CN104035890A - Static random access memory based programmable gate array chip encryption method and system - Google Patents
Static random access memory based programmable gate array chip encryption method and system Download PDFInfo
- Publication number
- CN104035890A CN104035890A CN201410258908.2A CN201410258908A CN104035890A CN 104035890 A CN104035890 A CN 104035890A CN 201410258908 A CN201410258908 A CN 201410258908A CN 104035890 A CN104035890 A CN 104035890A
- Authority
- CN
- China
- Prior art keywords
- circuit
- authorization
- business function
- function circuit
- microprocessor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a static random access memory based programmable gate array chip encryption method and system. On the basis of an original encryption mode, corresponding authorization circuits are arranged for configured business function circuits, when one specific business function circuit is needed for working, the authorization circuit corresponding to the specific business function circuit sends a service request to a coprocessor according to functions of the business function circuit, the compressor generates a key seed, a microprocessor and the authorization circuit complete temporary enciphered data channel connection according to the key seed, the authorization circuit authorizes the corresponding business function circuit to work, and a processing result of the business function circuit is sent to the microprocessor via a data format, length and an encryption mode required by the microprocessor, thus dynamic encryption protection in the process of business processing is realized, and reliability of the system and difficulty in cracking are heightened.
Description
Technical field
The present invention relates to programmable gate array (FPGA) design field based on static RAM (SRAM), particularly a kind of programmable gate array chip encryption method and system based on static RAM.
Background technology
Field programmable gate array (Field-Programmable Gate Array, FPGA) is fast with himself speed, density is high, price is low and flexibly online scalable advantage just extensively used.FPGA process or the operation of sending into fpga chip of designing program is commonly referred to as to the configuration to fpga chip, and the FPGA through configuration, has the required function of user.Fpga chip in normal operation, its configuration data is stored in the programmed element SRAM (static RAM) of FPGA, volatibility due to SRAM, configuration information after power down in fpga chip will be lost, when so every subsystem powers on, all need fpga chip to reshuffle, this just makes by monitoring the configuration data stream of fpga chip, to clone design.
Conventionally the clone's means that adopt are to utilize certain circuit to sample to the data pin of configuration FPGA, utilize the configuration data of recording to be configured another piece fpga chip, and this has just realized the clone to FPGA internal configuration circuitry.
In order to tackle above-mentioned clone's design, two kinds of modes below normal employing in prior art:
One, built-in encryption chip form: deciphering module is set in fpga chip inside, there is the fpga chip of inner deciphering module when powering on, receive the configuration data of encrypting, after by deciphering module, the configuration data of encrypting being decrypted, the circuit in fpga chip is carried out to business function configuration; When utilizing aforementioned clone technology; although after configuration data stream being sampled by certain circuit; can obtain the configuration data stream of encrypting, but utilize the configuration data stream of encrypting not complete, other fpga chips be carried out to business function configuration, thereby fpga chip has been played to good protective effect.But adopt this kind of mode simple, practical, but it is high to encrypt cost, makes most of FPGA, particularly in, low-grade FPGA do not possess this type of encryption function.
Two, external encryption chip form: at fpga chip outer setting encryption chip, as shown in Figure 1, first, after powering on, fpga chip receives configuration data, and utilizes configuration data to be configured and to form business function circuit circuit, and make business function circuit in waiting status, do not work, in FPGA inside and peripheral hardware encryption chip, be provided with key module, and insert identical cryptographic algorithm, random number generation module in fpga chip generates random number after fpga chip receives configuration data stream, and random number is sent to the receiver module in encryption chip, key and random number that First ray encryption equipment in fpga chip provides according to key module are carried out computing, generate the comparer that the first check code is sent to fpga chip, the key that in encryption chip, the second sequential encryption device identical with First ray encryption equipment provides according to the key module in encryption chip simultaneously and the random number receiving are carried out computing, generate the second check code, and by the output circuit in encryption chip, be sent to the comparer of fpga chip, by comparer, compare first, the second check code, if the two is consistent, enable the circuit being configured in fpga chip, if inconsistent, do not enable the circuit being configured in fpga chip.Adopt this kind of mode, even if utilize existing clone technology to obtain configuration data, owing to can not receiving enabling signal, the fpga chip configuration circuit cisco unity malfunction that clone obtains, so makes fpga chip protected.
Although above-mentioned two kinds of modes all can play the protective effect to fpga chip to a certain extent, in above-mentioned two kinds of modes, key is only worked once, is easily cracked, and therefore also needs further to improve the protection effect of fpga chip.
Summary of the invention
In view of this, fundamental purpose of the present invention is to provide a kind of programmable gate array chip encryption method and system based on static RAM, to improve the encryption reliability of fpga chip.
For achieving the above object, the invention provides a kind of programmable gate array chip encryption method based on static RAM, comprising:
Initial configuration step:
External memory sends configuration data to fpga chip, and described configuration data comprises for the first configuration information of configuration service functional circuit with for configuring the second configuration information of the authorization circuit corresponding with business function circuit;
Described fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and makes described business function circuit in waiting status, and described authorization circuit is placed in to duty;
Business processing step:
When needs business function circuit carries out work, the authorization circuit corresponding with this business function circuit initiated services request to coprocessor;
Described coprocessor generates key seed according to described services request, and key seed is sent to described microprocessor and authorization circuit, and services request is sent to described microprocessor;
Described microprocessor generates authorization message according to described services request, and utilizes key seed to encrypt the authorized information ciphertext of described authorization message, and described authorization message ciphertext is sent to described authorization circuit;
Described authorization circuit is utilized key seed to decipher described authorization message ciphertext and is obtained after the plaintext of described authorization message, authorizes its corresponding business function circuit to enter duty.
Further, described the first configuration information comprises the Performance Level information of the business function circuit of its configuration, described the second configuration information comprises the corresponding different authorization circuit of the business function circuit of different stage, the corresponding informance of the authorization circuit that the business function circuit of same levels is corresponding identical.
Further, in business processing step, described services request comprises the Performance Level information of the business function circuit that authorization circuit is corresponding;
Unique key seed that described coprocessor is corresponding according to the Performance Level Information generation in described services request.
Further, described microprocessor generates authorization message according to described information on services, and utilizes key seed to encrypt the authorized information ciphertext of described authorization message, described authorization message ciphertext is sent to described authorization circuit and comprises:
Whether the key seed that micro-processor verification key seed and last time receive repeats, if repeat, do not process this services request, if do not repeat, according to information on services, generate authorization message, utilize key seed to be encrypted described authorization message, described authorization message ciphertext is sent to described authorization circuit; Described authorization message comprises data layout, length, the cipher mode of the result that authorization circuit provides.
Further, described authorization circuit is utilized key seed to decipher described authorization message ciphertext and is obtained after the plaintext of described authorization message, authorizes its corresponding business function circuit to enter duty and comprises:
Described authorization circuit is utilized key seed to decipher described authorization message ciphertext and is obtained after the plaintext of described authorization message, authorizes its corresponding business function circuit to enter duty;
Described business function circuit is started working, and data layout, length, cipher mode that the result of business function circuit is required according to microprocessor are sent to microprocessor.
Further, described authorization circuit requires result data layout, length, cipher mode according to described microprocessor are sent to after microprocessor, transmission business completes information to described microprocessor, and described microprocessor receives that business completes after information, empties data cached.
Further, described fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit be placed in to duty and comprise:
Described fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and makes described business function circuit and authorization circuit in waiting status;
Described fpga chip generates random number, generates the first check code, and random number is sent to peripheral hardware encryption chip according to the first built-in key and described random number; Described peripheral hardware encryption chip receives described random number, generates the second check code, and the second check code is sent to described fpga chip according to the second built-in key and described random number;
Described fpga chip is the first check code and the second check code relatively, when the two is consistent, described authorization circuit is placed in to duty.
Further, described fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit be placed in to duty and comprise:
Described configuration data is encrypted configuration data, described fpga chip is deciphered described encrypted configuration data, and circuit is configured, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit is placed in to duty.
The present invention also provides a kind of programmable gate array chip encryption system based on static RAM, comprises external memory, fpga chip, coprocessor and microprocessor;
Described external memory is for sending configuration data to fpga chip, and described configuration data comprises for the first configuration information of configuration service functional circuit with for configuring the second configuration information of the authorization circuit corresponding with functional circuit;
Described fpga chip comprises configuration module, described configuration module is for being configured circuit according to described configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit is placed in to duty;
When needs business function circuit carries out work, the authorization circuit corresponding with this business function circuit is for initiating services request to described coprocessor, and reception key seed and authorization message ciphertext, and after utilizing key seed decrypt authorized information acquisition authorization message expressly, authorize its corresponding business function circuit to enter duty;
Described coprocessor is used for generating key seed according to services request, and key seed is sent to microprocessor and described authorization circuit, and services request is sent to described microprocessor;
Described microprocessor is used for generating authorization message according to services request, and utilizes key seed to encrypt the authorized information ciphertext of described authorization message, and authorization message ciphertext is sent to authorization circuit.
Further, described the first configuration information comprises the Performance Level information of the business function circuit of its configuration, described the second configuration information comprises the corresponding different authorization circuit of the business function circuit of different stage, the corresponding informance of the authorization circuit that the business function circuit of same levels is corresponding identical.
Further, described services request comprises the Performance Level information of the business function circuit that authorization circuit is corresponding;
Described coprocessor is for the unique key seed corresponding according to the Performance Level Information generation of described services request.
Further, whether described microprocessor repeats for the key seed of authentication secret seed and reception last time, if repeat, according to information on services, generates authorization message, utilize key seed to be encrypted described authorization message, described authorization message ciphertext is sent to described authorization circuit; Described authorization message comprises data layout, length, the cipher mode of the result that authorization circuit provides.
Further, described authorization circuit is utilizing key seed decrypt authorized information acquisition authorization message expressly, and after authorizing its corresponding business function circuit to start working, also for data layout, length, the cipher mode that the result of business function circuit is required according to microprocessor, be sent to microprocessor.
Further, described authorization circuit is sent to after microprocessor for data layout, length, the cipher mode that result is required according to described microprocessor, and transmission business completes information to described microprocessor;
Described microprocessor is used for receiving that business completes after information, empties data cached.
Further, the described programmable gate array chip encryption system based on static RAM also comprises peripheral hardware encryption chip, and described peripheral hardware encryption chip comprises the second key unit and the second check code generation unit; The configuration module of described FPGA module comprises: dispensing unit, random number generation unit, the first key unit, the first check code generation unit and contrast unit;
Wherein, described dispensing unit, for circuit being configured according to described configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, makes described business function circuit and authorization circuit in waiting status;
Described random number generation unit is used for generating random number, and random number is sent to peripheral hardware encryption chip and the first check code generation unit;
Described the first key unit is built-in with the first key, and described the first check code generation unit is for generating the first check code according to built-in described the first key and described random number;
The second check code that described contrast unit sends for accepting described peripheral hardware encryption chip, relatively the first check code and the second check code, when the two is consistent, be placed in duty by described authorization circuit;
Described the second key unit is built-in with the second key, and described the second check code generation unit is used for generating the second check code according to built-in described the second key and described random number, and the second check code is sent to described contrast unit.
Further, the configuration module of described FPGA module comprises dispensing unit and decryption unit, and described configuration data is encrypted configuration data; Described decryption unit is for deciphering encrypted configuration data, described dispensing unit is for being configured circuit, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit is placed in to duty.
Adopt programmable gate array chip encryption method and the system based on static RAM provided by the invention, on the basis of original cipher mode, business function circuit to configuration arranges corresponding authorization circuit, when the concrete business function circuit of needs carries out work, according to the function of this business function circuit, by its corresponding authorization circuit, to coprocessor, send services request, coprocessor generates key seed, microprocessor completes interim enciphered data passage with authorization circuit according to key seed and is connected, its corresponding business function circuit working of authorization circuit mandate, and the data layout requiring with microprocessor, length, cipher mode is sent to microprocessor by the result of business function circuit, realized thus the dynamic encryption protection in business procession, the reliability of system and the difficulty being cracked have been increased.
Accompanying drawing explanation
Fig. 1 is prior art peripheral encryption chip encryption method schematic diagram;
Fig. 2 is the programmable gate array chip encryption method schematic flow sheet that the present invention is based on static RAM;
Fig. 3 a, 3b are the schematic flow sheet that the present invention is based on a kind of embodiment of programmable gate array chip encryption method of static RAM;
Fig. 4 is the programmable gate array chip encryption system structural representation based on static RAM corresponding to embodiment of the method shown in 3a, 3b;
Fig. 5 is the schematic flow sheet that the present invention is based on the another kind of embodiment of programmable gate array chip encryption method of static RAM;
Fig. 6 is the programmable gate array chip encryption system structural representation based on static RAM corresponding embodiment illustrated in fig. 5.
Embodiment
In order to make object of the present invention, technical scheme and advantage clearer, referring to the accompanying drawing embodiment that develops simultaneously, the present invention is described in further detail.
The invention provides a kind of programmable gate array chip encryption method based on static RAM, as shown in Figure 2, comprising:
Initial configuration step:
External memory sends configuration data to fpga chip, and described configuration data comprises for the first configuration information of configuration service functional circuit with for configuring the second configuration information of the authorization circuit corresponding with business function circuit;
Described fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and makes described business function circuit in waiting status, and described authorization circuit is placed in to duty;
Business processing step:
When needs business function circuit carries out work, the authorization circuit corresponding with this business function circuit initiated services request to coprocessor;
Described coprocessor generates key seed according to described services request, and key seed is sent to described microprocessor and authorization circuit, and services request is sent to microprocessor;
Described microprocessor generates authorization message according to described services request, and utilizes the authorized information ciphertext of key seed encryption authorization information, and authorization message ciphertext is sent to authorization circuit;
Authorization circuit is utilized after the plaintext of the authorized information of key seed decrypt authorized information ciphertext, authorizes its corresponding business function circuit to enter duty.
Below in conjunction with built-in encryption chip form and two kinds of modes of external encryption chip form, to the application, the programmable gate array chip encryption method based on static RAM is elaborated.
Embodiment mono-:
In the present embodiment, take in conjunction with external encryption chip form is example, describes the application's encryption method flow process in detail, specific as follows:
In the present embodiment, encryption method comprises:
Initial configuration step, as shown in Figure 3 a:
External memory sends configuration data to fpga chip, and configuration data comprises for the first configuration information of configuration service functional circuit with for configuring the second configuration information of the authorization circuit corresponding with business function circuit; Wherein, the first configuration information comprises the Performance Level information of the business function circuit of its configuration, the second configuration information comprises the corresponding different authorization circuit of the business function circuit of different stage, the corresponding informance of the authorization circuit that the business function circuit of same levels is corresponding identical.For example, the function that can realize according to business function circuit is in advance carried out classification, business function circuit is divided into basic business functional circuit, bottom business function circuit, high-level business functional circuit and core business functional circuit, the authorization circuit corresponding to business function circuit of different brackets, the authorization circuit corresponding to business function circuit of same levels;
Fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and makes business function circuit and authorization circuit in waiting status;
Fpga chip generates random number, generates the first check code, and random number is sent to peripheral hardware encryption chip according to the first built-in key and random number; Peripheral hardware encryption chip receives random number, generates the second check code, and the second check code is sent to fpga chip according to the second built-in key and random number;
Fpga chip is the first check code and the second check code relatively, when the two is consistent, authorization circuit is placed in to duty;
Business processing step, as shown in Figure 3 b:
When needs business function circuit carries out work, the authorization circuit corresponding with this business function circuit initiated services request to coprocessor; Services request comprises the Performance Level information of the business function circuit that authorization circuit is corresponding;
Coprocessor is according to the Performance Level Information generation key seed in services request, and key seed is sent to microprocessor and authorization circuit, and services request is sent to microprocessor; For key seed, can produce according to predefined mode, Performance Level according to above-mentioned division, can be for the Performance Level information of bottom business function circuit, coprocessor generates 128 key seed in AES encryption standard, Performance Level information for high-level business functional circuit, coprocessor generates 192 key seed in AES encryption standard, Performance Level information for core business functional circuit, coprocessor generates 256 key seed in AES encryption standard, and above-mentioned key seed is unique unduplicated key seed;
Microprocessor receives after key seed, whether the key seed first receiving authentication secret seed and last time repeats, if repeat, do not process this services request, if do not repeat, according to services request, generate authorization message, utilize key seed to be encrypted authorization message, authorization message ciphertext is sent to authorization circuit; In the present embodiment, authorization message comprises data layout, length, the cipher mode of the result that authorization circuit provides;
Authorization circuit is utilized after the plaintext of the authorized information of key seed decrypt authorized information ciphertext, authorizes its corresponding business function circuit to enter duty; Business function circuit is started working, and authorization circuit requires the result of business function circuit data layout, length, cipher mode according to microprocessor are sent to microprocessor.
In the present embodiment, preferred, the data layout, length, the cipher mode that result are required according to microprocessor in authorization circuit are sent to after microprocessor, and transmission business completes information to microprocessor; Microprocessor receives that business completes after information, empty data cached, to realize better protection effect.
The method flow above-mentioned according to the present embodiment, the formation that the present embodiment is corresponding a programmable gate array chip encryption system based on static RAM, as shown in Figure 4, comprising: external memory, fpga chip, peripheral hardware encryption chip, coprocessor and microprocessor;
Wherein, external memory is for sending configuration data to fpga chip, and configuration data comprises for the first configuration information of configuration service functional circuit with for configuring the second configuration information of the authorization circuit corresponding with functional circuit;
Fpga chip comprises configuration module, configuration module is for being configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and make business function circuit in waiting status, described authorization circuit is placed in to duty; Wherein, configuration module comprises dispensing unit, random number generation unit, the first key unit, the first check code generation unit and contrast unit; Peripheral hardware encryption chip comprises the second key unit and the second check code generation unit; Dispensing unit, for circuit being configured according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, makes business function circuit and authorization circuit in waiting status; Random number generation unit is used for generating random number, and random number is sent to peripheral hardware encryption chip and the first check code generation unit; The first key unit is built-in with the first key, and the first check code generation unit is for generating the first check code according to the first built-in key and random number; The second check code that contrast unit sends for accepting peripheral hardware encryption chip, relatively the first check code and the second check code, when the two is consistent, be placed in duty by authorization circuit; The second key unit is built-in with the second key, and the second check code generation unit is used for generating the second check code according to the second built-in key and random number, and the second check code is sent to contrast unit;
When needs business function circuit carries out work, the authorization circuit corresponding with this business function circuit is for initiating services request to coprocessor, and reception key seed and authorization message ciphertext, and after utilizing key seed decrypt authorized information acquisition authorization message expressly, authorize its corresponding business function circuit to enter duty; Also for data layout, length, the cipher mode that the result of business function circuit is required according to microprocessor, be sent to microprocessor, and the business that sends completes information to microprocessor;
Coprocessor is used for generating key seed according to services request, and key seed is sent to microprocessor and authorization circuit, and services request is sent to microprocessor;
Whether microprocessor repeats for the key seed of authentication secret seed and reception last time, if repeat, according to information on services, generate authorization message, utilize key seed to be encrypted authorization message, authorization message ciphertext is sent to authorization circuit, and authorization message comprises data layout, length, the cipher mode of the result that authorization circuit provides; And for receiving that business completes after information, empties data cached.
Identical with the above-mentioned encryption method of the present embodiment, the first configuration information comprises the Performance Level information of the business function circuit of its configuration, the second configuration information comprises the corresponding different authorization circuit of the business function circuit of different stage, the corresponding informance of the authorization circuit that the business function circuit of same levels is corresponding identical; Services request comprises the Performance Level information of the business function circuit that authorization circuit is corresponding; The key seed that coprocessor generates is the unique key seed corresponding according to the Performance Level Information generation in services request.
Embodiment bis-:
In the present embodiment, with the cipher mode in conjunction with the built-in deciphering module of FPGA, describe the application's encryption method flow process in detail.
As shown in Figure 5, in the present embodiment, encryption method comprises:
Initial configuration step:
External memory sends the configuration data of encrypting to fpga chip, configuration data comprises for the first configuration information of configuration service functional circuit with for configuring the second configuration information of the authorization circuit corresponding with business function circuit;
Fpga chip is by the configuration data of built-in deciphering module enabling decryption of encrypted, according to configuration data, circuit is configured, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, authorization circuit is placed in to duty;
Business processing step:
When needs business function circuit carries out work, the authorization circuit corresponding with this business function circuit initiated services request to coprocessor; Identical with embodiment mono-, services request comprises the Performance Level information of the business function circuit that authorization circuit is corresponding;
Coprocessor generates key seed according to services request, and key seed is sent to microprocessor and authorization circuit, and services request is sent to microprocessor, in the present embodiment, can be identical with embodiment mono-, key seed is according to the Performance Level Information generation in services request, Performance Level according to above-mentioned division, can be for the Performance Level information of bottom business function circuit, coprocessor generates 128 key seed in AES encryption standard, Performance Level information for high-level business functional circuit, coprocessor generates 192 key seed in AES encryption standard, Performance Level information for core business functional circuit, coprocessor generates 256 key seed in AES encryption standard, above-mentioned key seed is unique unduplicated key seed,
Microprocessor generates authorization message according to services request, and utilizes the authorized information ciphertext of key seed encryption authorization information, and authorization message ciphertext is sent to authorization circuit; In the present embodiment, identical with embodiment mono-, microprocessor need to first be verified the uniqueness of key seed, sends the authorization message ciphertext of being encrypted by key seed while being verified, and does not repeat them here;
Authorization circuit is utilized after the plaintext of the authorized information of key seed decrypt authorized information ciphertext, authorizes its corresponding business function circuit to enter duty.
It should be noted that, in the present embodiment, except initialization step and embodiment mono-distinct, business processing step details is consistent with embodiment mono-, does not repeat them here.
Method flow for the present embodiment, corresponding also provide a kind of programmable gate array chip encryption system based on static RAM, as shown in Figure 6, comprising: external memory, fpga chip, coprocessor and microprocessor, wherein fpga chip is built-in with deciphering module;
Wherein, external memory is for sending the configuration data of encrypting to fpga chip, and configuration data comprises for the first configuration information of configuration service functional circuit with for configuring the second configuration information of the authorization circuit corresponding with functional circuit;
Fpga chip comprises configuration module, and configuration module comprises dispensing unit and decryption unit; Decryption unit is for deciphering encrypted configuration data, dispensing unit is for being configured circuit, to form business function circuit and the authorization circuit corresponding with business function circuit, and make business function circuit in waiting status, authorization circuit is placed in to duty;
When needs business function circuit carries out work, the authorization circuit corresponding with this business function circuit is for initiating services request to coprocessor, and reception key seed and authorization message ciphertext, and after utilizing key seed decrypt authorized information acquisition authorization message expressly, authorize its corresponding business function circuit to enter duty; Also for data layout, length, the cipher mode that the result of business function circuit is required according to microprocessor, be sent to microprocessor, and the business that sends completes information to microprocessor;
Coprocessor is used for generating key seed according to services request, and key seed is sent to microprocessor and authorization circuit, and services request is sent to microprocessor;
Whether microprocessor repeats for the key seed of authentication secret seed and reception last time, if repeat, according to information on services, generate authorization message, utilize key seed to be encrypted authorization message, authorization message ciphertext is sent to authorization circuit, and authorization message comprises data layout, length, the cipher mode of the result that authorization circuit provides; And for receiving that business completes after information, empties data cached.
It should be noted that, business processing step in the present embodiment encryption method is identical with embodiment mono-, therefore, the functional specification in business processing step of the authorization circuit in the coprocessor in the encryption system that the present embodiment provides, microprocessor and fpga chip and business function circuit can, with reference to the encryption system in embodiment mono-, not repeat them here.
Adopt encryption method provided by the invention and system, on the basis of original cipher mode, business function circuit to configuration arranges corresponding authorization circuit, when the concrete business function circuit of needs carries out work, according to the function of this business function circuit, by its corresponding authorization circuit, to coprocessor, send services request, coprocessor generates key seed, microprocessor completes interim enciphered data passage with authorization circuit according to key seed and is connected, its corresponding business function circuit working of authorization circuit mandate, and the data layout requiring with microprocessor, length, cipher mode is sent to microprocessor by the result of business function circuit, realized thus the dynamic encryption protection in business procession, the reliability of system and the difficulty being cracked have been increased.
The foregoing is only preferred embodiment of the present invention, in order to limit the present invention, within the spirit and principles in the present invention not all, any modification of making, be equal to replacement, improvement etc., within all should being included in the scope of protection of the invention.
Claims (16)
1. the programmable gate array chip encryption method based on static RAM, is characterized in that, comprising:
Initial configuration step:
External memory sends configuration data to fpga chip, and described configuration data comprises for the first configuration information of configuration service functional circuit with for configuring the second configuration information of the authorization circuit corresponding with business function circuit;
Described fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and makes described business function circuit in waiting status, and described authorization circuit is placed in to duty;
Business processing step:
When needs business function circuit carries out work, the authorization circuit corresponding with this business function circuit initiated services request to coprocessor;
Described coprocessor generates key seed according to described services request, and key seed is sent to described microprocessor and authorization circuit, and services request is sent to described microprocessor;
Described microprocessor generates authorization message according to described services request, and utilizes key seed to encrypt the authorized information ciphertext of described authorization message, and described authorization message ciphertext is sent to described authorization circuit;
Described authorization circuit is utilized key seed to decipher described authorization message ciphertext and is obtained after the plaintext of described authorization message, authorizes its corresponding business function circuit to enter duty.
2. method according to claim 1, it is characterized in that, described the first configuration information comprises the Performance Level information of the business function circuit of its configuration, described the second configuration information comprises the corresponding different authorization circuit of the business function circuit of different stage, the corresponding informance of the authorization circuit that the business function circuit of same levels is corresponding identical.
3. method according to claim 2, is characterized in that, in business processing step, described services request comprises the Performance Level information of the business function circuit that authorization circuit is corresponding;
Unique key seed that described coprocessor is corresponding according to the Performance Level Information generation in described services request.
4. method according to claim 3, it is characterized in that, described microprocessor generates authorization message according to described information on services, and utilizes key seed to encrypt the authorized information ciphertext of described authorization message, described authorization message ciphertext is sent to described authorization circuit and comprises:
Whether the key seed that micro-processor verification key seed and last time receive repeats, if repeat, do not process this services request, if do not repeat, according to information on services, generate authorization message, utilize key seed to be encrypted described authorization message, described authorization message ciphertext is sent to described authorization circuit; Described authorization message comprises data layout, length, the cipher mode of the result that authorization circuit provides.
5. method according to claim 4, is characterized in that, described authorization circuit is utilized key seed to decipher described authorization message ciphertext and obtained after the plaintext of described authorization message, authorizes its corresponding business function circuit to enter duty and comprises:
Described authorization circuit is utilized key seed to decipher described authorization message ciphertext and is obtained after the plaintext of described authorization message, authorizes its corresponding business function circuit to enter duty;
Described business function circuit is started working, and data layout, length, cipher mode that the result of business function circuit is required according to microprocessor are sent to microprocessor.
6. method according to claim 5, it is characterized in that, described authorization circuit requires result data layout, length, cipher mode according to described microprocessor are sent to after microprocessor, transmission business completes information to described microprocessor, described microprocessor receives that business completes after information, empties data cached.
7. according to the method described in claim 1-6 any one, it is characterized in that, described fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit is placed in to duty and comprises:
Described fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and makes described business function circuit and authorization circuit in waiting status;
Described fpga chip generates random number, generates the first check code, and random number is sent to peripheral hardware encryption chip according to the first built-in key and described random number; Described peripheral hardware encryption chip receives described random number, generates the second check code, and the second check code is sent to described fpga chip according to the second built-in key and described random number;
Described fpga chip is the first check code and the second check code relatively, when the two is consistent, described authorization circuit is placed in to duty.
8. according to the method described in claim 1-6 any one, it is characterized in that, described fpga chip is configured circuit according to configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit is placed in to duty and comprises:
Described configuration data is encrypted configuration data, described fpga chip is deciphered described encrypted configuration data, and circuit is configured, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit is placed in to duty.
9. the programmable gate array chip encryption system based on static RAM, is characterized in that, comprises external memory, fpga chip, coprocessor and microprocessor;
Described external memory is for sending configuration data to fpga chip, and described configuration data comprises for the first configuration information of configuration service functional circuit with for configuring the second configuration information of the authorization circuit corresponding with functional circuit;
Described fpga chip comprises configuration module, described configuration module is for being configured circuit according to described configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit is placed in to duty;
When needs business function circuit carries out work, the authorization circuit corresponding with this business function circuit is for initiating services request to described coprocessor, and reception key seed and authorization message ciphertext, and after utilizing key seed decrypt authorized information acquisition authorization message expressly, authorize its corresponding business function circuit to enter duty;
Described coprocessor is used for generating key seed according to services request, and key seed is sent to microprocessor and described authorization circuit, and services request is sent to described microprocessor;
Described microprocessor is used for generating authorization message according to services request, and utilizes key seed to encrypt the authorized information ciphertext of described authorization message, and authorization message ciphertext is sent to authorization circuit.
10. system according to claim 9, it is characterized in that, described the first configuration information comprises the Performance Level information of the business function circuit of its configuration, described the second configuration information comprises the corresponding different authorization circuit of the business function circuit of different stage, the corresponding informance of the authorization circuit that the business function circuit of same levels is corresponding identical.
11. systems according to claim 10, is characterized in that, described services request comprises the Performance Level information of the business function circuit that authorization circuit is corresponding;
Described coprocessor is for the unique key seed corresponding according to the Performance Level Information generation of described services request.
12. systems according to claim 11, it is characterized in that, whether described microprocessor repeats for the key seed of authentication secret seed and reception last time, if repeat, according to information on services, generate authorization message, utilize key seed to be encrypted described authorization message, described authorization message ciphertext is sent to described authorization circuit; Described authorization message comprises data layout, length, the cipher mode of the result that authorization circuit provides.
13. systems according to claim 12, it is characterized in that, described authorization circuit is utilizing key seed decrypt authorized information acquisition authorization message expressly, and after authorizing its corresponding business function circuit to start working, also for data layout, length, the cipher mode that the result of business function circuit is required according to microprocessor, be sent to microprocessor.
14. systems according to claim 13, it is characterized in that, described authorization circuit is sent to after microprocessor for data layout, length, the cipher mode that result is required according to described microprocessor, and transmission business completes information to described microprocessor;
Described microprocessor is used for receiving that business completes after information, empties data cached.
15. according to the system described in claim 9-14 any one, it is characterized in that, also comprises peripheral hardware encryption chip, and described peripheral hardware encryption chip comprises the second key unit and the second check code generation unit; The configuration module of described FPGA module comprises: dispensing unit, random number generation unit, the first key unit, the first check code generation unit and contrast unit;
Wherein, described dispensing unit, for circuit being configured according to described configuration data, to form business function circuit and the authorization circuit corresponding with business function circuit, makes described business function circuit and authorization circuit in waiting status;
Described random number generation unit is used for generating random number, and random number is sent to peripheral hardware encryption chip and the first check code generation unit;
Described the first key unit is built-in with the first key, and described the first check code generation unit is for generating the first check code according to built-in described the first key and described random number;
The second check code that described contrast unit sends for accepting described peripheral hardware encryption chip, relatively the first check code and the second check code, when the two is consistent, be placed in duty by described authorization circuit;
Described the second key unit is built-in with the second key, and described the second check code generation unit is used for generating the second check code according to built-in described the second key and described random number, and the second check code is sent to described contrast unit.
16. according to the system described in claim 9-14 any one, it is characterized in that, the configuration module of described FPGA module comprises dispensing unit and decryption unit, and described configuration data is encrypted configuration data; Described decryption unit is for deciphering encrypted configuration data, described dispensing unit is for being configured circuit, to form business function circuit and the authorization circuit corresponding with business function circuit, and make described business function circuit in waiting status, described authorization circuit is placed in to duty.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410258908.2A CN104035890B (en) | 2014-06-11 | 2014-06-11 | Static random access memory based programmable gate array chip encryption method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410258908.2A CN104035890B (en) | 2014-06-11 | 2014-06-11 | Static random access memory based programmable gate array chip encryption method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104035890A true CN104035890A (en) | 2014-09-10 |
CN104035890B CN104035890B (en) | 2017-02-15 |
Family
ID=51466662
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410258908.2A Active CN104035890B (en) | 2014-06-11 | 2014-06-11 | Static random access memory based programmable gate array chip encryption method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104035890B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105897410A (en) * | 2014-12-08 | 2016-08-24 | 深圳市创成微电子有限公司 | Audio frequency chip spi communication encryption method |
CN108063664A (en) * | 2016-11-08 | 2018-05-22 | 霍尼韦尔国际公司 | Cryptographic key generation based on configuration |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2010117968A (en) * | 2008-11-14 | 2010-05-27 | National Institute Of Advanced Industrial Science & Technology | System and method for protecting logic program data of reconfigurable logic device |
CN101854243A (en) * | 2010-04-30 | 2010-10-06 | 株洲南车时代电气股份有限公司 | Circuit system design encryption circuit and encryption method thereof |
US20130332745A1 (en) * | 2010-08-23 | 2013-12-12 | Raytheon Company | Secure field-programmable gate array (fpga) architecture |
US20130346758A1 (en) * | 2012-06-20 | 2013-12-26 | Microsoft Corporation | Managing use of a field programmable gate array with isolated components |
CN103593622A (en) * | 2013-11-05 | 2014-02-19 | 浪潮集团有限公司 | FPGA-based design method of safe and trusted computer |
-
2014
- 2014-06-11 CN CN201410258908.2A patent/CN104035890B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2010117968A (en) * | 2008-11-14 | 2010-05-27 | National Institute Of Advanced Industrial Science & Technology | System and method for protecting logic program data of reconfigurable logic device |
CN101854243A (en) * | 2010-04-30 | 2010-10-06 | 株洲南车时代电气股份有限公司 | Circuit system design encryption circuit and encryption method thereof |
US20130332745A1 (en) * | 2010-08-23 | 2013-12-12 | Raytheon Company | Secure field-programmable gate array (fpga) architecture |
US20130346758A1 (en) * | 2012-06-20 | 2013-12-26 | Microsoft Corporation | Managing use of a field programmable gate array with isolated components |
CN103593622A (en) * | 2013-11-05 | 2014-02-19 | 浪潮集团有限公司 | FPGA-based design method of safe and trusted computer |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105897410A (en) * | 2014-12-08 | 2016-08-24 | 深圳市创成微电子有限公司 | Audio frequency chip spi communication encryption method |
CN108063664A (en) * | 2016-11-08 | 2018-05-22 | 霍尼韦尔国际公司 | Cryptographic key generation based on configuration |
Also Published As
Publication number | Publication date |
---|---|
CN104035890B (en) | 2017-02-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR102383829B1 (en) | Cryptographic method for securely exchanging messages and device and system for implementing this method | |
KR20060051957A (en) | Encrypted data distributing method, encryption device, decryption device, encryption program and decryption program | |
CN104902138B (en) | Encryption/deciphering system and its control method | |
CN102880836A (en) | Security device | |
CN106161444B (en) | Secure storage method of data and user equipment | |
CN112906070B (en) | Integrated circuit and IoT devices with block cipher side channel attack mitigation and related methods | |
US20150074760A1 (en) | System and Processing Method for Electronic Authentication Client, and System and Method for Electronic Authenication | |
CN105790927B (en) | A kind of bus graded encryption system | |
CN105447394B (en) | Intelligent password key with local data encryption function | |
CN104038340A (en) | Device for generating an encrypted key and method for providing an encrypted key to a receiver | |
CN106101150B (en) | The method and system of Encryption Algorithm | |
CN103455446A (en) | Device for carrying out a cryptographic method, and operating method for same | |
KR101608815B1 (en) | Method and system for providing service encryption in closed type network | |
CN110855616B (en) | Digital key generation system | |
JP2006333095A5 (en) | ||
CN102598575B (en) | Method and system for the accelerated decryption of cryptographically protected user data units | |
TWI615731B (en) | Method of bus protection with improved key entropy and electronic device using the same | |
CN101539977B (en) | Method for protecting computer software | |
CN105208028A (en) | Data transmission method and related device and equipment | |
CN105262586B (en) | The method for distributing key and device of automobile burglar equipment | |
US9537655B2 (en) | Random number generating device, cipher processing device, storage device, and information processing system | |
CN114793184B (en) | Security chip communication method and device based on third-party key management node | |
CN110198320B (en) | Encrypted information transmission method and system | |
CN104035890A (en) | Static random access memory based programmable gate array chip encryption method and system | |
CN106295372B (en) | A kind of encryption Hub device realized based on EMMC interface |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
PE01 | Entry into force of the registration of the contract for pledge of patent right | ||
PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: A Programmable Gate Array Chip Encryption Method and System Based on Static Random Access Memory Effective date of registration: 20230417 Granted publication date: 20170215 Pledgee: Lishui branch of Bank of Hangzhou Co.,Ltd. Pledgor: LISHUI BOYUAN TECHNOLOGY Co.,Ltd. Registration number: Y2023980038020 |