Alibaba Cloud Encryption Service
The encryption service is built on hardware cryptographic machines (HSMs) certified by the State Cryptography Administration and provides data encryption and decryption services in the cloud. Users can manage keys safely and reliably, and can use a variety of cryptographic algorithms to perform reliable encryption and decryption operations on cloud business data.
Edited at 2024-01-16 09:41:36
Alibaba Cloud Encryption Service
Product introduction
Overview
The encryption service runs on hardware cryptographic machines that have been tested and certified by the State Cryptography Administration or that hold FIPS 140-2 Level 3 certification.
Through virtualization, the service helps users meet regulatory compliance requirements for data security and protect the privacy of business data in the cloud. With the encryption service, users can manage keys safely and reliably, and can use a variety of cryptographic algorithms to perform reliable encryption and decryption operations on data.
The cryptographic service can help you perform cryptographic calculations such as:
Generate, store, import, export, and manage encryption keys, including symmetric keys and asymmetric key pairs.
Encrypt and decrypt data using symmetric and asymmetric algorithms.
Compute message digests with hash functions and hash-based message authentication codes (HMAC).
Digitally sign data and verify signatures.
Generate secure random data.
Application scenarios
Migrate an on-premises cryptographic machine application to a cloud server
When an application that uses a cryptographic machine in your own data center is migrated to a cloud server, the encryption service can directly replace the on-premises cryptographic machine for data encryption and decryption, signature verification and other functions, protecting the security of your cloud data.
Financial payment related fields
For example, in scenarios such as securities and bank payment and settlement, you can use the financial data cryptographic machine EVSM to implement PIN encryption, PIN translation and similar functions to protect financial data; in scenarios such as network payment platform settlement and clearing, you can use the signature verification server SVSM to implement signature verification, certificate parsing and certificate chain verification, ensuring the authenticity, integrity and non-repudiation of the business.
Provide compliant encryption and decryption functions for encryption applications
For example, you can use the encryption service to back Alibaba Cloud Dedicated KMS for encrypting and decrypting sensitive data in application systems, to encrypt and decrypt database data for database encryption applications, and to encrypt and decrypt file storage for file encryption applications.
Supports SSL offloading for HTTPS websites
The encryption service provides SSL offloading, which reduces the load on the web server and improves client response time. At the same time, the certificate private key is generated inside the cryptographic machine, which strengthens private key protection and prevents the private key from being leaked from the server.
Protect certificate private key
For digital certificates issued by certificate authorities, you can store the certificate private key in a cryptographic machine and use the cryptographic machine to perform signing operations to protect the security of your certificate private key.
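The property described in the two scenarios above (SSL offloading and protecting the certificate private key) is that the application and the TLS stack only ever hold a handle to the key, while signing happens inside the cryptographic machine. The following Go program is an added illustration of that pattern and is not code from Alibaba Cloud or from the encryption service: the `hsmVault` and `hsmSigner` types are hypothetical stand-ins that keep the key in process, where a real deployment would call the cryptographic machine through one of the interfaces listed under Features (for example PKCS#11). Go's `crypto.Signer` interface is what `x509` and `tls` use, so the same wrapper shape also covers the "sign data and verify signatures" capability from the overview.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"time"
)

// hsmVault is a hypothetical in-process stand-in for a cryptographic machine
// instance. Keys live only inside it, addressed by a handle, and there is
// deliberately no method that returns private key material.
type hsmVault struct {
	keys    map[string]*ecdsa.PrivateKey
	signOps int // how many signing operations the "machine" performed
}

func newHSMVault() *hsmVault { return &hsmVault{keys: map[string]*ecdsa.PrivateKey{}} }

// GenerateKey creates a P-256 key pair inside the vault under the given handle.
func (v *hsmVault) GenerateKey(handle string) error {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	v.keys[handle] = k
	return nil
}

// hsmSigner is what the application holds: a handle and access to the public
// key. It satisfies crypto.Signer, so the x509 and tls packages can use it
// without ever seeing the private scalar.
type hsmSigner struct {
	vault  *hsmVault
	handle string
}

func (s *hsmSigner) Public() crypto.PublicKey {
	k, ok := s.vault.keys[s.handle]
	if !ok {
		return nil
	}
	return &k.PublicKey
}

// Sign receives only the digest; the private key is used inside the vault.
func (s *hsmSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	k, ok := s.vault.keys[s.handle]
	if !ok {
		return nil, errors.New("unknown key handle")
	}
	s.vault.signOps++
	return ecdsa.SignASN1(r, k, digest)
}

// issueSelfSigned builds a self-signed certificate whose private key never
// leaves the vault; a CSR sent to a certificate authority would be signed the same way.
func issueSelfSigned(signer crypto.Signer, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoProtectedKey runs the flow and returns how many signing operations the
// vault performed and whether the certificate verifies with the public key alone.
func DemoProtectedKey() (int, bool, error) {
	vault := newHSMVault()
	if err := vault.GenerateKey("tls-cert-key"); err != nil {
		return 0, false, err
	}
	signer := &hsmSigner{vault: vault, handle: "tls-cert-key"}
	cert, err := issueSelfSigned(signer, "example.internal") // constructed name
	if err != nil {
		return 0, false, err
	}
	ok := cert.CheckSignatureFrom(cert) == nil // verification needs no private key
	return vault.signOps, ok, nil
}

func main() {
	n, ok, err := DemoProtectedKey()
	fmt.Println("sign operations inside vault:", n, "certificate verifies:", ok, "error:", err)
}
```

To serve TLS with such a key, the `hsmSigner` goes into `tls.Certificate.PrivateKey`; the handshake then calls `Sign` per connection, which is the operation whose throughput the performance figures under Features describe.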
Oracle TDE integration
The encryption service integrates with Oracle Database to provide Transparent Data Encryption (TDE). TDE keeps the encryption key in a cryptographic machine outside the database and uses it to encrypt sensitive data in the data files, so the key is never stored alongside the data it protects.
Sensitive data encryption
In industries such as public services, e-commerce, and finance, encryption services can be integrated with applications to encrypt or store sensitive user data to meet security and compliance requirements.
Product advantages
Meet regulatory compliance requirements
The financial data cryptographic machine EVSM meets the requirements of "GM/T 0028-2014 Security Technical Requirements for Cryptographic Modules" and "GM/T 0045-2016 Technical Specifications for Financial Data Cryptographic Machines".
The general data cryptographic machine GVSM meets the requirements of "GM/T 0028-2014 Security Technical Requirements for Cryptographic Modules" and "GM/T 0030-2014 Technical Specifications for Server Cryptographic Machines".
The signature verification server SVSM meets the requirements of "GM/T 0028-2014 Security Technical Requirements for Cryptographic Modules" and "GM/T 0029-2014 Technical Specifications for Signature Verification Servers".
The universal cryptographic machine holds FIPS 140-2 Level 3 certification.
Rich industry standard interfaces and encryption algorithms
The encryption service supports a rich set of industry-standard interfaces and cryptographic algorithms. For example, in addition to the original financial business security requirements, EVSM has extended its support for the SM1, SM2, SM3 and SM4 national cryptographic algorithms in the financial field, and complies with application specifications such as PBOC 2.0, PBOC 3.0 and GP, as well as industry standards from the Ministry of Construction, the transportation sector and others.
Secure key management
Device management and key management permissions are separated. Alibaba Cloud can only manage the cryptographic machine hardware, which mainly means monitoring device availability metrics and activating the service. Keys are managed entirely by the customer, and Alibaba Cloud has no way to obtain a customer's keys.
Elastic expansion
When using encryption services, you can flexibly adjust the number of purchased cryptographic machines for deployment based on actual conditions, and use load balancing to meet different encryption and decryption operation requirements.
Cluster high availability
The encryption service supports cluster management functions. You can add multiple purchased cryptographic machines to a cluster to quickly increase the high availability of the cryptographic machines and reduce the risk of business interruption and core data loss.
Convenient cloud use
With the encryption service, you can deploy the purchased encryption machine in your designated VPC private network, manage and call it securely through the designated private IP address, and easily use it with the business on the cloud server.
Common terms
Cryptographic machine instance
A cryptographic machine instance is a resource created by virtualizing the hardware cryptographic module of a cryptographic machine. The instance carries the same compliance status as the hardware module, provides all functions of the encryption service, and can encrypt and decrypt data.
Identity authentication card
The identity authentication card (USB Key) is the unique identity credential for the encryption service and is used together with the cryptographic machine's client management tool to manage keys.
Features
Supported cryptographic machines
The cryptographic machine types supported by the encryption service are the financial data cryptographic machine EVSM (Electronic Virtual Security Module), the general data cryptographic machine GVSM (General Virtual Security Module), the signature verification server SVSM (Sign Virtual Security Module), and the universal cryptographic machine (FIPS). The algorithms, interface specifications and other details supported by each machine are as follows.
EVSM
Function description: EVSM meets the requirements of "GM/T 0028-2014 Security Technical Requirements for Cryptographic Modules" and "GM/T 0045-2016 Technical Specifications for Financial Data Cryptographic Machines". It supports financial business applications of the national cryptographic algorithms as well as IC card applications in other industries, and can be used in the financial payment field to protect financial data. EVSM provides cryptographic management functions including PIN encryption, PIN translation, MAC generation and verification, general data encryption and decryption, signature verification, and key management.
Interface specification:
  Compliant specifications: PBOC 2.0, PBOC 3.0, EMV2000, GP, TSM, eSIM and transit card
  Supported instruction sets: Racal-compatible financial HSM commands and financial IC card commands
Encryption algorithms:
  Symmetric: SM1, SM4, DES, 3DES, AES (128- and 256-bit keys)
  Asymmetric: SM2, RSA (2048 to 4096-bit key length), ECC (NIST P-192/P-256, SECP192/256, BrainpoolP256, FRP256, X25519)
  Digest: SM3, SHA-1, SHA-256, SHA-384, SHA-512
Performance reference:
  Data communication protocol: TCP/IP
  Maximum number of concurrent connections: 256
  Measured with a test data length of 32 bytes:
    SM1 encryption: 600 operations/second, response time 0.006 seconds
    SM2 key generation: 4,000 operations/second, response time 0.006 seconds
    SM2 signature: 3,000 operations/second, response time 0.008 seconds
    SM2 signature verification: 2,000 operations/second, response time 0.026 seconds
    RSA2048 key generation: 6 pairs/second, response time 8.605 seconds
    RSA2048 public key operation: 3,500 operations/second, response time 0.008 seconds
    RSA2048 private key operation: 400 operations/second, response time 0.018 seconds
    SM3 digest: 5,000 operations/second, response time 0.009 seconds
    SM4 encryption: 5,000 operations/second, response time 0.003 seconds
    AES128: 7,000 operations/second, response time 0.004 seconds
    AES256: 6,000 operations/second, response time 0.004 seconds
GVSM
Function description: GVSM meets the requirements of "GM/T 0028-2014 Security Technical Requirements for Cryptographic Modules" and "GM/T 0030-2014 Technical Specifications for Server Cryptographic Machines", provides internationally accepted cryptographic service interfaces, and supports PKI (Public Key Infrastructure) business applications of the national cryptographic algorithms. GVSM can provide cryptographic services and key management services to multiple application entities independently or in parallel.
Interface specification:
  GM/T 0018-2012 Cryptographic Device Application Interface Specification
  PKCS#11 interface specification
  SunJCE interface specification
  Microsoft Cryptography API: Next Generation (CNG)
Encryption algorithms:
  Symmetric: SM1, SM4, DES, 3DES, AES (128- and 256-bit keys)
  Asymmetric: SM2, RSA (2048 to 4096-bit key length), ECC (NIST P-256, BrainpoolP256, FRP256)
  Digest: SM3, SHA-1, SHA-256, SHA-384, SHA-512
Performance reference:
  Data communication protocol: TCP/IP
  Maximum number of concurrent connections: 64
  Measured with a test data length of 32 bytes:
    SM1 encryption: 600 operations/second, response time 0.006 seconds
    SM2 key generation: 4,000 operations/second, response time 0.006 seconds
    SM2 signature: 3,000 operations/second, response time 0.008 seconds
    SM2 signature verification: 2,000 operations/second, response time 0.026 seconds
    RSA2048 key generation: 6 pairs/second, response time 8.605 seconds
    RSA2048 public key operation: 3,500 operations/second, response time 0.008 seconds
    RSA2048 private key operation: 400 operations/second, response time 0.018 seconds
    SM3 digest: 5,000 operations/second, response time 0.009 seconds
    SM4 encryption: 5,000 operations/second, response time 0.003 seconds
    AES128: 7,000 operations/second, response time 0.004 seconds
    AES256: 6,000 operations/second, response time 0.004 seconds
SVSM
Function description: SVSM meets the requirements of "GM/T 0028-2014 Security Technical Requirements for Cryptographic Modules" and "GM/T 0029-2014 Technical Specifications for Signature Verification Servers" and provides computing functions based on the PKI system and digital certificates, including signature verification for XML, QR codes, barcodes, electronic signatures and timestamps, certificate parsing, and certificate chain verification. You can use SVSM in the following scenarios to ensure the authenticity, integrity and non-repudiation of business information:
  People's Bank of China second-generation payment system
  Internet platform payment and clearing
  UnionPay card-less payment service
  Customs cross-border e-commerce
Interface specification:
  PKCS#1 signature verification
  PKCS#7 signature verification
  PKCS#7 digital envelopes
Encryption algorithms:
  Symmetric: SM1, SM4, DES, 3DES, AES (128- and 256-bit keys)
  Asymmetric: SM2, RSA (2048 to 4096-bit key length), ECC
  Digest: SM3, SHA-1, SHA-256, SHA-384, SHA-512
Performance reference:
  Data communication protocols: TCP/IP, HTTP, HTTPS
  Maximum number of concurrent connections: 1,000
  Measured with a test data length of 256 bytes:
    SM2 PKCS#7 attached signature (with original text): 2,100 operations/second, response time 0.009 seconds
    SM2 PKCS#7 attached signature verification (with original text): 1,100 operations/second, response time 0.018 seconds
    SM2 PKCS#7 detached signature (without original text): 2,200 operations/second, response time 0.009 seconds
    SM2 PKCS#7 detached signature verification (without original text): 1,200 operations/second, response time 0.025 seconds
    SM2 PKCS#1 raw signature: 2,300 operations/second, response time 0.006 seconds
    SM2 PKCS#1 raw signature verification: 1,300 operations/second, response time 0.018 seconds
    RSA2048 PKCS#7 attached signature (with original text): 350 operations/second, response time 0.78 seconds
    RSA2048 PKCS#7 attached signature verification (with original text): 1,500 operations/second, response time 0.025 seconds
    RSA2048 PKCS#7 detached signature (without original text): 330 operations/second, response time 0.018 seconds
    RSA2048 PKCS#7 detached signature verification (without original text): 1,800 operations/second, response time 0.025 seconds
    RSA2048 PKCS#1 raw signature: 400 operations/second, response time 0.075 seconds
    RSA2048 PKCS#1 raw signature verification: 2,300 operations/second, response time 0.011 seconds
Universal cryptographic machine
Function description: The hardware and firmware of the universal cryptographic machine hold FIPS 140-2 Level 3 certification. Users can manage keys safely and reliably, and can use a variety of cryptographic algorithms to perform reliable encryption and decryption operations on data.
Interface specification: PKCS#11 interface specification
Encryption algorithms:
  Symmetric: DES, 3DES, AES (128-, 192- and 256-bit keys)
  Asymmetric: RSA (2048 to 4096-bit key length), ECC
  Digest: SHA-1, SHA-256, SHA-384, SHA-512
Performance reference:
  RSA2048 signature verification: 1,100 operations/second
  EC P-256 point multiplication: 315 operations/second
  AES256 full-duplex communication encryption rate: 300 Mbit/s
  RSA2048 key generation: 0.5 pairs/second
  Random number generation rate: 20 megabytes/second
Cluster service
The encryption service provides cluster management. A group of cryptographic machine instances in different availability zones of the same region that serve the same business can be associated and managed as one unit, giving business applications high availability, load balancing and horizontal scaling for cryptographic computation. A cluster consists of one master cryptographic machine instance and several non-master instances; the instances of a cluster within one availability zone share the same subnet.
Security audit
The encryption service supports security auditing. With the security audit service, key operation records of a cryptographic machine instance are automatically saved to OSS (Object Storage Service) and persisted in a defined audit log format to meet compliance and audit requirements. The audit log includes, but is not limited to, operations such as registering an administrator, adding a key, and exporting a key.
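Once those audit records land in OSS, the operational question is which of them a reviewer must look at first. The program below is an added example, not part of the page or of the encryption service: the page does not describe the audit log's actual format, so the JSON-lines shape of `auditRecord`, the action names (`RegisterAdmin`, `AddKey`, `ExportKey`, `Encrypt`) and the sample records in `sampleAuditLog` are all constructed for illustration and must be mapped onto the real fields when the logs are downloaded from OSS. It surfaces the two operations the page names that change who can reach key material (an administrator registration and a key export), counts every action, and refuses to silently drop lines it cannot parse.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// auditRecord is a constructed record shape. The real audit log format written
// to OSS is not described on the page; rename the json tags to match it.
type auditRecord struct {
	Time     string `json:"time"`
	Instance string `json:"instance"`
	Operator string `json:"operator"`
	Action   string `json:"action"`
	KeyLabel string `json:"key_label,omitempty"`
}

// sampleAuditLog is constructed test input, not output of the real service.
// The last line is deliberately malformed to exercise the error path.
const sampleAuditLog = `{"time":"2024-01-16T09:41:36Z","instance":"hsm-0001","operator":"admin-a","action":"RegisterAdmin"}
{"time":"2024-01-16T09:42:10Z","instance":"hsm-0001","operator":"admin-a","action":"AddKey","key_label":"db-tde-master"}
{"time":"2024-01-16T09:42:30Z","instance":"hsm-0001","operator":"app-svc","action":"Encrypt","key_label":"db-tde-master"}
{"time":"2024-01-16T11:05:02Z","instance":"hsm-0001","operator":"admin-b","action":"ExportKey","key_label":"db-tde-master"}
not json at all
`

// highRiskActions are the operations that move key material out of the
// cryptographic machine or change who is allowed to do so.
var highRiskActions = map[string]bool{"ExportKey": true, "RegisterAdmin": true}

// Alert is one record a reviewer should examine.
type Alert struct {
	Time, Instance, Operator, Action, KeyLabel string
}

// ScanAuditLog parses JSON-lines audit records and returns the high-risk
// alerts in log order, a count per action, and the number of lines that
// could not be parsed (a non-zero value means the log needs attention too).
func ScanAuditLog(log string) ([]Alert, map[string]int, int) {
	var alerts []Alert
	counts := map[string]int{}
	malformed := 0
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec auditRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			malformed++ // counted, never silently dropped
			continue
		}
		counts[rec.Action]++
		if highRiskActions[rec.Action] {
			alerts = append(alerts, Alert{rec.Time, rec.Instance, rec.Operator, rec.Action, rec.KeyLabel})
		}
	}
	return alerts, counts, malformed
}

func main() {
	alerts, counts, malformed := ScanAuditLog(sampleAuditLog)
	for _, a := range alerts {
		fmt.Printf("ALERT %s %s by %s on %s key=%q\n", a.Time, a.Action, a.Operator, a.Instance, a.KeyLabel)
	}
	fmt.Println("action counts:", counts, "malformed lines:", malformed)
}
```

In a real pipeline the same function would run over each object fetched from the OSS bucket, and the alert list would feed whatever ticketing or SIEM the team uses; the per-action counts give a baseline so that an unusual volume of a normally benign action can also be noticed.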