Summary of the invention
The present invention provides a TrustZone-based file encryption and decryption method, device and terminal device, which can improve the security of file encryption.
Other features and advantages of the present invention will become apparent from the following detailed description, or may be learned in part by practice of the present invention.
According to an aspect of the present invention, there is provided a TrustZone-based file encryption method, including: receiving a metadata encryption request for a file, the metadata encryption request including the metadata of the file and a class key identifier, and the metadata including the file key used to encrypt the file; looking up the stored class key corresponding to the class key identifier; sending a data encryption request, through the client interface between the rich execution environment and the trusted execution environment, to the trusted application in the trusted execution environment, the data encryption request including the class key and the metadata; the trusted application decrypting the class key according to a master key pre-stored in the trusted execution environment; the trusted application encrypting the metadata according to the decrypted class key; and the trusted application returning the encrypted metadata through the client interface to the rich execution environment for storage.
According to an embodiment of the present invention, the class key identifier corresponds to an application scenario. The application scenarios include: accessible after the terminal device has booted successfully; accessible after the terminal device has booted successfully and a legitimate login has occurred; accessible after the terminal device has booted successfully, a legitimate login has occurred and the user interface has been unlocked; and write-only while the terminal device has booted successfully, a legitimate login has occurred and the user interface is locked.
According to an embodiment of the present invention, the above method further includes: encrypting the file in the trusted execution environment according to the file key; receiving the encrypted metadata; and merging the encrypted metadata and the encrypted file into a single file for storage.
According to an embodiment of the present invention, encrypting the file in the trusted execution environment according to the file key includes: dividing the file into multiple data blocks; and encrypting the multiple data blocks independently.
According to an embodiment of the present invention, the size of a data block is equal to the size of an operating system kernel page multiplied by 2 to the power N, where N is a positive integer greater than or equal to 2.
According to another aspect of the present invention, there is provided a TrustZone-based file decryption method applicable to any of the encryption methods described above, including: receiving a metadata decryption request for a file, the metadata decryption request including the metadata of the file to be decrypted and a class key identifier, and the metadata including the file key used to encrypt the file; looking up the stored class key corresponding to the class key identifier; sending a data decryption request, through the client interface between the rich execution environment and the trusted execution environment, to the trusted application in the trusted execution environment, the data decryption request including the class key and the metadata to be decrypted; the trusted application decrypting the class key according to a master key pre-stored in the trusted execution environment; the trusted application decrypting the metadata according to the decrypted class key; and the trusted application returning the decrypted metadata through the client interface to the rich execution environment.
According to an embodiment of the present invention, the above method further includes: receiving an operation request for the file sent by a client application in the rich execution environment; and sending the metadata decryption request for the file according to the operation request.
According to an embodiment of the present invention, the above method further includes: decrypting the file in the trusted execution environment according to the file key in the decrypted metadata; and returning the decrypted file to the client application.
According to an embodiment of the present invention, decrypting the file in the trusted execution environment according to the file key in the decrypted metadata includes: independently decrypting the multiple encrypted data blocks into which the file was divided.
According to a further aspect of the present invention, there is provided a TrustZone-based file encryption device, including: an encryption request receiving module for receiving a metadata encryption request for a file, the metadata encryption request including the metadata of the file and a class key identifier, and the metadata including the file key used to encrypt the file; a first class key acquisition module for looking up the stored class key corresponding to the class key identifier; an encryption request module for sending a data encryption request, through the client interface between the rich execution environment and the trusted execution environment, to the trusted application in the trusted execution environment, the data encryption request including the class key and the metadata; a first class key decryption module for decrypting, by the trusted application, the class key according to a master key pre-stored in the trusted execution environment; an encryption execution module for encrypting, by the trusted application, the metadata according to the decrypted class key; and an encrypted data return module for returning, by the trusted application through the client interface, the encrypted metadata to the rich execution environment for storage.
According to an embodiment of the present invention, the class key identifier corresponds to an application scenario. The application scenarios include: accessible after the terminal device has booted successfully; accessible after the terminal device has booted successfully and a legitimate login has occurred; accessible after the terminal device has booted successfully, a legitimate login has occurred and the user interface has been unlocked; and write-only while the terminal device has booted successfully, a legitimate login has occurred and the user interface is locked.
According to an embodiment of the present invention, the above device further includes: a file encryption module for encrypting the file in the trusted execution environment according to the file key; a metadata receiving module for receiving the encrypted metadata; and a merge storage module for merging the encrypted metadata and the encrypted file into a single file for storage.
According to an embodiment of the present invention, the file encryption module includes: a data block dividing submodule for dividing the file into multiple data blocks; and a data block encryption submodule for encrypting the multiple data blocks independently.
According to an embodiment of the present invention, the size of a data block is equal to the size of an operating system kernel page multiplied by 2 to the power N, where N is a positive integer greater than or equal to 2.
According to a further aspect of the present invention, there is provided a TrustZone-based file decryption device applicable to any of the encryption devices described above, including: a decryption request receiving module for receiving a metadata decryption request for a file, the metadata decryption request including the metadata of the file to be decrypted and a class key identifier, and the metadata including the file key used to encrypt the file; a second class key acquisition module for looking up the stored class key corresponding to the class key identifier; a decryption request module for sending a data decryption request, through the client interface between the rich execution environment and the trusted execution environment, to the trusted application in the trusted execution environment, the data decryption request including the class key and the metadata to be decrypted; a second class key decryption module for decrypting, by the trusted application, the class key according to a master key pre-stored in the trusted execution environment; a decryption execution module for decrypting, by the trusted application, the metadata according to the decrypted class key; and a decrypted data return module for returning, by the trusted application through the client interface, the decrypted metadata to the rich execution environment.
According to an embodiment of the present invention, the above device further includes: an operation request receiving module for receiving an operation request for the file sent by a client application in the rich execution environment; and a decryption request sending module for sending the metadata decryption request for the file according to the operation request.
According to an embodiment of the present invention, the above device further includes: a file decryption module for decrypting the file in the trusted execution environment according to the file key in the decrypted metadata; and a decrypted file return module for returning the decrypted file to the client application.
According to an embodiment of the present invention, the file decryption module includes: a data block decryption submodule for independently decrypting the multiple encrypted data blocks into which the file was divided.
According to a further aspect of the present invention, there is provided a terminal device, including: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to perform any of the methods described above by executing the executable instructions.
According to the TrustZone-based file encryption method of the embodiments of the present invention, the metadata containing the file key is encrypted in the trusted execution environment, and the file key is stored in the rich execution environment only as ciphertext, which ensures the security of the file key used to encrypt the file both in storage and in use.
In addition, according to some embodiments, the TrustZone-based file encryption method of the embodiments of the present invention further enhances the security of file encryption by encrypting the file with the file key in the trusted execution environment. Performing the encryption in the trusted execution environment with a single file as the logical unit of encryption further enhances the security of the file.
It should be understood that the general description above and the detailed description below are exemplary only and do not limit the present invention.
Embodiments
Example embodiments will now be described more fully with reference to the accompanying drawings. However, example embodiments can be implemented in many forms and should not be construed as limited to those set forth here; rather, these embodiments are provided so that the present invention will be thorough and complete and will fully convey the concept of the example embodiments to those skilled in the art. The drawings are only schematic illustrations of the present invention and are not necessarily drawn to scale. The same reference numerals denote the same or similar parts throughout the drawings, so their repeated description is omitted.
In addition, the described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. Many specific details are provided in the following description to give a full understanding of the embodiments of the present invention. Those skilled in the art will recognize, however, that the technical solution may be practiced with one or more of the specific details omitted, or with other methods, components, devices, steps, and so on. In other cases, well-known structures, methods, devices, implementations, materials or operations are not shown or described in detail so that the aspects of the present invention are not obscured.
TrustZone is a trusted execution environment (TEE) standard on ARM platforms. Through hardware access isolation, in cooperation with secure kernel software, it provides the ability to execute part of the code securely inside the trusted execution environment. Based on the trusted execution environment built with TrustZone hardware isolation, an application that handles sensitive data is divided into a client application (Client APP) and a trusted application (Trusted APP, TA). The client application runs in the rich execution environment (REE) to handle most non-sensitive business; the rich execution environment is the normal operating system of the mobile terminal device (Rich OS). The trusted application runs in the trusted execution environment to handle sensitive business. The rich execution environment and the trusted execution environment are isolated from each other; a client application running in the rich execution environment accesses the trusted application running in the trusted execution environment through the client interface (TrustZone Client API), or exchanges data with the trusted application through that client interface.
Fig. 1 is a schematic architecture diagram of the rich execution environment and the trusted execution environment in a terminal device according to an example. Fig. 2 is a flowchart of a TrustZone-based file encryption method according to an exemplary embodiment. With reference to Fig. 1 and Fig. 2, the method 10 shown in Fig. 2 includes:
In step S102, a metadata encryption request for a file is received.
The metadata encryption request includes the metadata of the file and a class key identifier (ID). The metadata includes the file key used to encrypt the file.
For example, the encryption/decryption storage service in Fig. 1 receives a file key encryption request sent by the file encryption implementation service. The file encryption implementation service sends this file key encryption request to the encryption/decryption storage service, asking it to encrypt the metadata that includes the file key used to encrypt the data file in Fig. 1.
The encryption/decryption storage service and the file encryption implementation service may each be implemented as a code set made up of at least one function, where each function includes some or all of a function name, function call information and a function implementation. When there are multiple functions, a function implementation may also call other defined functions, and so on.
The file key encryption request is sent, for example, by inter-process communication (IPC), such as the D-Bus or Binder IPC mechanisms.
The metadata and the class key identifier described above are carried in the file key encryption request as parameters.
In step S104, the stored class key corresponding to the class key identifier is looked up.
For example, the encryption/decryption storage service looks up the stored class key corresponding to the class key identifier. The encryption/decryption storage service stores the class key corresponding to each class key identifier, and each stored class key is the ciphertext obtained by encrypting it with the master key in the TEE.
In some embodiments, the class key identifier corresponds to the application scenario of the application that uses the data file. The application scenarios include, for example:
1) accessible after the terminal device has booted successfully: this scenario generally serves the encryption needs of resident system services;
2) accessible after the terminal device has booted successfully and after a legitimate login: this scenario generally serves the encryption needs of system services and system applications;
3) accessible after the terminal device has booted successfully, a legitimate login has occurred and the user interface has been unlocked: this scenario generally serves the encryption needs of ordinary client applications; or
4) write-only while the terminal device has booted successfully, a legitimate login has occurred and the user interface is locked: this scenario generally serves the encryption needs of resident applications such as SMS, mail and instant messaging (IM), which need to write data securely to the system while the user interface is locked.
Because an application's security policy differs between application scenarios, one of the scenarios above is selected each time to determine the corresponding class key, and this differentiation of application scenarios improves the security of application data. For example, if the policy of an encrypted entry is set to be accessible only after the terminal device has booted successfully, a legitimate login has occurred and the user interface has been unlocked, then access requests at any other time are rejected, and the corresponding class key is also cleared from memory, which further improves the security of the encryption.
The key is the primary point of attack on a black-box encryption algorithm, so the key must be kept secure both in storage and in use. Storage security mainly means that an attacker cannot read or write the key; usage security mainly concerns the possibility of dynamic attacks on the key while it is in memory. In this method, to strengthen key security, the class keys stored in the REE are stored in ciphertext form.
In some embodiments, during its initialization the encryption/decryption storage service also needs to confirm with the trusted application, through the client interface, whether the master key is available.
In some embodiments, the method 10 may further include the following steps before step S104:
In step 1, the encryption/decryption storage service sends the class key corresponding to each application scenario to the trusted application through the client interface.
In step 2, the trusted application encrypts the class key of each application scenario with the master key in the TrustZone context.
In step 3, the trusted application returns the encrypted class key of each application scenario through the client interface to the encryption/decryption storage service in the REE for storage.
In step S106, a data encryption request is sent through the client interface between the REE and the TEE to the trusted application in the TEE.
The data encryption request includes the class key and the metadata.
For example, the encryption/decryption storage service sends the data encryption request to the trusted application in the TEE, and the data encryption request includes the class key found in step S104 and the metadata received in step S102.
As shown in Fig. 1, in a specific implementation, the encryption/decryption storage service can use the TrustZone client interface, together with the kernel-space communication mechanism between the REE and the TEE, to implement the call from the encryption storage service to the trusted application dedicated to key encryption and decryption, that is, the communication service between the encryption storage service and the trusted application. Note that the kernel-space communication mechanism between the REE and the TEE is known to those skilled in the art and is not described again here.
In some embodiments, the client interface uses a mandatory access control (MAC) permission management mechanism, such as the SELinux access control mechanism.
SELinux is a label-based security system. In an SELinux policy, the control of subjects over objects is implemented by setting labels. A subject can be any process running in the terminal device, while objects are all the resources in the system, including file systems, directories, files, file descriptors, ports, message interfaces, network interfaces and so on. Each process has its own label, and each object has its own label. A written SELinux policy controls what a process label may do to an object label, such as file access, read/write and socket operations. For example, the policy configuration can allow only a process with label A to call a client interface with label B, which ensures that the interface of the encryption storage service is not abused arbitrarily.
In step S108, the trusted application decrypts the class key according to the master key pre-stored in the TEE.
Each terminal device independently possesses its own master key. During initialization of the execution context, the master key is loaded into the TrustZone image file, that is, into the TrustZone context of the TEE. Because the master key is embedded in the TEE and never appears in the REE, the class key cannot be decrypted in the REE, where the master key cannot be obtained; this enhances the security of the application data encrypted with the class key.
In step S110, the trusted application encrypts the metadata according to the decrypted class key.
The trusted application may, for example, use a symmetric encryption algorithm such as AES (Advanced Encryption Standard) or DES (Data Encryption Standard) to encrypt the metadata with the decrypted class key; the present invention is not limited in this respect. Available encryption modes include CBC (Cipher Block Chaining), OFB (Output Feedback) and CFB (Cipher Feedback).
As shown in Fig. 1, the trusted application may perform the above data encryption operation by calling the general-purpose hardware cryptographic engine in the TEE.
In step S112, the trusted application returns the encrypted metadata through the client interface to the REE for storage.
After completing the encryption, the trusted application returns the encrypted metadata to the REE through the client interface.
According to the TrustZone-based file encryption method of the embodiments of the present invention, the metadata containing the file key is encrypted in the TEE, and the file key is stored in the REE only as ciphertext, which ensures the security of the file key used to encrypt the file both in storage and in use.
It should be clearly understood that the present disclosure describes how to form and use particular examples, but the principles of the present invention are not limited to any details of these examples. Rather, based on the teaching of the present disclosure, these principles can be applied to many other embodiments.
Fig. 3 is a flowchart of another TrustZone-based file encryption method according to an exemplary embodiment. The method 20 shown in Fig. 3 includes:
In step S202, the file is encrypted in the TEE according to the file key.
For example, as shown in Fig. 1, the file encryption implementation service may implement the encryption of the file by means of the trusted application in the TEE.
The access interface of the file encryption implementation service to data files is designed to be as close as possible to a general high-level file access interface (as distinct from the low-level file interfaces of Linux or Windows systems): apart from specifying the file password or the encryption class parameter, the details of the encryption are essentially transparent to the user.
The file encryption implementation service sends the file to be encrypted to the trusted application, and the trusted application encrypts the file. In a specific implementation, the file encryption implementation service can use the TrustZone client interface, together with the kernel-space communication mechanism between the REE and the TEE, to implement the call between the file encryption implementation service and the trusted application, that is, the communication service between the file encryption implementation service and the trusted application. Note that the kernel-space communication mechanism between the REE and the TEE is known to those skilled in the art and is not described again here.
The trusted application encrypts the file as a whole, with a single file as the logical unit of encryption; it is not encryption of generic data blocks or data streams of any kind, nor the common file-system-based or block-device-based file encryption.
The trusted application may, for example, use a symmetric encryption algorithm such as AES (Advanced Encryption Standard) or DES (Data Encryption Standard) to encrypt the file according to the file key; the present invention is not limited in this respect.
As shown in Fig. 1, the trusted application may perform the above data encryption operation by calling the general-purpose hardware cryptographic engine in the TEE.
In some embodiments, to balance system performance against security, the trusted application can divide the file into multiple data blocks and encrypt the blocks independently. There is no dependency between the blocks, so the trusted application can encrypt multiple blocks in parallel. The block size can be adjusted as needed; for example, it can be the kernel page size of the mobile terminal device's operating system multiplied by 2 to the power N, where N is a positive integer greater than or equal to 2. For example, for a 32-bit operating system with a 4KB page size, the block size can be 16KB, 64KB, 256KB and so on; for a 64-bit operating system with a 64KB page size, the block size can be 128KB, 256KB, 1024KB and so on. The block size depends on the platform resources, the configuration and the choice of encryption algorithm. In general, the larger the block, the faster sequential access is (for example, copying a file); the smaller the block, the better random access performance is (for example, random reads and writes).
Fig. 4 is a schematic architecture diagram of the rich execution environment and the trusted execution environment in another terminal device according to an example. In some embodiments, as shown in Fig. 4, the file encryption implementation service can also encrypt the file by means of a second trusted application in the TEE. The file encryption implementation service sends the plaintext of the file to be encrypted and the file key to the second trusted application, and the second trusted application encrypts the file. In a specific implementation, the file encryption implementation service can use the TrustZone client interface, together with the kernel-space communication mechanism between the REE and the TEE, to implement the call between the file encryption implementation service and the second trusted application, that is, the communication service between them. The first trusted application in Fig. 4 is used for the encryption operation on the metadata in the method 10. Note that the kernel-space communication mechanism between the REE and the TEE is known to those skilled in the art and is not described again here. In addition, to balance system performance against security, the second trusted application can divide the file into multiple data blocks and encrypt the blocks independently. The specific division into data blocks is the same as described above and is not repeated here.
Fig. 9 is a schematic architecture diagram of the rich execution environment and the trusted execution environment in yet another terminal device according to an example. In some embodiments, as shown in Fig. 9, the file encryption implementation service encrypts the file by means of the general-purpose hardware cryptographic engine in the TEE. The file encryption implementation service sends the plaintext of the file to be encrypted and the file key to the hardware cryptographic engine in the TEE, and the hardware cryptographic engine encrypts the file. In a specific implementation, the file encryption implementation service can use the TrustZone client interface, together with the kernel-space communication mechanism between the REE and the TEE, to implement the call between the file encryption implementation service and the hardware cryptographic engine, that is, the communication service between them. Note that the kernel-space communication mechanism between the REE and the TEE is known to those skilled in the art and is not described again here. In addition, to balance system performance against security, the file encryption implementation service can divide the file into multiple data blocks and ask the hardware cryptographic engine to encrypt the blocks independently. The specific division into data blocks is the same as described above and is not repeated here.
In step S204, the encrypted metadata is received.
For example, the file encryption implementation service in Fig. 1 receives the metadata encrypted by the method 10.
In step S206, the encrypted metadata and the encrypted file are merged into a single file for storage.
Unifying the encrypted metadata with the encrypted file allows the encrypted file to be copied and moved freely.
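The block division of method 20 (page size times 2^N with N at least 2, independent per-block encryption that can run in parallel, random access to a single block) and step S206 (merging the encrypted metadata and the encrypted file into one file), as an added Go example written for this page rather than code from the patent. The container layout with its `"TZF1"` marker, the derivation of each block's nonce from its index, and AES-GCM in place of the text's CBC/OFB/CFB are all assumptions made here; the encrypted metadata passed to `Pack` is whatever method 10 returned and is treated as opaque bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
	"sync"
)

// BlockSize is the text's rule: kernel page size times 2^N, with N >= 2.
func BlockSize(pageSize, n int) (int, error) {
	if pageSize <= 0 || n < 2 {
		return 0, fmt.Errorf("need page size > 0 and N >= 2, got %d and %d", pageSize, n)
	}
	return pageSize << uint(n), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// blockNonce binds a block to its index; a file key serves one file only, so
// (key, index) never repeats, and a block moved to another index fails to open.
func blockNonce(i int) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[8:], uint32(i))
	return nonce
}

// EncryptBlocks seals each blockSize chunk independently, one goroutine per block.
func EncryptBlocks(fileKey, plaintext []byte, blockSize int) ([][]byte, error) {
	aead, err := newGCM(fileKey)
	if err != nil || blockSize <= 0 {
		return nil, fmt.Errorf("invalid key (%v) or block size %d", err, blockSize)
	}
	out := make([][]byte, (len(plaintext)+blockSize-1)/blockSize)
	var wg sync.WaitGroup
	for i := range out {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			end := (i + 1) * blockSize
			if end > len(plaintext) {
				end = len(plaintext)
			}
			out[i] = aead.Seal(nil, blockNonce(i), plaintext[i*blockSize:end], nil)
		}(i)
	}
	wg.Wait()
	return out, nil
}

// DecryptBlock opens block i on its own: random access without touching the rest.
func DecryptBlock(fileKey []byte, i int, block []byte) ([]byte, error) {
	aead, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blockNonce(i), block, nil)
}

// Pack is step S206: metadata ciphertext (from method 10) and the encrypted blocks
// become one file. Constructed layout: "TZF1" | metaLen u32 | blockSize u32 | meta | blocks
func Pack(encMeta []byte, blockSize int, blocks [][]byte) []byte {
	var buf bytes.Buffer
	buf.WriteString("TZF1")
	binary.Write(&buf, binary.BigEndian, []uint32{uint32(len(encMeta)), uint32(blockSize)})
	buf.Write(encMeta)
	for _, b := range blocks {
		buf.Write(b)
	}
	return buf.Bytes()
}

// Unpack parses a container, checking each header length before trusting it.
func Unpack(c []byte) (encMeta []byte, blockSize int, blocks [][]byte, err error) {
	if len(c) < 12 || string(c[:4]) != "TZF1" {
		return nil, 0, nil, fmt.Errorf("bad container header")
	}
	metaLen := binary.BigEndian.Uint32(c[4:8])
	blockSize, rest := int(binary.BigEndian.Uint32(c[8:12])), c[12:]
	if uint64(metaLen) > uint64(len(rest)) || blockSize <= 0 {
		return nil, 0, nil, fmt.Errorf("bad header lengths")
	}
	encMeta, rest = rest[:metaLen], rest[metaLen:]
	for len(rest) > 0 {
		n := blockSize + 16 // AES-GCM ciphertext plus its 16-byte tag
		if n > len(rest) {
			n = len(rest) // the last block may be shorter
		}
		blocks, rest = append(blocks, rest[:n]), rest[n:]
	}
	return encMeta, blockSize, blocks, nil
}
```

A caller encrypts with `EncryptBlocks(fileKey, data, bs)` where `bs` came from `BlockSize`, stores `Pack(encMeta, bs, blocks)`, and later reads block `i` alone with `DecryptBlock` after `Unpack`. Because every block carries its own authentication tag, a container truncated in its last block or a block swapped to another position is rejected at `DecryptBlock` rather than producing wrong plaintext.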
According to the TrustZone-based file encryption method of the embodiments of the present invention, encrypting the file with the file key in the TEE further enhances the security of file encryption. In addition, performing the encryption operation in the TEE with a single file as the logical unit of encryption further enhances the security of the file.
Fig. 5 is a flowchart of a TrustZone-based file decryption method according to an exemplary embodiment. The decryption method is applicable to the file encryption methods 10 and 20 described above. With reference to Fig. 1, the method 30 shown in Fig. 5 includes:
In step S302, a metadata decryption request for a file is received.
For example, the encryption/decryption storage service shown in Fig. 1 receives the metadata decryption request sent by the file encryption implementation service.
The metadata decryption request is, for example, a password creation call sent by inter-process communication, such as the D-Bus or Binder IPC mechanisms.
The metadata decryption request carries, for example as parameters, the metadata of the file to be decrypted and the class key identifier; the metadata includes the file key used to encrypt the file.
In step S304, the stored class key corresponding to the class key identifier is looked up.
For example, the crypto storage service looks up the stored class key corresponding to the class key identifier. The crypto storage service stores the class key corresponding to each class key identifier, and every stored class key is ciphertext encrypted under the master key in the trusted execution environment.
In some embodiments, the class key identifier corresponds to the application scenario of the application program that accesses the file. The application scenarios are classified as described above and are not repeated here.
The key is the primary point of attack against a black-box encryption algorithm, so the key must be protected both in storage and in use. Security in storage primarily means that an attacker cannot read or write the key; security in use primarily concerns the possibility of the key being attacked dynamically while it is in memory. In this method, to strengthen key security, the class keys stored in the normal execution environment are held in ciphertext form.
In step S306, a data decryption request is sent through the client interface between the normal execution environment and the trusted execution environment to the trusted application in the trusted execution environment.
For example, the crypto storage service sends the data decryption request to the trusted application in the trusted execution environment. The data decryption request includes the class key found in step S304 and the metadata to be decrypted.
As shown in Fig. 1, in a specific implementation the crypto storage service can, through the TrustZone client interface and using the kernel-space communication mechanism between the normal execution environment and the trusted execution environment, call the trusted application dedicated to encryption and decryption, that is, a communication service between the crypto storage service and that trusted application. It should be noted that the kernel-space communication mechanism between the normal execution environment and the trusted execution environment is known to those skilled in the art and is not repeated here.
In step S308, the trusted application decrypts the class key using the master key pre-stored in the trusted execution environment.
Each terminal device independently possesses its own master key. During initialization of the execution context, the master key is loaded into the TrustZone image file, that is, into the TrustZone context of the trusted execution environment. Because the master key is embedded in the trusted execution environment and never appears in the normal execution environment, the normal execution environment cannot obtain the master key and therefore cannot decrypt the class key, which enhances the security of the application data encrypted under the class key.
In step S310, the trusted application decrypts the metadata to be decrypted using the decrypted class key.
The decryption operation on the data to be decrypted corresponds to the encryption algorithm used in the encryption process described above.
In step S312, the trusted application returns the decrypted metadata to the crypto storage service through the client interface.
After the trusted application completes decryption, it returns the decrypted metadata to the normal execution environment through the client interface.
Fig. 6 is a flowchart of another TrustZone-based file decryption method according to an exemplary embodiment. As shown in Fig. 6, method 40 includes:
In step S402, an operation request for a file sent by a client application in the normal execution environment is received.
For example, as shown in Fig. 1, when a client application needs to open the file, it sends the operation request to the file encryption implementation service.
It should be noted that, in a specific implementation, the file encryption implementation service can be implemented inside each application program, i.e., each application calls the service internally. It can also be an independent service that each application calls through a mechanism such as inter-process communication.
In step S404, a metadata decryption request for the file is sent according to the operation request.
The decryption operation of method 30 is thereby performed on the metadata.
In some embodiments, method 40 further includes:
In step S406, the file is decrypted in the trusted execution environment according to the file key in the decrypted metadata.
For example, as shown in Fig. 1, the file encryption implementation service can have the file decrypted by a trusted application in the trusted execution environment.
The file encryption implementation service sends the file to be decrypted to the trusted application, and the trusted application decrypts it. In a specific implementation, the file encryption implementation service can, through the TrustZone client interface and using the kernel-space communication mechanism between the normal execution environment and the trusted execution environment, call the trusted application, that is, a communication service between the file encryption implementation service and the trusted application.
As shown in Fig. 1, the trusted application can perform the above data decryption operation by calling the general-purpose hardware crypto engine in the trusted execution environment.
In some embodiments, when the file to be decrypted consists of multiple encrypted data blocks, the first trusted application decrypts the multiple encrypted data blocks independently according to the file key.
In some embodiments, as shown in Fig. 4, the file encryption implementation service can also have the file decrypted by a second trusted application in the trusted execution environment. The file encryption implementation service sends the file to be decrypted and the file key to the second trusted application, which decrypts the file. In a specific implementation, the file encryption implementation service can, through the TrustZone client interface and using the kernel-space communication mechanism between the normal execution environment and the trusted execution environment, call the second trusted application, that is, a communication service between the file encryption implementation service and the second trusted application.
In some embodiments, as shown in Fig. 9, the file encryption implementation service has the file decrypted by the general-purpose hardware crypto engine in the trusted execution environment. The file encryption implementation service sends the file to be decrypted and the file key to the hardware crypto engine in the trusted execution environment, which decrypts the file. In a specific implementation, the file encryption implementation service can, through the TrustZone client interface and using the kernel-space communication mechanism between the normal execution environment and the trusted execution environment, call the hardware crypto engine, that is, a communication service between the file encryption implementation service and the hardware crypto engine.
In step S408, the decrypted file is returned to the client application.
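The following Python model is added here as an illustration of the flows described above and is not code from the patent. It walks method 10/30 (the class key is looked up by identifier in the normal execution environment, where it exists only as master-key ciphertext, and is unwrapped inside the trusted application so that the metadata can be sealed or unsealed under it), method 20 (a fresh file key per file, data blocks encrypted independently, encrypted metadata merged with the encrypted body into one container) and method 40 (unwrap the metadata, then decrypt the blocks). The names TrustedApplication, CryptoStorageService, seal/unseal, the container layout and the HMAC-SHA256 counter-mode stand-in cipher are assumptions of the example, not the patent's design; a real trusted application would call the hardware crypto engine with AES instead of the stand-in.

```python
"""Added model (not the patent's code) of: master key (TEE only) -> class keys (wrapped,
stored in the normal world by id) -> file key (inside encrypted metadata) -> independently
sealed file blocks, merged into one container.  Assumed stand-in cipher: HMAC-SHA256 in
counter mode plus an encrypt-then-MAC tag, since the standard library has no AES engine."""
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN, TAG_LEN, OVERHEAD = 16, 32, 48


def _subkey(key, label):  # separate keystream and MAC keys from one 32-byte key
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode as the PRF
    blocks = (hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]


def seal(key, plaintext, aad=b""):
    # Returns nonce | ciphertext | tag; the tag also binds the associated data.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):  # wrong key, tampered or truncated
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class TrustedApplication:
    """Secure-world side: the master key is set here and never returned."""

    def __init__(self, master_key):
        self._master_key = master_key  # per device, loaded with the TrustZone image

    def wrap_class_key(self, class_key):  # provisioning: class key leaves only as ciphertext
        return seal(self._master_key, class_key, b"class-key")

    def _class_key(self, wrapped):  # step S308: unwrap under the master key, inside the TA
        return unseal(self._master_key, wrapped, b"class-key")

    def encrypt_metadata(self, wrapped_class_key, metadata):
        return seal(self._class_key(wrapped_class_key), metadata, b"metadata")

    def decrypt_metadata(self, wrapped_class_key, enc_metadata):
        return unseal(self._class_key(wrapped_class_key), enc_metadata, b"metadata")

    def encrypt_blocks(self, file_key, data, block_size):
        # Each block is sealed on its own with its index as aad: blocks decrypt
        # independently, but cannot be reordered or swapped between positions unnoticed.
        chunks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
        return b"".join(seal(file_key, c, struct.pack(">I", i)) for i, c in enumerate(chunks))

    def decrypt_blocks(self, file_key, body, block_size):
        step = block_size + OVERHEAD  # every block can be located and checked on its own
        return b"".join(unseal(file_key, body[i:i + step], struct.pack(">I", i // step))
                        for i in range(0, len(body), step))


class CryptoStorageService:
    """Normal-world crypto storage service: holds class keys only as master-key ciphertext."""

    def __init__(self, ta, class_key_ids):
        self._ta = ta
        self._wrapped = {cid: ta.wrap_class_key(os.urandom(32)) for cid in class_key_ids}

    def encrypt_metadata(self, class_key_id, metadata):  # method 10, via the client interface
        return self._ta.encrypt_metadata(self._wrapped[class_key_id], metadata)

    def decrypt_metadata(self, class_key_id, enc_metadata):  # method 30
        return self._ta.decrypt_metadata(self._wrapped[class_key_id], enc_metadata)


def encrypt_file(svc, ta, class_key_id, plaintext, block_size=4096):
    # Method 20: fresh file key per file, travelling only inside the encrypted metadata;
    # container = len(enc_meta) | enc_meta | enc_body, so it moves and copies as one file.
    file_key = os.urandom(32)
    meta = {"file_key": file_key.hex(), "block_size": block_size, "size": len(plaintext)}
    enc_meta = svc.encrypt_metadata(class_key_id, json.dumps(meta).encode())
    return struct.pack(">I", len(enc_meta)) + enc_meta + ta.encrypt_blocks(file_key, plaintext, block_size)


def decrypt_file(svc, ta, class_key_id, container):
    # Method 40: unwrap the metadata, then decrypt the blocks. The recorded size catches
    # removal of whole trailing blocks, which per-block tags alone would not detect.
    (n,) = struct.unpack(">I", container[:4])
    meta = json.loads(svc.decrypt_metadata(class_key_id, container[4:4 + n]))
    data = ta.decrypt_blocks(bytes.fromhex(meta["file_key"]), container[4 + n:], meta["block_size"])
    if len(data) != meta["size"]:
        raise ValueError("file body truncated")
    return data
```

Two points a practitioner should take from the model. First, the only secret that ever lives in the normal execution environment in the clear is nothing: the class keys are master-key ciphertext and the file key sits inside metadata ciphertext, so a wrong class key identifier or a bit flip in either layer surfaces as an authentication failure rather than as garbage plaintext. Second, encrypting blocks independently is what makes random access and parallel use of the hardware engine possible, but independent tags say nothing about how many blocks there should be, so the plaintext length (or block count) belongs in the authenticated metadata as well.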
It will be appreciated by those skilled in the art that all or part of the steps of the above embodiments may be implemented as a computer program executed by a CPU. When the computer program is executed by the CPU, it performs the above functions defined by the method provided by the present invention. The program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc, or the like.
Further, it should be noted that the above drawings are only schematic illustrations of the processing included in the methods according to exemplary embodiments of the present invention, and are not limiting. It is readily understood that the processing shown in the drawings does not indicate or limit the time sequence of these processes. It is also readily understood that these processes may be performed, for example, synchronously or asynchronously in multiple modules.
The following are apparatus embodiments of the present invention, which can be used to perform the method embodiments of the present invention. For details not disclosed in the apparatus embodiments, reference is made to the method embodiments of the present invention.
Fig. 7 is a block diagram of a TrustZone-based file encryption apparatus according to an exemplary embodiment. As shown in Fig. 7, apparatus 50 includes: an encryption request receiving module 502, a first class key acquisition module 504, an encryption request module 506, a first class key decryption module 508, an encryption execution module 510 and an encrypted data return module 512.
The encryption request receiving module 502 is configured to receive a metadata encryption request for a file; the metadata encryption request includes the metadata of the file and a class key identifier, and the metadata includes the file key used to encrypt the file.
The first class key acquisition module 504 is configured to look up the stored class key corresponding to the class key identifier.
In some embodiments, the class key identifier corresponds to an application scenario. The application scenarios include: accessible after the terminal device has booted successfully; accessible after the terminal device has booted successfully and a legitimate login has occurred; accessible after the terminal device has booted successfully, a legitimate login has occurred and the user interface has been unlocked; and write-only when the terminal device has booted successfully, a legitimate login has occurred and the user interface is locked.
The encryption request module 506 is configured to send a data encryption request through the client interface between the normal execution environment and the trusted execution environment to the trusted application in the trusted execution environment; the data encryption request includes the class key and the metadata.
The first class key decryption module 508 is configured to have the trusted application decrypt the class key using the master key pre-stored in the trusted execution environment.
The encryption execution module 510 is configured to have the trusted application encrypt the metadata using the decrypted class key.
The encrypted data return module 512 is configured to have the trusted application return the encrypted metadata through the client interface to the normal execution environment for storage.
In some embodiments, apparatus 50 further includes: a file encryption module 514, a metadata receiving module 516 and a merge storage module 518. The file encryption module 514 is configured to encrypt the file in the trusted execution environment according to the file key. The metadata receiving module 516 is configured to receive the encrypted metadata. The merge storage module 518 is configured to merge the encrypted metadata and the encrypted file and store them as a single file.
In some embodiments, the file encryption module 514 includes: a data block division submodule 5142 and a data block encryption submodule 5144. The data block division submodule 5142 is configured to divide the file into multiple data blocks. The data block encryption submodule 5144 is configured to encrypt the multiple data blocks independently.
According to the TrustZone-based file encryption method of the embodiments of the present invention, the metadata containing the file key is encrypted in the trusted execution environment, and only the ciphertext of the file key is stored in the normal execution environment, which ensures the security of the file key used to encrypt the file both in storage and in use.
Fig. 8 is a block diagram of a TrustZone-based file decryption apparatus according to an exemplary embodiment. The decryption apparatus is applicable to the encryption apparatus 50 described above. As shown in Fig. 8, the decryption apparatus 60 includes: a decryption request receiving module 602, a second class key acquisition module 604, a decryption request module 606, a second class key decryption module 608, a decryption execution module 610 and a decrypted data return module 612.
The decryption request receiving module 602 is configured to receive a metadata decryption request for a file; the metadata decryption request includes the metadata of the file to be decrypted and a class key identifier, and the metadata includes the file key used to encrypt the file.
The second class key acquisition module 604 is configured to look up the stored class key corresponding to the class key identifier.
The decryption request module 606 is configured to send a data decryption request through the client interface between the normal execution environment and the trusted execution environment to the trusted application in the trusted execution environment; the data decryption request includes the class key and the metadata to be decrypted.
The second class key decryption module 608 is configured to have the trusted application decrypt the class key using the master key pre-stored in the trusted execution environment.
The decryption execution module 610 is configured to have the trusted application decrypt the metadata using the decrypted class key.
The decrypted data return module 612 is configured to have the trusted application return the decrypted metadata through the client interface to the normal execution environment.
In some embodiments, apparatus 60 further includes: an operation request receiving module 614 and a decryption request sending module 616. The operation request receiving module 614 is configured to receive an operation request for a file sent by a client application in the normal execution environment. The decryption request sending module 616 is configured to send the metadata decryption request for the file according to the operation request.
In some embodiments, apparatus 60 further includes: a file decryption module 618 and a decrypted file return module 620. The file decryption module 618 is configured to decrypt the file in the trusted execution environment according to the file key in the decrypted metadata. The decrypted file return module 620 is configured to return the decrypted file to the client application.
In some embodiments, the file decryption module 618 includes a data block decryption submodule 6182, configured to independently decrypt the multiple encrypted data blocks into which the file was divided.
It should be noted that the block diagrams in the above drawings show functional entities, which do not necessarily correspond to physically or logically independent entities. These functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different network and/or processor devices and/or microcontroller devices.
Through the above description of the embodiments, those skilled in the art will readily appreciate that the exemplary embodiments described herein may be implemented in software, or in software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, or the like) or on a network, and which includes instructions that cause a computing device (which may be a personal computer, a server, a mobile terminal, a network device, or the like) to perform the method according to the embodiments of the present invention.
The exemplary embodiments of the present invention have been particularly shown and described above. It should be understood that the present invention is not limited to the detailed construction, arrangement or implementation described herein; on the contrary, it is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.