[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN108256346A - Guard method, encipherment protection device and the embedded system device of critical data - Google Patents

Guard method, encipherment protection device and the embedded system device of critical data Download PDF

Info

Publication number
CN108256346A
CN108256346A CN201611240729.1A CN201611240729A CN108256346A CN 108256346 A CN108256346 A CN 108256346A CN 201611240729 A CN201611240729 A CN 201611240729A CN 108256346 A CN108256346 A CN 108256346A
Authority
CN
China
Prior art keywords
code
decryption code
encrypted
data
decryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611240729.1A
Other languages
Chinese (zh)
Other versions
CN108256346B (en
Inventor
吴燕静
王茂义
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd, China Mobile Hangzhou Information Technology Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201611240729.1A priority Critical patent/CN108256346B/en
Publication of CN108256346A publication Critical patent/CN108256346A/en
Application granted granted Critical
Publication of CN108256346B publication Critical patent/CN108256346B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of guard method of critical data, including:Obtain the public key that embedded system device is shared;Critical data to be protected is encrypted according to the first encrypted code, obtains ciphertext data, and the first decrypted code is obtained according to first encrypted code;First decrypted code is used to decrypt the ciphertext data;First decrypted code is encrypted according to the public key and the second encrypted code, obtains encrypted first decrypted code, and the second decrypted code is obtained according to second encrypted code;Second decrypted code is used to decrypt encrypted first decrypted code;The ciphertext data, encrypted first decrypted code and second decrypted code are sent to the embedded system device;The present invention also discloses the protection systems of a kind of encipherment protection device, embedded system device and critical data.

Description

Key data protection method, encryption protection device and embedded system device
Technical Field
The invention relates to the field of data security of embedded systems, in particular to a key data protection method, an encryption protection device and an embedded system device.
Background
With the development of informatization, intellectualization and networking, an embedded system is widely applied to various aspects of the society such as families, industry, business, offices, medical treatment and the like due to the advantages of simple operation, small volume, low power consumption, high reliability, good portability and the like, and occupies an increasingly important position; it is also important to protect critical data in embedded systems.
At present, a method for protecting key data in an embedded system mainly includes: a method for using Flash Memory Flash as a configuration data Memory or storing configuration data in Flash blocks, a method for establishing a Flash NAND Flash embedded File System (YAFFS 2) in an embedded System and partitioning the NAND Flash, a method for using a Static Random Access Memory (SRAM) as a System Memory to store data and using a battery for backup, and a method for using a Dynamic Random Access Memory (DRAM) as a System Memory to store data and using a nonvolatile Memory as a permanent data storage medium; when the methods are used for protecting the key data in the embedded system, the encryption and decryption codes are easy to reverse crack, so that the key data are easy to obtain, and the safety is low.
Disclosure of Invention
In view of this, embodiments of the present invention are expected to provide a method for protecting key data, an encryption protection apparatus, and an embedded system apparatus, so as to protect key data in an embedded system and improve data security.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
the invention provides a method for protecting key data, which comprises the following steps:
acquiring a public key shared by an embedded system device;
encrypting key data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data;
encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code;
and sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
In the above scheme, the second encrypted code is an asymmetric encrypted code;
the acquiring the public key shared by the embedded system device comprises the following steps:
acquiring the public key shared by the embedded system device through a serial port;
the sending the ciphertext data, the encrypted first decryption code, and the second decryption code to the embedded system device includes:
and burning the ciphertext data, the encrypted first decryption code and the second decryption code into a Flash memory Flash of the embedded system device.
The invention provides a method for protecting key data, which comprises the following steps:
generating a private key according to the inherent characteristic identifier of the private key, and deriving a corresponding public key from the private key by using an asymmetric key generation method;
sharing the public key to an encryption protection device;
the encrypted data sent by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code are stored; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used for decrypting the ciphertext data.
In the above scheme, after the ciphertext data sent by the encryption protection apparatus, the encrypted first decryption code, and the second decryption code are stored, the method further includes:
decrypting the ciphertext data in the memory to obtain key data to be protected;
after the key data to be protected are obtained, performing emptying operation;
the decrypting the ciphertext data in the memory to obtain the key data to be protected includes:
calling an Application Programming Interface (API) function in a memory to dynamically acquire the private key;
decrypting the encrypted first decryption code according to the private key and the second decryption code to obtain a first decryption code;
and carrying out decryption operation on the ciphertext data by using the first decryption code to obtain the key data to be protected.
In the foregoing solution, the generating a private key according to its own unique feature identifier includes:
generating a private key by utilizing a Hash algorithm according to the inherent characteristic identifier of the private key; wherein the inherent feature identifier comprises: supplier identity identifier (Vendor ID) and Serial Number (SN);
the sharing the public key to the encryption protection device includes:
sharing the public key to the encryption protection device through a serial port;
the storing of the ciphertext data sent by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code includes:
and storing the ciphertext data burned by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code in a Flash memory Flash.
The invention provides an encryption protection device, comprising:
the acquisition module is used for acquiring a public key shared by the embedded system device;
the first encryption module is used for encrypting the key data to be protected according to a first encryption code to obtain ciphertext data and obtaining a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data;
the second encryption module is used for encrypting the first decryption code according to the public key and the second encryption code to obtain an encrypted first decryption code and obtaining a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code;
and the sending module is used for sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
In the above scheme, the second encrypted code is an asymmetric encrypted code;
the obtaining module is specifically configured to obtain the public key shared by the embedded system device through a serial port;
the sending module is specifically configured to burn the ciphertext data, the encrypted first decryption code, and the second decryption code into a Flash memory Flash of the embedded system device.
The invention provides an embedded system device, comprising:
the generating module is used for generating a private key according to the inherent characteristic identifier of the generating module and deriving a corresponding public key from the private key by using an asymmetric key generating method;
the sharing module is used for sharing the public key to the encryption protection device;
the storage module is used for storing the ciphertext data sent by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used for decrypting the ciphertext data.
In the above scheme, the apparatus further comprises:
the decryption module is used for decrypting the ciphertext data in the memory to obtain key data to be protected;
the clearing module is used for executing clearing operation after the key data to be protected are obtained;
the decryption module is specifically configured to:
calling an Application Programming Interface (API) function in a memory to dynamically acquire the private key;
decrypting the encrypted first decryption code according to the private key and the second decryption code to obtain a first decryption code;
and carrying out decryption operation on the ciphertext data by using the first decryption code to obtain the key data to be protected.
In the above scheme, the generating module is specifically configured to generate a private key according to the inherent characteristic identifier of the generating module by using a hash algorithm; wherein the inherent feature identifier comprises: supplier identity identifier (Vendor ID) and Serial Number (SN);
the sharing module is specifically configured to share the public key to the encryption protection device through a serial port;
the storage module is specifically configured to store the ciphertext data burned by the encryption protection device, the encrypted first decryption code, and the encrypted second decryption code in a Flash memory Flash.
The invention provides a key data protection system, which is characterized by comprising an encryption protection device in the scheme and an embedded system device in the scheme.
According to the key data protection method, the encryption protection device and the embedded system device provided by the embodiment of the invention, the public key shared by the embedded system device is obtained; encrypting key data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data; encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code; sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device; the method realizes the protection of the key data in the embedded system and improves the safety of the data.
Drawings
FIG. 1 is a flowchart of a first embodiment of a method for protecting critical data according to the present invention;
FIG. 2 is a flowchart of a second embodiment of a method for protecting critical data according to the present invention;
FIG. 3 is a flowchart of a third embodiment of a method for protecting critical data according to the present invention;
FIG. 4 is a schematic diagram illustrating a generation manner of a key pair in the method for protecting key data according to the present invention;
FIG. 5 is a schematic diagram of an embodiment of a method for protecting key data according to the present invention, in which a PC encryption protection platform performs an encryption operation on key data to be protected and a data decryption code;
FIG. 6 is a schematic diagram illustrating the storage of data and code in an embedded system device according to an embodiment of the method for protecting critical data of the present invention;
FIG. 7 is a diagram illustrating a decryption operation performed on encrypted data decryption codes and ciphertext data in an embedded system device memory according to an embodiment of the method for protecting critical data of the present invention;
FIG. 8 is a schematic structural diagram of an embodiment of an encryption protection apparatus according to the present invention;
FIG. 9 is a schematic diagram of an embedded system device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an embodiment of a system for protecting critical data according to the present invention.
Detailed Description
The technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention.
Example one
FIG. 1 is a flowchart of a first embodiment of a method for protecting critical data according to the present invention; as shown in fig. 1, the method for protecting critical data provided in the embodiment of the present invention is applied to an encryption protection device, and may include the following steps:
step 101: and acquiring a public key shared by the embedded system device.
The encryption protection device is connected with the embedded system device through a serial port to obtain the public key shared by the embedded system device.
Step 102: encrypting key data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data.
After the encryption protection device acquires a public key shared by an embedded system device, firstly, encrypting key data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; wherein the first decryption code is used to decrypt the ciphertext data.
For example, the encryption protection device is a Personal Computer (PC) encryption protection platform, and after acquiring a public key shared by the embedded system device, the PC encryption protection platform performs an encryption operation on key data to be protected through a first encryption code to obtain ciphertext data; meanwhile, a first decryption code for decrypting the ciphertext data is obtained from the first encryption code.
Step 103: encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code.
The encryption protection device which acquires the public key encrypts the key data to be protected to obtain ciphertext data, and after a first decryption code is obtained according to the first encryption code, the encryption protection device encrypts the obtained first decryption code according to the acquired public key and a second encryption code to obtain an encrypted first decryption code; meanwhile, a second decryption code is obtained from the second encryption code; the obtained second decryption code is used for decrypting the encrypted first decryption code; the second encryption code is an asymmetric encryption code.
For example, the PC encryption protection platform that acquires the public key performs an encryption operation on a first decryption code for decrypting ciphertext data according to the public key and the asymmetric encryption code to obtain an encrypted first decryption code, and determines a second decryption code from the asymmetric encryption code, where the second decryption code is used to decrypt the encrypted first decryption code.
Step 104: and sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
After acquiring the ciphertext data, the encrypted first decryption code and the encrypted second decryption code, the encryption protection device burns the acquired ciphertext data, the encrypted first decryption code and the encrypted second decryption code into a Flash memory Flash of the embedded system device through a serial port, and stores the acquired ciphertext data, the encrypted first decryption code and the encrypted second decryption code into the Flash memory Flash of the embedded system device.
In the method for protecting key data provided by the embodiment of the invention, the encryption protection device obtains a public key shared by the embedded system device; encrypting key data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data; encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code; sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device; the key data to be protected are encrypted, the first decryption code for decrypting the ciphertext data is encrypted and protected, double protection of the key data in the embedded system is achieved, the key data are more difficult to crack, and the data security is improved.
Example two
FIG. 2 is a flowchart of a second embodiment of a method for protecting critical data according to the present invention; as shown in fig. 2, the method for protecting critical data provided by the embodiment of the present invention is applied to an embedded system device, and may include the following steps:
step 201: and generating a private key according to the inherent characteristic identifier of the private key, and deriving a corresponding public key from the private key by using an asymmetric key generation method.
The embedded system device generates a private key by using a specific algorithm, such as a Hash algorithm, according to its own inherent characteristic identifier, such as Vendor identity (Vendor ID), Serial Number (SN), etc., and derives a corresponding public key from the private key by using an asymmetric key generation method.
For example, the embedded system device calculates a value as a private key by using a Hash algorithm according to its own inherent SN, and derives a corresponding public key from the private key by using an asymmetric key generation method.
Step 202: and sharing the public key to the encryption protection device.
After the embedded system device generates the private key and the corresponding public key, the generated public key is shared to the encryption protection device through the serial port, so that the encryption protection device can encrypt the decryption code for decrypting the ciphertext data according to the public key.
Step 203: the encrypted data sent by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code are stored; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used for decrypting the ciphertext data.
After sharing the public key to the encryption protection device, the embedded system device stores the ciphertext data, the encrypted first decryption code and the second decryption code which are burned by the encryption protection device in Flash; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.
After the embedded system device stores the ciphertext data, the encrypted first decryption code and the encrypted second decryption code, which are burned by the encryption protection device, in Flash, in order to obtain the key data to be protected, the ciphertext data needs to be decrypted in a memory, and after the key data to be protected is obtained and used up, an emptying operation is executed.
Specifically, when the embedded system device needs to decrypt ciphertext data, an Application Programming Interface (API) function is first called in a memory to dynamically obtain a private key generated according to an inherent characteristic identifier of the embedded system device, and then the encrypted first decryption code is decrypted according to the private key and a second decryption code to obtain a first decryption code; then, the obtained first decryption code is used for carrying out decryption operation on the ciphertext data to obtain key data to be protected; and after the key data to be protected is obtained and the data is used up, the clear operation is executed, so that the decryption operation of the ciphertext data is realized.
In the method for protecting key data provided by the embodiment of the invention, an embedded system device generates a private key according to an inherent characteristic identifier of the embedded system device, and derives a corresponding public key from the private key by using an asymmetric key generation method; sharing the public key to an encryption protection device; the encrypted data sent by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code are stored; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used for decrypting the ciphertext data; the method and the device realize the protection of the key data in the embedded system, store the first decryption code for decrypting the ciphertext data in a form of ciphertext in Flash, make the difficulty of decrypting the key data higher and improve the safety of the data.
EXAMPLE III
FIG. 3 is a flowchart of a third embodiment of a method for protecting critical data according to the present invention; the method is applied to interaction between an encryption protection device and an embedded system device, wherein the encryption protection device is a PC encryption protection platform, the PC encryption protection platform and the embedded system device are mutually independent, and data interaction is carried out between the PC encryption protection platform and the embedded system device through a serial port; the first encryption Code in this embodiment is a data encryption Code, and is represented by Code; the key Data to be protected is represented by Data, and the ciphertext Data is represented by EData; the first decryption code is a data decryption code and is expressed by DCode; the second encryption code is an asymmetric encryption code and is represented by EC; the encrypted data decryption code is represented by EDcode; the second decryption code is a decryption code for decrypting the EDCode, called decryption code, denoted by DEC; as shown in fig. 3, the method for protecting critical data according to the embodiment of the present invention may include the following steps:
step 301: the embedded system device generates a private key Skey according to the inherent characteristic identifier of the embedded system device, and derives the private key Skey to obtain a corresponding public key Pkey by using an asymmetric key generation method.
Each embedded system device has some software and hardware identifiers different from other devices, such as supplier ID, SN, etc., and the embedded system device first generates a private key by using a specific algorithm, such as Hash algorithm, according to its own inherent characteristic identifiers, and derives a corresponding public key from the private key by using an asymmetric key generation method.
FIG. 4 is a schematic diagram illustrating a generation manner of a key pair in the method for protecting key data according to the present invention; as shown in fig. 4, in the embedded system device, the operating system calculates a value as a private key Skey in the asymmetric encryption algorithm by using an inherent characteristic identifier of the embedded system device through a specific algorithm, such as a Hash algorithm; and then obtaining a public key Pkey corresponding to the Skey according to the asymmetric key generation method to complete the generation of the key pair (namely the Skey and the Pkey).
Step 302: the embedded system device shares the public key Pkey to the PC encryption protection platform.
The embedded system device generates a private key Skey by using the inherent characteristic identifier of the embedded system device, derives a public key Pkey, and then is connected with the PC encryption protection platform through a serial port, the generated Pkey is shared to the PC encryption protection platform, and the generated Skey is directly stored in the embedded system device.
Step 303: the PC encryption protection platform encrypts the key Data to be protected according to the Data encryption Code to obtain ciphertext Data EData, and obtains a Data decryption Code DCode according to the Data encryption Code.
The PC encryption protection platform acquiring the Pkey firstly carries out encryption operation on key Data needing to be protected according to a Data encryption Code (a first encryption Code) to obtain key Data to be protected in a ciphertext form, namely ciphertext Data EData; meanwhile, the PC encryption protection platform determines a data decryption Code DCode (first decryption Code) for decrypting EData according to the data encryption Code.
Step 304: and the PC encryption protection platform encrypts the data decryption code DCode according to the public key Pkey and the asymmetric encryption code EC to obtain an encrypted data decryption code EDcode, and obtains a decryption code DEC according to the asymmetric encryption code EC.
The PC encryption protection platform obtaining the Pkey uses the Pkey and carries out encryption operation on a data decryption code DCode (first decryption code) according to an asymmetric encryption algorithm and an asymmetric encryption code EC (second encryption code) to obtain an encrypted data decryption code EDcode; meanwhile, the PC encryption protection platform obtains a decryption code DEC (second decryption code) for decrypting the EDCode from the asymmetric encryption code EC.
FIG. 5 is a schematic diagram of an embodiment of a method for protecting key data according to the present invention, in which a PC encryption protection platform performs an encryption operation on key data to be protected and a data decryption code; as shown in fig. 5, on the encryption protection platform of the PC, firstly, the key Data to be protected, i.e. the key Data to be protected, is encrypted by the Data encryption Code to obtain Data in the form of a ciphertext, i.e. ciphertext Data EData; after key Data to be protected are encrypted, a PC encryption protection platform obtaining a public key Pkey uses the key, and encrypts a Data decryption code DCode by using a selected asymmetric encryption code EC to obtain an encrypted Data decryption code EDcode, namely, encrypts the Data decryption code DCode by using a selected asymmetric encryption algorithm, such as an RSA encryption algorithm, an Elgamal algorithm, a knapsack algorithm and the like; and the decryption code corresponding to the asymmetric encryption code EC is DEC.
Step 305: and the PC encryption protection platform burns the obtained ciphertext data EData, the encrypted data decryption code EDCode and the decryption code DEC into Flash of the embedded system device.
After the encryption protection platform of the PC performs encryption operation on key Data to be protected and the Data decryption code DCode to obtain ciphertext Data EData, encrypted Data decryption code EDCode and decryption code DEC, the ciphertext Data EData, the encrypted Data decryption code EDCode and the decryption code DEC are burned into Flash of the embedded system device through the serial port and stored.
Step 306: the embedded system device calls an API function in the memory to dynamically acquire the private key Skey.
After the PC encryption protection platform burns the ciphertext Data EData, the encrypted Data decryption code EDCode, and the decryption code DEC into the embedded system device, in order to obtain the original key Data, that is, to obtain the key Data to be protected, the embedded system device first needs to call an API function in a memory to dynamically obtain the private key Skey stored in the embedded system device.
Step 307: and the embedded system device decrypts the encrypted data decryption code EDcode according to the private key Skey and the decryption code DEC to obtain the data decryption code DCode.
After obtaining the private key Skey, the embedded system device calls the decryption code DEC from the memory and decrypts the encrypted data decryption code EDCode with the private key Skey to obtain the data decryption code DCode before encryption.
Step 308: the embedded system device utilizes the Data decryption code DCode to decrypt the ciphertext Data EData to obtain the key Data to be protected.
After the embedded system device obtains the Data decryption code DCode, the embedded system device calls the ciphertext Data EData in the memory, and decrypts the ciphertext Data EData by using the Data decryption code DCode to obtain the key Data to be protected.
Step 309: the embedded system device performs a flush operation.
After obtaining the key Data to be protected, the embedded system device immediately executes the clearing operation after using up the Data in the memory, and does not reserve the Data.
FIG. 6 is a schematic diagram illustrating the storage of data and code in an embedded system device according to an embodiment of the method for protecting critical data of the present invention; as shown in fig. 6, the embedded system device has two storage media, i.e., a memory and a Flash storage medium, and the memory in the embedded system device can be used as a storage medium of a file system, and it cannot keep original data unchanged under the condition of power failure, so the file system based on the memory can only be a temporary file system for storing temporary files; the advantages of the memory are that only the dynamic change in the memory exists, and the system is restarted without generating garbage; flash is also the most common file system storage medium in embedded system devices, and different from a memory, the Flash can keep files from being lost when power is off; therefore, in the present invention, the ciphertext data EData, the encrypted data decryption code EDCode, and the decryption code DEC are all stored in Flash, and when the code and the data are decrypted, the operation is completed in the memory, and the clear operation is performed immediately after the operation is completed.
FIG. 7 is a diagram illustrating a decryption operation performed on encrypted data decryption codes and ciphertext data in an embedded system device memory according to an embodiment of the method for protecting critical data of the present invention; as shown in fig. 7, to obtain original key Data, that is, key Data to be protected, first, an API function is called in a memory to obtain a private key Skey; then calling a decryption code DEC and carrying out decryption operation on the encrypted data decryption code EDcode according to the obtained private key Skey to obtain a data decryption code before encryption, namely obtaining a DCode; then, carrying out decryption operation on the ciphertext Data EData by calling a Data decryption code DCode in the memory to obtain plaintext Data, namely key Data to be protected; after the key Data to be protected are used up, the memory is emptied and the Data is not reserved.
In the process, the PC encryption protection platform not only carries out encryption protection on key data to be protected, but also carries out asymmetric encryption operation on data decryption codes (namely DCode) for decrypting ciphertext data, so that the data decryption codes are stored in Flash in a ciphertext mode; meanwhile, the private key generation method used by the asymmetric encryption operation is directly generated in the embedded system device by the specific software and hardware identifier according to a certain algorithm, and only when the ciphertext data needs to be decrypted in the memory of the embedded system device, the dynamic acquisition is realized from the embedded system device by calling the related API function; therefore, for an attacker, it is not easy to obtain the value of the private key, the security and the confidentiality of the key are high, and the difficulty of cracking the key data is increased.
According to the method for protecting the key data, the embedded system device generates the private key Skey according to the inherent characteristic identifier of the embedded system device, and the asymmetric key generation method is utilized to derive the corresponding public key Pkey from the private key Skey; the embedded system device shares the public key Pkey to the PC encryption protection platform; the PC encryption protection platform encrypts key Data to be protected according to the Data encryption Code to obtain ciphertext Data EData and a Data decryption Code DCode; the PC encryption protection platform encrypts the data decryption code DCode according to the public key Pkey and the asymmetric encryption code EC to obtain an encrypted data decryption code EDCode and a decryption code DEC; the PC encryption protection platform burns the obtained ciphertext data EData, the encrypted data decryption code EDCode and the decryption code DEC into Flash of the embedded system device; calling an API function in a memory by the embedded system device to dynamically acquire a private key Skey; the embedded system device decrypts the encrypted data decryption code EDcode according to the private key Skey and the decryption code DEC to obtain a data decryption code DCode; the embedded system device utilizes the Data decryption code DCode to decrypt the ciphertext Data EData to obtain key Data to be protected; the embedded system device executes the emptying operation; the key data to be protected are encrypted, the data decryption codes for decrypting the ciphertext data are encrypted, double encryption protection of the data is achieved through a software mode, the safety of the data is improved, and the implementation cost is lower than that of hardware implementation.
Example four
FIG. 8 is a schematic structural diagram of an embodiment of an encryption protection apparatus according to the present invention; as shown in fig. 8, the encryption protection apparatus 08 according to the embodiment of the present invention includes: an acquisition module 81, a first encryption module 82, a second encryption module 83, and a sending module 84; wherein,
the obtaining module 81 is configured to obtain a public key shared by the embedded system device;
the first encryption module 82 is configured to encrypt the key data to be protected according to a first encryption code to obtain ciphertext data, and obtain a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data;
the second encryption module 83 is configured to encrypt the first decryption code according to the public key and the second encryption code to obtain an encrypted first decryption code, and obtain a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code;
the sending module 84 is configured to send the ciphertext data, the encrypted first decryption code, and the second decryption code to the embedded system device.
Further, the second encrypted code is an asymmetric encrypted code;
the obtaining module 81 is specifically configured to obtain the public key shared by the embedded system device through a serial port;
the sending module 84 is specifically configured to burn the ciphertext data, the encrypted first decryption code, and the second decryption code into a Flash memory Flash of the embedded system device.
The encryption protection apparatus of this embodiment may be configured to implement the technical solutions of the above-described method embodiments, and the implementation principles and technical effects are similar, which are not described herein again.
In practical applications, the obtaining module 81, the first encryption module 82, the second encryption module 83, and the sending module 84 of the encryption protection device 08 may be implemented by a Central Processing Unit (CPU), a microprocessor Unit (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like in the encryption protection device 08.
EXAMPLE five
FIG. 9 is a schematic diagram of an embedded system device according to an embodiment of the present invention; as shown in fig. 9, an embedded system device 09 provided in an embodiment of the present invention includes: a generating module 91, a sharing module 92 and a storage module 93; wherein,
the generating module 91 is configured to generate a private key according to the inherent characteristic identifier of the private key, and derive the private key from a corresponding public key by using an asymmetric key generating method;
the sharing module 92 is configured to share the public key with an encryption protection device;
the storage module 93 is configured to store the ciphertext data sent by the encryption protection apparatus, the encrypted first decryption code, and the encrypted second decryption code; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used for decrypting the ciphertext data.
Further, the apparatus 09 further includes: a decryption module 94 and an emptying module 95; wherein,
the decryption module 94 is configured to decrypt the ciphertext data in the memory to obtain key data to be protected;
the clearing module 95 is configured to execute clearing operation after obtaining the key data to be protected;
the decryption module 94 is specifically configured to:
calling an Application Programming Interface (API) function in a memory to dynamically acquire the private key;
decrypting the encrypted first decryption code according to the private key and the second decryption code to obtain a first decryption code;
and carrying out decryption operation on the ciphertext data by using the first decryption code to obtain the key data to be protected.
Further, the generating module 91 is specifically configured to generate a private key according to the inherent characteristic identifier of the private key by using a hash algorithm; wherein the inherent feature identifier comprises: supplier identity identifier (Vendor ID) and Serial Number (SN);
the sharing module 92 is specifically configured to share the public key with the encryption protection device through a serial port;
the storage module 93 is specifically configured to store the ciphertext data burned by the encryption protection apparatus, the encrypted first decryption code, and the second decryption code in a Flash memory Flash.
The embedded system apparatus of this embodiment may be configured to implement the technical solutions of the above-mentioned method embodiments, and the implementation principles and technical effects are similar, which are not described herein again.
In practical applications, the generating module 91, the sharing module 92, the storage module 93, the decrypting module 94, and the clearing module 95 of the embedded system device 09 can be implemented by a Central Processing Unit (CPU), a microprocessor Unit (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like in the embedded system device 09.
EXAMPLE six
FIG. 10 is a schematic structural diagram of an embodiment of a system for protecting critical data according to the present invention; as shown in fig. 10, the system 010 for protecting critical data according to the embodiment of the present invention includes: an encryption protection device 0101 and an embedded system device 0102; wherein,
the encryption protection device 0101 adopts the encryption protection device described in the above embodiment;
the embedded system device 0102 is the embedded system device according to the above embodiment.
The protection system of the key data of this embodiment may be used to implement the technical solutions of the above-described method embodiments, and the implementation principles and technical effects are similar, which are not described herein again.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (11)

1. A method for protecting critical data, the method comprising:
acquiring a public key shared by an embedded system device;
encrypting key data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data;
encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code;
and sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
2. The method of claim 1, wherein the second encrypted code is an asymmetric encrypted code;
the acquiring the public key shared by the embedded system device comprises the following steps:
acquiring the public key shared by the embedded system device through a serial port;
the sending the ciphertext data, the encrypted first decryption code, and the second decryption code to the embedded system device includes:
and burning the ciphertext data, the encrypted first decryption code and the second decryption code into a Flash memory Flash of the embedded system device.
3. A method for protecting critical data, the method comprising:
generating a private key according to the inherent characteristic identifier of the private key, and deriving a corresponding public key from the private key by using an asymmetric key generation method;
sharing the public key to an encryption protection device;
the encrypted data sent by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code are stored; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used for decrypting the ciphertext data.
4. The method according to claim 3, wherein after storing the ciphertext data, the encrypted first decryption code, and the second decryption code sent by the encryption protection apparatus, the method further comprises:
decrypting the ciphertext data in the memory to obtain key data to be protected;
after the key data to be protected are obtained, performing emptying operation;
the decrypting the ciphertext data in the memory to obtain the key data to be protected includes:
calling an Application Programming Interface (API) function in a memory to dynamically acquire the private key;
decrypting the encrypted first decryption code according to the private key and the second decryption code to obtain a first decryption code;
and carrying out decryption operation on the ciphertext data by using the first decryption code to obtain the key data to be protected.
5. The method of claim 3, wherein generating the private key according to the intrinsic characteristic identifier of the private key comprises:
generating a private key by utilizing a Hash algorithm according to the inherent characteristic identifier of the private key; wherein the inherent feature identifier comprises: supplier identity identifier (Vendor ID) and Serial Number (SN);
the sharing the public key to the encryption protection device includes:
sharing the public key to the encryption protection device through a serial port;
the storing of the ciphertext data sent by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code includes:
and storing the ciphertext data burned by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code in a Flash memory Flash.
6. An encryption protection apparatus, comprising:
the acquisition module is used for acquiring a public key shared by the embedded system device;
the first encryption module is used for encrypting the key data to be protected according to a first encryption code to obtain ciphertext data and obtaining a first decryption code according to the first encryption code; the first decryption code is used for decrypting the ciphertext data;
the second encryption module is used for encrypting the first decryption code according to the public key and the second encryption code to obtain an encrypted first decryption code and obtaining a second decryption code according to the second encryption code; the second decryption code is used for decrypting the encrypted first decryption code;
and the sending module is used for sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
7. The apparatus of claim 6, wherein the second encryption code is an asymmetric encryption code;
the obtaining module is specifically configured to obtain the public key shared by the embedded system device through a serial port;
the sending module is specifically configured to burn the ciphertext data, the encrypted first decryption code, and the second decryption code into a Flash memory Flash of the embedded system device.
8. An embedded system apparatus, the apparatus comprising:
the generating module is used for generating a private key according to the inherent characteristic identifier of the generating module and deriving a corresponding public key from the private key by using an asymmetric key generating method;
the sharing module is used for sharing the public key to the encryption protection device;
the storage module is used for storing the ciphertext data sent by the encryption protection device, the encrypted first decryption code and the encrypted second decryption code; the second decryption code is used for decrypting the encrypted first decryption code; the first decryption code is used for decrypting the ciphertext data.
9. The apparatus of claim 8, further comprising:
the decryption module is used for decrypting the ciphertext data in the memory to obtain key data to be protected;
the clearing module is used for executing clearing operation after the key data to be protected are obtained;
the decryption module is specifically configured to:
calling an Application Programming Interface (API) function in a memory to dynamically acquire the private key;
decrypting the encrypted first decryption code according to the private key and the second decryption code to obtain a first decryption code;
and carrying out decryption operation on the ciphertext data by using the first decryption code to obtain the key data to be protected.
10. The apparatus according to claim 8, wherein the generating module is specifically configured to generate a private key according to its own inherent characteristic identifier by using a hash algorithm; wherein the inherent feature identifier comprises: supplier identity identifier (Vendor ID) and Serial Number (SN);
the sharing module is specifically configured to share the public key to the encryption protection device through a serial port;
the storage module is specifically configured to store the ciphertext data burned by the encryption protection device, the encrypted first decryption code, and the encrypted second decryption code in a Flash memory Flash.
11. A system for the protection of critical data, the system comprising an encryption protection device according to claim 6 or 7 and an embedded system device according to any one of claims 8 to 10.
CN201611240729.1A 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device Active CN108256346B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611240729.1A CN108256346B (en) 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611240729.1A CN108256346B (en) 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device

Publications (2)

Publication Number Publication Date
CN108256346A true CN108256346A (en) 2018-07-06
CN108256346B CN108256346B (en) 2020-12-01

Family

ID=62719048

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611240729.1A Active CN108256346B (en) 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device

Country Status (1)

Country Link
CN (1) CN108256346B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109753770A (en) * 2019-01-07 2019-05-14 北京地平线机器人技术研发有限公司 Determine method and device, method for burn-recording and device, the electronic equipment of burning data
CN113268717A (en) * 2021-04-08 2021-08-17 东信和平科技股份有限公司 SE-based code program protection method, device and storage medium
CN113326512A (en) * 2021-05-21 2021-08-31 深圳矽递科技股份有限公司 Electronic equipment and MCU firmware protection method thereof

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6643775B1 (en) * 1997-12-05 2003-11-04 Jamama, Llc Use of code obfuscation to inhibit generation of non-use-restricted versions of copy protected software applications
CN1465008A (en) * 2001-02-16 2003-12-31 索尼株式会社 Data processing method and its apparatus
CN101320410A (en) * 2008-05-20 2008-12-10 北京深思洛克数据保护中心 Copyright protection method of embedded system
CN103678174A (en) * 2012-09-11 2014-03-26 联想(北京)有限公司 Data safety method, storage device and data safety system
CN104486355A (en) * 2014-12-30 2015-04-01 大连楼兰科技股份有限公司 Method and device for preventing malicious manipulation of codes
CN104866738A (en) * 2014-02-25 2015-08-26 北京娜迦信息科技发展有限公司 Program code protection method and device
CN105164693A (en) * 2013-04-25 2015-12-16 瑞保企业 Method and system for exchanging encrypted messages between computing devices in a communication network

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6643775B1 (en) * 1997-12-05 2003-11-04 Jamama, Llc Use of code obfuscation to inhibit generation of non-use-restricted versions of copy protected software applications
CN1465008A (en) * 2001-02-16 2003-12-31 索尼株式会社 Data processing method and its apparatus
CN101320410A (en) * 2008-05-20 2008-12-10 北京深思洛克数据保护中心 Copyright protection method of embedded system
CN103678174A (en) * 2012-09-11 2014-03-26 联想(北京)有限公司 Data safety method, storage device and data safety system
CN105164693A (en) * 2013-04-25 2015-12-16 瑞保企业 Method and system for exchanging encrypted messages between computing devices in a communication network
CN104866738A (en) * 2014-02-25 2015-08-26 北京娜迦信息科技发展有限公司 Program code protection method and device
CN104486355A (en) * 2014-12-30 2015-04-01 大连楼兰科技股份有限公司 Method and device for preventing malicious manipulation of codes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王雄等: "MD5加密逆向破解及安全性改进", 《西安文理学院学报:自然科学版》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109753770A (en) * 2019-01-07 2019-05-14 北京地平线机器人技术研发有限公司 Determine method and device, method for burn-recording and device, the electronic equipment of burning data
CN113268717A (en) * 2021-04-08 2021-08-17 东信和平科技股份有限公司 SE-based code program protection method, device and storage medium
CN113326512A (en) * 2021-05-21 2021-08-31 深圳矽递科技股份有限公司 Electronic equipment and MCU firmware protection method thereof

Also Published As

Publication number Publication date
CN108256346B (en) 2020-12-01

Similar Documents

Publication Publication Date Title
CN110650010B (en) Method, device and equipment for generating and using private key in asymmetric key
CA2837516C (en) Randomness for encryption operations
KR102051720B1 (en) Method and apparatus for encrypting/decrypting data on mobile terminal
CN109034796B (en) Alliance chain-based transaction supervision method, electronic device and readable storage medium
CN104205117A (en) Device file encryption and decryption method and device
US11308241B2 (en) Security data generation based upon software unreadable registers
CN110661748B (en) Log encryption method, log decryption method and log encryption device
CN105450620A (en) Information processing method and device
CN107453880B (en) Cloud data secure storage method and system
CN113609522B (en) Data authorization and data access method and device
CN106411504B (en) Data encryption system, method and device
CN108111622B (en) Method, device and system for downloading white box library file
CN104866784A (en) BIOS encryption-based safety hard disk, and data encryption and decryption method
CN102726028A (en) Encryption method, decryption method, and corresponding device and system
CN108256346B (en) Key data protection method, encryption protection device and embedded system device
CN102769525A (en) Backup and recovery method of user key of TCM (Trusted Cryptography Module)
CN113326518B (en) Data processing method and device
CN112417521B (en) Information security system based on FPGA+processor architecture and working method thereof
WO2016078382A1 (en) Hsm enciphered message synchronization implementation method, apparatus and system
CN109784072B (en) Security file management method and system
CN109361506B (en) Information processing method
CN108495309B (en) Information processing method, electronic device, and storage medium
CN116962067A (en) Information encryption method, device and equipment
CN104392153A (en) Software protection method and system
CN112000962B (en) Data encryption processing method, device and system based on block chain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310012 building A01, 1600 yuhangtang Road, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant after: CHINA MOBILE (HANGZHOU) INFORMATION TECHNOLOGY Co.,Ltd.

Applicant after: China Mobile Communications Corp.

Address before: 310012, No. 14, building three, Chang Torch Hotel, No. 259, Wensanlu Road, Xihu District, Zhejiang, Hangzhou

Applicant before: CHINA MOBILE (HANGZHOU) INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: China Mobile Communications Corp.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant