initialization is complete, and encryption/decryption operation tests can be performed. After shutdown and restart, the state and key status of the cryptographic card will not change, and it can be reused after re-login.
Backup Process
After the cryptographic card initialization is complete, the key information in the card can be backed up, which requires administrator permission, and the process is as follows.
(1) Execute the “piicoTool -li” command to login as the administrator and obtain the corresponding permission, skip this step if already logged in.
(2) Execute the “piicoTool -bu /dir/” command to back up all keys in the cryptographic card to the specified directory in encrypted form.
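Both the -bu/-rd/-ru table entries and the Backup Process above describe the same property of the backup protection key: it is split across three backup Ukeys at backup time, and any two of them are enough to reconstruct it at restore time, so the loss of one Ukey neither blocks a restore nor exposes the key. The manual does not state which scheme the card uses; the following is an added illustration (not the manufacturer's code) of a 2-of-3 Shamir threshold split that has exactly that property, using a constructed 32-byte key and this example's own function names `split_key` and `recover_key`.

```python
"""Illustrative 2-of-3 threshold split of a backup-protection key.
Added example; the card's actual scheme is not documented in the manual."""
import secrets

# Field prime for the arithmetic: Mersenne prime 2^521 - 1. Every 32-byte key
# is smaller than P, so it can be used directly as the polynomial's constant term.
P = (1 << 521) - 1
KEY_BYTES = 32


def split_key(key: bytes, shares: int = 3, threshold: int = 2):
    """Split key into `shares` points on a random polynomial of degree threshold-1
    whose constant term is the key. Any `threshold` points recover it."""
    if len(key) != KEY_BYTES:
        raise ValueError("expected a %d-byte key" % KEY_BYTES)
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    secret = int.from_bytes(key, "big")
    # Random coefficients make any set of fewer than `threshold` shares
    # statistically independent of the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):          # x = 1, 2, 3: one point per Ukey
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        points.append((x, y))
    return points


def recover_key(points) -> bytes:
    """Lagrange-interpolate f(0) from any `threshold` (or more) distinct points."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % P     # numerator of the Lagrange basis at x=0
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    # A correct reconstruction always fits in KEY_BYTES; an OverflowError here
    # means the presented shares did not come from the same backup.
    return secret.to_bytes(KEY_BYTES, "big")


if __name__ == "__main__":
    # Constructed sample key; a real backup-protection key would come from the card.
    key = secrets.token_bytes(KEY_BYTES)
    ukey1, ukey2, ukey3 = split_key(key)
    print("restore with Ukeys 1+3 ok:", recover_key([ukey1, ukey3]) == key)
    print("restore with Ukeys 2+3 ok:", recover_key([ukey2, ukey3]) == key)
```

The design point for the backup operator is that a single share is useless on its own, so the three Ukeys can be stored in separate locations, and a restore can still proceed after one of them is lost or damaged; conversely, two of the three together are equivalent to the whole backup protection key and must be controlled as such.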
Upgrade Process
(1) Contact the manufacturer to obtain the upper upgrade package;
(2) Confirm that the files gm_destroy_x.x.srec and gm_release_x.x.srec are in the upper directory;
(3) First execute ./upper gm_destroy_x.x.srec
(4) Power off and restart the machine
examples Sample Description
In the examples folder under the driver directory, there are many usage samples. The general functions are as follows:
Sample File Name | Sample Description |
---|---|
piicoTool | Card management tool based on UKEY |
piicoToolWP | Card management tool based on PIN code |
std_sm1 | SM1 algorithm standard data encryption/decryption |
std_sm2 | SM2 algorithm signature/verification, encryption/decryption |
std_sm3 | SM3 algorithm call example |
std_sm4 | SM4 algorithm standard data encryption/decryption |
AllTest | Contains many function usage examples |
menu | Contains many function usage examples, in menu form |