CN106980794A - TrustZone-based file encryption and decryption method and device and terminal equipment - Google Patents

Info

Publication number: CN106980794A
Authority: CN (China)
Prior art keywords: file, metadata, key, performing environment, encryption
Legal status: Granted (Active)
Application number: CN201710214710.8A
Other languages: Chinese (zh)
Other versions: CN106980794B (en)
Inventor: 孙国峰
Current Assignee: Yuanxin Information Technology Group Co ltd
Original Assignee: Yuanxin Technology
Application filed by: Yuanxin Technology
Priority to: CN201710214710.8A
Publication of CN106980794A
Application granted; publication of CN106980794B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
Abstract

The application discloses a TrustZone-based file encryption and decryption method, device and terminal equipment. The method comprises the following steps: receiving a metadata encryption request for a file, the metadata encryption request comprising: metadata and class key identification of the file, wherein the metadata comprises: a file key for encrypting the file; searching a class key corresponding to the stored class key identification; sending a data encryption request to a trusted application in the trusted execution environment through a client interface between the normal execution environment and the trusted execution environment, the data encryption request including: class keys and metadata; the trusted application program decrypts the class key according to the master key pre-stored in the trusted execution environment; the trusted application program encrypts the metadata according to the decrypted class key; and the trusted application program returns the encrypted metadata to the common execution environment for storage through the client interface. The method can improve the security of file encryption.

Description

TrustZone-based file encryption and decryption method, device and terminal equipment
Technical field
The present invention relates to the field of mobile terminal device security, and in particular to a TrustZone-based file encryption and decryption method, device and terminal equipment.
Background
At present, the common file encryption schemes are the following:
(1) encryption schemes based on the file system, such as eCryptfs;
(2) encryption schemes based on the block device, such as dm-crypt;
(3) encryption schemes based on the file, such as various proprietary encryption methods.
All of the above file encryption schemes encrypt on the basis of a local key system, so a sufficiently secure key chain is the foundation of file encryption security, and protecting the keys requires the system to provide a reliable root of trust on which to build a firm chain of protection. Common secure hardware usually provides a hardware unique identifier, or a non-erasable fused root key, as the system's sole root of trust. Every other key in the system is directly or indirectly derived from the root of trust or encrypted under it.
The above information is provided only to aid understanding of the background of the invention; the background section may therefore include information that does not constitute prior art known to a person of ordinary skill in the art.
Summary of the invention
The present invention provides a TrustZone-based file encryption and decryption method, device and terminal equipment that can improve the security of file encryption.
Other features and advantages of the invention will become apparent from the following detailed description, or will be learned in part by practice of the invention.
According to one aspect of the invention, a TrustZone-based file encryption method is provided, comprising: receiving a metadata encryption request for a file, the metadata encryption request comprising the metadata of the file and a class key identification, the metadata comprising a file key used to encrypt the file; looking up the stored class key corresponding to the class key identification; sending, through the client interface between the normal execution environment and the trusted execution environment, a data encryption request to a trusted application in the trusted execution environment, the data encryption request comprising the class key and the metadata; the trusted application decrypting the class key according to a master key pre-stored in the trusted execution environment; the trusted application encrypting the metadata according to the decrypted class key; and the trusted application returning the encrypted metadata, through the client interface, to the normal execution environment for storage.
According to an embodiment of the invention, the class key identification corresponds to an application scenario; the application scenarios include: accessible after the terminal device has started successfully; accessible after the terminal device has started successfully and a legitimate login has occurred; accessible after the terminal device has started successfully, a legitimate login has occurred and the user interface has been unlocked; and write-only when the terminal device has started successfully, a legitimate login has occurred and the user interface is locked.
According to an embodiment of the invention, the above method further comprises: encrypting the file in the trusted execution environment according to the file key; receiving the encrypted metadata; and merging the encrypted metadata and the encrypted file into one file for storage.
According to an embodiment of the invention, encrypting the file in the trusted execution environment according to the file key comprises: dividing the file into multiple data blocks; and encrypting the data blocks independently.
According to an embodiment of the invention, the size of a data block equals the size of an operating system kernel page multiplied by 2 to the power N, where N is a positive integer greater than or equal to 2.
According to another aspect of the invention, a TrustZone-based file decryption method applicable to any of the encryption methods described above is provided, comprising: receiving a metadata decryption request for a file, the metadata decryption request comprising the file's metadata to be decrypted and a class key identification, the metadata comprising a file key used to encrypt the file; looking up the stored class key corresponding to the class key identification; sending, through the client interface between the normal execution environment and the trusted execution environment, a data decryption request to a trusted application in the trusted execution environment, the data decryption request comprising the class key and the metadata to be decrypted; the trusted application decrypting the class key according to a master key pre-stored in the trusted execution environment; the trusted application decrypting the metadata according to the decrypted class key; and the trusted application returning the decrypted metadata, through the client interface, to the normal execution environment.
According to an embodiment of the invention, the above method further comprises: receiving an operation request for the file sent by a client application in the normal execution environment; and sending the metadata decryption request for the file according to the operation request.
According to an embodiment of the invention, the above method further comprises: decrypting the file in the trusted execution environment according to the file key in the decrypted metadata; and returning the decrypted file to the client application.
According to an embodiment of the invention, decrypting the file in the trusted execution environment according to the file key in the decrypted metadata comprises: independently decrypting the multiple encrypted data blocks into which the file was divided.
According to a further aspect of the invention, a TrustZone-based file encryption device is provided, comprising: an encryption request receiving module for receiving a metadata encryption request for a file, the metadata encryption request comprising the metadata of the file and a class key identification, the metadata comprising a file key used to encrypt the file; a first class key acquisition module for looking up the stored class key corresponding to the class key identification; an encryption request module for sending, through the client interface between the normal execution environment and the trusted execution environment, a data encryption request to a trusted application in the trusted execution environment, the data encryption request comprising the class key and the metadata; a first class key decryption module for decrypting the class key, by the trusted application, according to a master key pre-stored in the trusted execution environment; an encryption execution module for encrypting the metadata, by the trusted application, according to the decrypted class key; and an encrypted data return module for returning the encrypted metadata, by the trusted application through the client interface, to the normal execution environment for storage.
According to an embodiment of the invention, the class key identification corresponds to an application scenario; the application scenarios include: accessible after the terminal device has started successfully; accessible after the terminal device has started successfully and a legitimate login has occurred; accessible after the terminal device has started successfully, a legitimate login has occurred and the user interface has been unlocked; and write-only when the terminal device has started successfully, a legitimate login has occurred and the user interface is locked.
According to an embodiment of the invention, the above device further comprises: a file encryption module for encrypting the file in the trusted execution environment according to the file key; a metadata receiving module for receiving the encrypted metadata; and a merge storage module for merging the encrypted metadata and the encrypted file into one file for storage.
According to an embodiment of the invention, the file encryption module comprises: a data block division submodule for dividing the file into multiple data blocks; and a data block encryption submodule for encrypting the data blocks independently.
According to an embodiment of the invention, the size of a data block equals the size of an operating system kernel page multiplied by 2 to the power N, where N is a positive integer greater than or equal to 2.
According to a further aspect of the invention, a TrustZone-based file decryption device applicable to any of the encryption devices described above is provided, comprising: a decryption request receiving module for receiving a metadata decryption request for a file, the metadata decryption request comprising the file's metadata to be decrypted and a class key identification, the metadata comprising a file key used to encrypt the file; a second class key acquisition module for looking up the stored class key corresponding to the class key identification; a decryption request module for sending, through the client interface between the normal execution environment and the trusted execution environment, a data decryption request to a trusted application in the trusted execution environment, the data decryption request comprising the class key and the metadata to be decrypted; a second class key decryption module for decrypting the class key, by the trusted application, according to a master key pre-stored in the trusted execution environment; a decryption execution module for decrypting the metadata, by the trusted application, according to the decrypted class key; and a decrypted data return module for returning the decrypted metadata, by the trusted application through the client interface, to the normal execution environment.
According to an embodiment of the invention, the above device further comprises: an operation request receiving module for receiving an operation request for the file sent by a client application in the normal execution environment; and a decryption request sending module for sending the metadata decryption request for the file according to the operation request.
According to an embodiment of the invention, the above device further comprises: a file decryption module for decrypting the file in the trusted execution environment according to the file key in the decrypted metadata; and a decrypted file return module for returning the decrypted file to the client application.
According to an embodiment of the invention, the file decryption module comprises: a data block decryption submodule for independently decrypting the multiple encrypted data blocks into which the file was divided.
According to a further aspect of the invention, a terminal device is provided, comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to perform any of the methods described above by executing the executable instructions.
According to the TrustZone-based file encryption method of embodiments of the invention, the metadata containing the file key is encrypted in the trusted execution environment and only the ciphertext of the file key is stored in the normal execution environment, which ensures that the file key used to encrypt the file is secure both in storage and in use.
In addition, according to some embodiments, the TrustZone-based file encryption method encrypts the file with the file key in the trusted execution environment, further strengthening the security of file encryption. Performing the encryption in the trusted execution environment with the single file as the logical encryption unit further strengthens the security of the file.
It should be understood that the general description above and the detailed description below are only exemplary and do not limit the invention.
Brief description of the drawings
The above and other objects, features and advantages of the invention will become more apparent from the detailed description of its example embodiments with reference to the accompanying drawings.
Fig. 1 is an architecture diagram of the normal execution environment and the trusted execution environment in a terminal device according to an example.
Fig. 2 is a flow chart of a TrustZone-based file encryption method according to an illustrative embodiment.
Fig. 3 is a flow chart of another TrustZone-based file encryption method according to an illustrative embodiment.
Fig. 4 is an architecture diagram of the normal execution environment and the trusted execution environment in another terminal device according to an example.
Fig. 5 is a flow chart of a TrustZone-based file decryption method according to an illustrative embodiment.
Fig. 6 is a flow chart of another TrustZone-based file decryption method according to an illustrative embodiment.
Fig. 7 is a block diagram of a TrustZone-based file encryption device according to an illustrative embodiment.
Fig. 8 is a block diagram of a TrustZone-based file decryption device according to an illustrative embodiment.
Fig. 9 is an architecture diagram of the normal execution environment and the trusted execution environment in another terminal device according to an example.
Detailed description
Example embodiments are now described more fully with reference to the accompanying drawings. The example embodiments can, however, be implemented in many forms and should not be understood as limited to the examples set forth here; rather, these embodiments are provided so that the invention will be thorough and complete and so that the concept of the example embodiments is fully conveyed to those skilled in the art. The drawings are only schematic illustrations of the invention and are not necessarily drawn to scale. Identical reference numerals in the figures denote identical or similar parts, and their repeated description is omitted.
Furthermore, the described features, structures or characteristics may be combined in any suitable manner in one or more embodiments. Many specific details are given in the following description to provide a full understanding of the embodiments of the invention. Those skilled in the art will appreciate, however, that the technical solution of the invention can be practised with one or more of the specific details omitted, or with other methods, components, devices, steps and so on. In other cases, well-known structures, methods, devices, implementations, materials or operations are not shown or described in detail, to avoid obscuring aspects of the invention.
TrustZone technology is a trusted execution environment (Trusted Execution Environment, TEE) standard on ARM platforms; through hardware access isolation combined with secure kernel software, it provides the ability to execute part of the code securely in a trusted execution environment. The trusted execution environment built on TrustZone hardware isolation divides an application that handles sensitive data into a client application (Client APP) and a trusted application (Trusted APP, TA). The client application executes in the normal execution environment (Rich Execution Environment, REE) and handles most non-sensitive business; the normal execution environment is the normal operating system (Rich Operation System, Rich OS) of the mobile terminal device. The trusted application executes in the trusted execution environment and handles sensitive business. The normal execution environment and the trusted execution environment are isolated from each other: a client application running in the normal execution environment accesses a trusted application running in the trusted execution environment through the client interface (TrustZone Client API), or exchanges data with the trusted application through that client interface.
Fig. 1 is an architecture diagram of the normal execution environment and the trusted execution environment in a terminal device according to an example. Fig. 2 is a flow chart of a TrustZone-based file encryption method according to an illustrative embodiment. With reference to Fig. 1 and Fig. 2, the method 10 shown in Fig. 2 includes:
In step S102, a metadata encryption request for a file is received.
The metadata encryption request comprises the metadata of the file and a class key identification (ID). The metadata comprises the file key used to encrypt the file.
For example, the encryption and decryption storage service in Fig. 1 receives a file key encryption request sent by the file encryption implementation service. The file encryption implementation service sends the file key encryption request to the encryption and decryption storage service, requesting it to encrypt the metadata that contains the file key used to encrypt the data file in Fig. 1.
The encryption and decryption storage service and the file encryption implementation service may each be implemented as a code set made up of at least one function, each function comprising some or all of: a function name, function call information and a function implementation. Where there are multiple functions, a function's implementation may also call other defined functions.
The file key encryption request is sent, for example, by inter-process communication (Inter-Process Communication, IPC), using an inter-process communication mechanism such as D-Bus or Binder.
The file key encryption request carries the above metadata and class key identification as parameters.
In step S104, the stored class key corresponding to the class key identification is looked up.
For example, the encryption and decryption storage service looks up the stored class key corresponding to the class key identification. The encryption and decryption storage service stores the class key for each class key identification, and each class key is held as ciphertext encrypted with the master key in the trusted execution environment.
In some embodiments, the class key identification corresponds to the application scenario of the application that calls the database file. The application scenarios include, for example:
1) Accessible after the terminal device has started successfully: this scenario is generally used for the encryption needs of resident system services;
2) Accessible after the terminal device has started successfully and a legitimate login has occurred: this scenario is generally used for the encryption needs of system services and system applications;
3) Accessible after the terminal device has started successfully, a legitimate login has occurred and the user interface has been unlocked: this scenario is generally used for the encryption needs of ordinary client applications; or,
4) Write-only when the terminal device has started successfully, a legitimate login has occurred and the user interface is locked: this scenario is generally used for the encryption needs of resident applications, such as SMS, mail and instant messaging (IM), which need to write data safely to the system while the user interface is locked.
Because an application's security policy differs between application scenarios, exactly one of the above application scenarios is selected each time to determine the corresponding class key, and differentiating the scenarios improves the security of application data. For example, if the policy of an encrypted entry is set to accessible after the terminal device has started successfully, a legitimate login has occurred and the user interface has been unlocked, then access requests at any other time are rejected and the corresponding class key is also cleared from memory, further improving the security of the encryption.
The key is the primary point of attack against a black-box encryption algorithm, so the security of the key must be ensured both in storage and in use. Security in storage mainly means that an attacker cannot read or write the key; security in use mainly concerns the possibility that the key is attacked dynamically in memory. In this method, to strengthen the security of the keys, the class keys stored in the normal execution environment are stored in ciphertext form.
In some embodiments, during initialization the encryption and decryption storage service also needs to confirm with the trusted application, through the client interface, whether the master key is available.
In some embodiments, the method 10 may further include the following steps before step S104:
In step 1, the encryption and decryption storage service sends the class key corresponding to each application scenario to the trusted application through the client interface.
In step 2, the trusted application encrypts the class key of each application scenario with the master key in the TrustZone context.
In step 3, the trusted application returns the encrypted class key of each application scenario, through the client interface, to the encryption and decryption storage service in the normal execution environment for storage.
In step S106, a data encryption request is sent to the trusted application in the trusted execution environment through the client interface between the normal execution environment and the trusted execution environment.
The data encryption request comprises the class key and the metadata.
For example, the encryption and decryption storage service sends the data encryption request to the trusted application in the trusted execution environment; the data encryption request comprises the class key and metadata found in step S102.
As shown in Fig. 1, in a specific implementation the encryption and decryption storage service can use the TrustZone client interface, together with the kernel-space communication mechanism between the normal execution environment and the trusted execution environment, to make calls between the encryption storage service and the trusted application dedicated to key encryption and decryption, that is, to provide the communication service between the encryption storage service and the trusted application. It should be noted that the kernel-space communication mechanism between the normal execution environment and the trusted execution environment is well known to those skilled in the art and is not described again here.
In some embodiments, the client interface uses a mandatory access control (MAC) permission management mechanism, such as the SELinux access control mechanism.
SELinux is a security system based on labels. In an SELinux policy, a subject's control over an object is implemented by setting labels. A subject can be any process running on the terminal device, and the objects are all the resources in the system, including file systems, directories, files, file descriptors, ports, message interfaces and network interfaces. Each process has its own label, and each object also has its own label. The written SELinux policy controls which object labels a process label may access, for example for file access, reads and writes, and SOCKET operations. For example, policy configuration can allow a process labelled A to call the client interface labelled B, ensuring that the interface of the encryption storage service is not arbitrarily abused.
In step S108, the trusted application decrypts the class key according to the master key pre-stored in the trusted execution environment.
Each terminal device has its own independent master key. During execution context initialization, the master key is loaded into the TrustZone image file, that is, into the TrustZone context of the trusted execution environment. Because the master key is embedded in the trusted execution environment and never appears in the normal execution environment, the class key cannot be decrypted in the normal execution environment, where the master key cannot be obtained; this strengthens the security of the application data encrypted with the class key.
In step S110, the trusted application encrypts the metadata according to the decrypted class key.
The trusted application can encrypt the metadata with the decrypted class key using, for example, a symmetric encryption algorithm such as AES (Advanced Encryption Standard) or DES (Data Encryption Standard); the invention is not limited in this respect. Available encryption modes include CBC (Cipher Block Chaining), OFB (Output Feedback) and CFB (Cipher Feedback).
As shown in Fig. 1, the trusted application can perform the above data encryption operation by calling the general-purpose hardware cryptographic engine in the trusted execution environment.
In step S112, the trusted application returns the encrypted metadata, through the client interface, to the normal execution environment for storage.
After the trusted application completes the encryption, it returns the encrypted metadata to the normal execution environment through the client interface.
According to the TrustZone-based file encryption method of embodiments of the invention, the metadata containing the file key is encrypted in the trusted execution environment and only the ciphertext of the file key is stored in the normal execution environment, which ensures that the file key used to encrypt the file is secure both in storage and in use.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of the invention are not limited to any detail of these examples. Rather, based on the teaching of this disclosure, these principles can be applied to many other embodiments.
Fig. 3 is a flowchart of another TrustZone-based file encryption method according to an illustrative embodiment. The method 20 shown in Fig. 3 includes:
In step S202, the file is encrypted in the credible performing environment according to the file key.
For example, as shown in Fig. 1, the file encryption implementation service encrypts the file by means of the trusted application in the credible performing environment.
The interface through which the file encryption implementation service accesses data files is designed to be as close as possible to a general high-level file access interface (as distinct from the low-level file interfaces of Linux or Windows systems); apart from specifying a file password or encryption class parameters, the details of the encryption are essentially transparent to the user.
The file encryption implementation service sends the file to be encrypted to the trusted application, and the trusted application encrypts the file. In a specific implementation, the file encryption implementation service can use the TrustZone customer interface, together with the communication mechanism between the common performing environment and the credible performing environment in kernel space, to make calls between the file encryption implementation service and the trusted application, that is, to provide the communication service between the two. It should be noted that the communication mechanism between the common performing environment and the credible performing environment in kernel space is well known to those skilled in the art and is not described further here.
The trusted application encrypts the file as a whole, treating a single file as the logical encryption unit; this is not any form of encryption of general data blocks or data streams, nor is it the common file encryption based on a file system or block device.
The trusted application can, for example, use a symmetric encryption algorithm such as AES (Advanced Encryption Standard) or DES (Data Encryption Standard) to encrypt the file with the file key; the present invention is not limited in this respect.
As shown in Fig. 1, the trusted application can perform the above data encryption operation by calling the general hardware cryptographic engine in the credible performing environment.
In certain embodiments, to strike a balance between system performance and security, the trusted application can divide the file into multiple data blocks and encrypt the data blocks independently of one another. Because there is no dependency between the data blocks, the trusted application can encrypt multiple data blocks in parallel. The data block size can be adjusted as needed; for example, it can be the size of a memory page of the mobile terminal device's operating system kernel multiplied by 2 to the power N, where N is a positive integer greater than or equal to 2. For example, for a 32-bit operating system the page size is 4KB, so the data block size can be 16KB, 64KB, 256KB, etc.; for a 64-bit operating system the page size is 64KB, so the data block size can be 128KB, 256KB, 1024KB, etc. The data block size depends on platform resources, configuration and the choice of encryption algorithm. In general, the larger the block, the faster sequential access is, for example when copying a file; the smaller the block, the better random access performs, for example for random read and write operations.
Fig. 4 is a schematic diagram of the architecture of the common performing environment and the credible performing environment in another terminal device according to an example. In certain embodiments, as shown in Fig. 4, the file encryption implementation service can also encrypt the file by means of a second trusted application in the credible performing environment. The file encryption implementation service sends the file to be encrypted and the plaintext of the file key to the second trusted application, and the second trusted application encrypts the file. In a specific implementation, the file encryption implementation service can use the TrustZone customer interface, together with the communication mechanism between the common performing environment and the credible performing environment in kernel space, to make calls between the file encryption implementation service and the second trusted application, that is, to provide the communication service between the two. The first trusted application in Fig. 4 is used to carry out the metadata encryption operation of method 10. It should be noted that the communication mechanism between the common performing environment and the credible performing environment in kernel space is well known to those skilled in the art and is not described further here. In addition, to strike a balance between system performance and security, the second trusted application can divide the file into multiple data blocks and encrypt the data blocks independently. The division into data blocks is the same as described above and is not repeated here.
Fig. 9 is a schematic diagram of the architecture of the common performing environment and the credible performing environment in another terminal device according to an example. In certain embodiments, as shown in Fig. 9, the file encryption implementation service encrypts the file by means of the general hardware cryptographic engine in the credible performing environment. The file encryption implementation service sends the file to be encrypted and the plaintext of the file key to the hardware cryptographic engine in the credible performing environment, and the hardware cryptographic engine encrypts the file. In a specific implementation, the file encryption implementation service can use the TrustZone customer interface, together with the communication mechanism between the common performing environment and the credible performing environment in kernel space, to make calls between the file encryption implementation service and the hardware cryptographic engine, that is, to provide the communication service between the two. It should be noted that the communication mechanism between the common performing environment and the credible performing environment in kernel space is well known to those skilled in the art and is not described further here. In addition, to strike a balance between system performance and security, the file encryption implementation service can divide the file into multiple data blocks and ask the hardware cryptographic engine to encrypt the data blocks independently. The division into data blocks is the same as described above and is not repeated here.
In step S204, the encrypted metadata is received.
For example, the file encryption implementation service in Fig. 1 receives the metadata encrypted by method 10.
In step S206, the encrypted metadata and the encrypted file are merged and stored as one file.
Combining the encrypted metadata and the encrypted file into one allows the encrypted file to be freely copied and moved.
According to the TrustZone-based file encryption method of the embodiment of the present invention, the file key is encrypted in the credible performing environment, which further enhances the security of file encryption. In addition, performing the encryption in the credible performing environment with a single file as the logical encryption unit further enhances the security of the file.
Fig. 5 is a flowchart of a TrustZone-based file decryption method according to an illustrative embodiment. The decryption method is applicable to the file encryption methods 10 and 20 above. With reference to Fig. 1, the method 30 shown in Fig. 5 includes:
In step S302, a metadata decryption request for a file is received.
For example, the encryption and decryption storage service shown in Fig. 1 receives the metadata decryption request sent by the file encryption implementation service.
The metadata decryption request is, for example, a password establishment call sent via inter-process communication, using an inter-process communication mechanism such as D-Bus or Binder.
The metadata decryption request carries, for example in the form of parameters, the metadata to be decrypted and the class key identification of the file; the metadata includes the file key used to encrypt the file.
In step S304, the stored class key corresponding to the class key identification is looked up.
For example, the encryption and decryption storage service looks up the stored class key corresponding to the class key identification. The encryption and decryption storage service stores the class key corresponding to each class key identification, where each class key is stored as the ciphertext produced by encrypting it with the master key in the credible performing environment.
In certain embodiments, the class key identification corresponds to the application scenario of the application program that calls the database file. The classification of application scenarios is the same as above and is not repeated here.
The key is the primary point of attack on a black-box encryption algorithm, so the security of the key must be ensured both when it is stored and when it is used. Security of storage mainly means that an attacker cannot gain read or write access to the key; security of use mainly concerns the possibility of the key being dynamically attacked in memory. In this method, to strengthen the security of the key, the class key stored in the common performing environment is stored in ciphertext form.
In step S306, a data decryption request is sent to the trusted application in the credible performing environment through the customer interface between the common performing environment and the credible performing environment.
For example, the encryption and decryption storage service sends the data decryption request to the trusted application in the credible performing environment; the data decryption request includes the class key found in step S304 and the metadata to be decrypted.
As shown in Fig. 1, in a specific implementation, the encryption and decryption storage service can use the TrustZone customer interface, together with the communication mechanism between the common performing environment and the credible performing environment in kernel space, to make calls between the encryption and decryption storage service and the trusted application dedicated to encryption and decryption, that is, to provide the communication service between the two. It should be noted that the communication mechanism between the common performing environment and the credible performing environment in kernel space is well known to those skilled in the art and is not described further here.
In step S308, the trusted application decrypts the class key according to the master key pre-stored in the credible performing environment.
Each terminal device has its own independent master key. When the execution context is initialized, the master key is loaded into the TrustZone image file, that is, into the TrustZone context of the credible performing environment. Because the master key is embedded in the credible performing environment and never appears in the common performing environment, the class key cannot be decrypted in the common performing environment, where the master key cannot be obtained; this enhances the security of the application data encrypted with the class key.
In step S310, the trusted application decrypts the metadata to be decrypted according to the decrypted class key.
The data to be decrypted is decrypted using the encryption algorithm that corresponds to the one used in the encryption process above.
In step S312, the trusted application returns the decrypted metadata to the encryption and decryption storage service through the customer interface.
After completing the decryption, the trusted application returns the decrypted metadata to the common performing environment through the customer interface.
Fig. 6 is a flowchart of another TrustZone-based file decryption method according to an illustrative embodiment. As shown in Fig. 6, method 40 includes:
In step S402, an operation request for a file, sent by a client application in the common performing environment, is received.
For example, as shown in Fig. 1, when a client application needs to open the file, it sends the operation request to the file encryption implementation service.
It should be noted that, in a specific implementation, the file encryption implementation service can be implemented inside each application program, that is, inside each caller of the service. It can also be an independent service, which each application program calls through a mechanism such as inter-process communication.
In step S404, a metadata decryption request for the file is sent according to the operation request.
The decryption operation on the metadata in method 30 is then performed.
In certain embodiments, method 40 also includes:
In step S406, the file is decrypted in the credible performing environment according to the file key in the decrypted metadata.
For example, as shown in Fig. 1, the file encryption implementation service decrypts the file by means of the trusted application in the credible performing environment.
The file encryption implementation service sends the file to be decrypted to the trusted application, and the trusted application decrypts the file. In a specific implementation, the file encryption implementation service can use the TrustZone customer interface, together with the communication mechanism between the common performing environment and the credible performing environment in kernel space, to make calls between the file encryption implementation service and the trusted application, that is, to provide the communication service between the two.
As shown in Fig. 1, the trusted application can perform the above data decryption operation by calling the general hardware cryptographic engine in the credible performing environment.
In certain embodiments, when the file to be decrypted consists of multiple encrypted data blocks, the first trusted application decrypts the encrypted data blocks independently according to the file key.
In certain embodiments, as shown in Fig. 4, the file encryption implementation service can also decrypt the file by means of the second trusted application in the credible performing environment. The file encryption implementation service sends the file to be decrypted and the plaintext of the file key to the second trusted application, and the second trusted application decrypts the file. In a specific implementation, the file encryption implementation service can use the TrustZone customer interface, together with the communication mechanism between the common performing environment and the credible performing environment in kernel space, to make calls between the file encryption implementation service and the second trusted application, that is, to provide the communication service between the two.
In certain embodiments, as shown in Fig. 9, the file encryption implementation service decrypts the file by means of the general hardware cryptographic engine in the credible performing environment. The file encryption implementation service sends the file to be decrypted and the plaintext of the file key to the hardware cryptographic engine in the credible performing environment, and the hardware cryptographic engine decrypts the file. In a specific implementation, the file encryption implementation service can use the TrustZone customer interface, together with the communication mechanism between the common performing environment and the credible performing environment in kernel space, to make calls between the file encryption implementation service and the hardware cryptographic engine, that is, to provide the communication service between the two.
In step S408, the decrypted file is returned to the client application.
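The key hierarchy of encryption method 20 and decryption methods 30 and 40 (master key, class key, metadata holding the file key, independently encrypted data blocks, one merged file), as an added Go example that is not code from the patent. The type TEE and the functions WrapClassKey, Metadata, Chunks, EncryptFile and DecryptFile are hypothetical names; the 48-byte metadata layout, the zero padding with a stored length, the limits on N and page size, and the use of AES-256-CBC (one of the listed modes) are assumptions, and the customer interface between the two environments is modelled as plain method calls.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed metadata layout: file key (32) | chunk size (4) | plaintext length (8) | pad (4).
const bs, metaLen = aes.BlockSize, 48

// cbc encrypts (returning IV || ciphertext) or decrypts block-aligned data with AES-CBC.
func cbc(key, in []byte, enc bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(in)%bs != 0 || (!enc && len(in) < bs) {
		return nil, errors.New("bad key or unaligned input")
	}
	if !enc {
		out := make([]byte, len(in)-bs)
		cipher.NewCBCDecrypter(blk, in[:bs]).CryptBlocks(out, in[bs:])
		return out, nil
	}
	out := make([]byte, bs+len(in))
	_, err = rand.Read(out[:bs]) // fresh random IV per call
	cipher.NewCBCEncrypter(blk, out[:bs]).CryptBlocks(out[bs:], in)
	return out, err
}

// TEE models the trusted application; masterKey never leaves this type.
type TEE struct{ masterKey []byte }

// WrapClassKey returns the class-key ciphertext that the common environment stores.
func (t *TEE) WrapClassKey(k []byte) ([]byte, error) { return cbc(t.masterKey, k, true) }

// Metadata unwraps the class key with the master key, then encrypts or decrypts data.
func (t *TEE) Metadata(wrapped, data []byte, enc bool) ([]byte, error) {
	classKey, err := cbc(t.masterKey, wrapped, false)
	if err != nil {
		return nil, err
	}
	return cbc(classKey, data, enc)
}

// Chunks handles body in pieces of n bytes, each independent and with its own IV.
func (t *TEE) Chunks(fileKey, body []byte, n int, enc bool) ([]byte, error) {
	var out []byte
	for buf := bytes.NewBuffer(body); buf.Len() > 0; {
		c, err := cbc(fileKey, buf.Next(n), enc)
		if err != nil {
			return nil, err
		}
		out = append(out, c...)
	}
	return out, nil
}

// EncryptFile (common environment) builds metadata and merges the TEE's outputs into one file.
func EncryptFile(t *TEE, wrapped, plain []byte, pageSize, n int) ([]byte, error) {
	meta := make([]byte, metaLen)
	if _, err := rand.Read(meta[:32]); err != nil || n < 2 || n > 8 || pageSize < bs || pageSize > 1<<16 {
		return nil, errors.New("no randomness, or N / page size out of range")
	}
	binary.BigEndian.PutUint32(meta[32:], uint32(pageSize<<n)) // block = page size x 2^N
	binary.BigEndian.PutUint64(meta[36:], uint64(len(plain)))
	padded := append(append([]byte{}, plain...), make([]byte, (bs-len(plain)%bs)%bs)...)
	body, err1 := t.Chunks(meta[:32], padded, pageSize<<n, true)
	encMeta, err2 := t.Metadata(wrapped, meta, true)
	if err1 != nil || err2 != nil {
		return nil, errors.New("TEE call failed")
	}
	return append(encMeta, body...), nil
}

// DecryptFile has the TEE decrypt the metadata, then the chunks with the file key.
func DecryptFile(t *TEE, wrapped, c []byte) ([]byte, error) {
	if len(c) < bs+metaLen {
		return nil, errors.New("container too short")
	}
	meta, err := t.Metadata(wrapped, c[:bs+metaLen], false)
	if err != nil {
		return nil, err
	}
	size, n := binary.BigEndian.Uint64(meta[36:]), int(binary.BigEndian.Uint32(meta[32:]))
	plain, err := t.Chunks(meta[:32], c[bs+metaLen:], bs+n, false)
	if err != nil || size > uint64(len(plain)) {
		return nil, errors.New("metadata does not match file body")
	}
	return plain[:size], nil
}

func main() {
	t := &TEE{masterKey: make([]byte, 32)} // constructed all-zero demo key
	w, _ := t.WrapClassKey([]byte("constructed-class-key-32-bytes!!"))
	c, _ := EncryptFile(t, w, []byte("constructed sample file"), 4096, 2)
	p, err := DecryptFile(t, w, c)
	fmt.Printf("%d-byte container -> %q, err=%v\n", len(c), p, err)
}
```

CBC, like the OFB and CFB modes the description lists, provides confidentiality only, so modification of the stored container is not reliably detected unless an integrity check is added.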
Those skilled in the art will appreciate that all or part of the steps of the above embodiments can be implemented as a computer program executed by a CPU. When the computer program is executed by the CPU, the functions defined by the above methods provided by the present invention are performed. The program can be stored in a computer-readable storage medium, which can be a read-only memory, a magnetic disk, an optical disc, or the like.
Further, it should be noted that the above drawings are only schematic illustrations of the processing included in the methods according to exemplary embodiments of the invention, and are not intended to be limiting. It is easy to understand that the processing shown in the drawings does not indicate or limit the temporal order of these processes. It is also easy to understand that these processes can be performed, for example, synchronously or asynchronously in multiple modules.
The following are device embodiments of the present invention, which can be used to perform the method embodiments of the present invention. For details not disclosed in the device embodiments, refer to the method embodiments of the present invention.
Fig. 7 is a block diagram of a TrustZone-based file encryption device according to an illustrative embodiment. As shown in Fig. 7, device 50 includes: an encryption request receiving module 502, a first class key acquisition module 504, an encryption request module 506, a first class key decryption module 508, an encryption execution module 510 and an encrypted data return module 512.
The encryption request receiving module 502 is used to receive a metadata encryption request for a file; the metadata encryption request includes the metadata and the class key identification of the file, and the metadata includes the file key used to encrypt the file.
The first class key acquisition module 504 is used to look up the stored class key corresponding to the class key identification.
In certain embodiments, the class key identification corresponds to an application scenario. The application scenarios include: accessible after the terminal device has started successfully; accessible after the terminal device has started successfully and after a legitimate login; accessible after the terminal device has started successfully, a legitimate login has occurred and the user interface has been unlocked; and write-only when the terminal device has started successfully, a legitimate login has occurred and the user interface is locked.
The encryption request module 506 is used to send a data encryption request to the trusted application in the credible performing environment through the customer interface between the common performing environment and the credible performing environment; the data encryption request includes the class key and the metadata.
The first class key decryption module 508 is used to have the trusted application decrypt the class key according to the master key pre-stored in the credible performing environment.
The encryption execution module 510 is used to have the trusted application encrypt the metadata according to the decrypted class key.
The encrypted data return module 512 is used to have the trusted application return the encrypted metadata through the customer interface to the common performing environment, where it is stored.
In certain embodiments, device 50 also includes: a file encryption module 514, a metadata receiving module 516 and a merging storage module 518. The file encryption module 514 is used to encrypt the file in the credible performing environment according to the file key. The metadata receiving module 516 is used to receive the encrypted metadata. The merging storage module 518 is used to merge the encrypted metadata and the encrypted file and store them as one file.
In certain embodiments, the file encryption module 514 includes: a data block division submodule 5142 and a data block encryption submodule 5144. The data block division submodule 5142 is used to divide the file into multiple data blocks. The data block encryption submodule 5144 is used to encrypt the multiple data blocks independently.
According to the TrustZone-based file encryption method of the embodiment of the present invention, the metadata containing the file key is encrypted in the credible performing environment and only the ciphertext of the file key is stored in the common performing environment, which ensures that the file key used to encrypt the file is secure both in storage and in use.
Fig. 8 is a block diagram of a TrustZone-based file decryption device according to an illustrative embodiment. The decryption device is applicable to the encryption device 50 above. As shown in Fig. 8, the decryption device 60 includes: a decryption request receiving module 602, a second class key acquisition module 604, a decryption request module 606, a second class key decryption module 608, a decryption execution module 610 and a decrypted data return module 612.
The decryption request receiving module 602 is used to receive a metadata decryption request for a file; the metadata decryption request includes the metadata to be decrypted and the class key identification of the file, and the metadata includes the file key used to encrypt the file.
The second class key acquisition module 604 is used to look up the stored class key corresponding to the class key identification.
The decryption request module 606 is used to send a data decryption request to the trusted application in the credible performing environment through the customer interface between the common performing environment and the credible performing environment; the data decryption request includes the class key and the metadata to be decrypted.
The second class key decryption module 608 is used to have the trusted application decrypt the class key according to the master key pre-stored in the credible performing environment.
The decryption execution module 610 is used to have the trusted application decrypt the metadata according to the decrypted class key.
The decrypted data return module 612 is used to have the trusted application return the decrypted metadata to the common performing environment through the customer interface.
In certain embodiments, device 60 also includes: an operation request receiving module 614 and a decryption request sending module 616. The operation request receiving module 614 is used to receive an operation request for the file sent by a client application in the common performing environment. The decryption request sending module 616 is used to send the metadata decryption request for the file according to the operation request.
In certain embodiments, device 60 also includes: a file decryption module 618 and a decrypted file return module 620. The file decryption module 618 is used to decrypt the file in the credible performing environment according to the file key in the decrypted metadata. The decrypted file return module 620 is used to return the decrypted file to the client application.
In certain embodiments, the file decryption module 618 includes a data block decryption submodule 6182, which is used to independently decrypt the multiple encrypted data blocks into which the file is divided.
It should be noted that the blocks shown in the above drawings are functional entities and do not necessarily correspond to physically or logically independent entities. These functional entities can be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
From the above description of the embodiments, those skilled in the art will readily understand that the example embodiments described herein can be implemented in software, or in software combined with the necessary hardware. Therefore, the technical solution according to the embodiments of the present invention can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash drive, a removable hard disk, etc.) or on a network, and which includes a number of instructions that cause a computing device (which can be a personal computer, a server, a mobile terminal, a network device, etc.) to perform the method according to the embodiments of the present invention.
The illustrative embodiments of the present invention have been particularly shown and described above. It should be understood that the present invention is not limited to the detailed structures, arrangements or implementation methods described herein; on the contrary, the invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (13)

1. A TrustZone-based file encryption method, characterized by comprising:
receiving a metadata encryption request for a file, the metadata encryption request including the metadata and the class key identification of the file, the metadata including the file key used to encrypt the file;
looking up the stored class key corresponding to the class key identification;
sending, through the customer interface between the common performing environment and the credible performing environment, a data encryption request to the trusted application in the credible performing environment, the data encryption request including the class key and the metadata;
decrypting, by the trusted application, the class key according to the master key pre-stored in the credible performing environment;
encrypting, by the trusted application, the metadata according to the decrypted class key; and
returning, by the trusted application through the customer interface, the encrypted metadata to the common performing environment for storage.
2. The method according to claim 1, characterized in that the class key identification corresponds to an application scenario; the application scenarios include: accessible after the terminal device has started successfully; accessible after the terminal device has started successfully and after a legitimate login; accessible after the terminal device has started successfully, a legitimate login has occurred and the user interface has been unlocked; and write-only when the terminal device has started successfully, a legitimate login has occurred and the user interface is locked.
3. The method according to claim 2, characterized by further comprising:
encrypting the file in the credible performing environment according to the file key;
receiving the encrypted metadata; and
merging the encrypted metadata and the encrypted file and storing them as one file.
4. The method according to claim 3, characterized in that encrypting the file in the credible performing environment according to the file key comprises:
dividing the file into multiple data blocks; and
encrypting the multiple data blocks independently.
5. The method according to claim 4, characterized in that the size of the data block is equal to the size of an operating system kernel memory page multiplied by 2 to the power N, where N is a positive integer greater than or equal to 2.
6. A TrustZone-based file decryption method applicable to the encryption method according to any one of claims 1-5, characterized by comprising:
receiving a metadata decryption request for a file, the metadata decryption request including the metadata to be decrypted and the class key identification of the file, the metadata including the file key used to encrypt the file;
looking up the stored class key corresponding to the class key identification;
sending, through the customer interface between the common performing environment and the credible performing environment, a data decryption request to the trusted application in the credible performing environment, the data decryption request including the class key and the metadata to be decrypted;
decrypting, by the trusted application, the class key according to the master key pre-stored in the credible performing environment;
decrypting, by the trusted application, the metadata according to the decrypted class key; and
returning, by the trusted application through the customer interface, the decrypted metadata to the common performing environment.
7. The method according to claim 6, characterized by further comprising:
receiving an operation request for the file sent by a client application in the common performing environment; and
sending the metadata decryption request for the file according to the operation request.
8. The method according to claim 7, characterized by further comprising:
decrypting the file in the credible performing environment according to the file key in the decrypted metadata; and
returning the decrypted file to the client application.
9. The method according to claim 8, characterized in that decrypting the file in the credible performing environment according to the file key in the decrypted metadata comprises:
independently decrypting the multiple encrypted data blocks into which the file is divided.
10. A TrustZone-based file encryption device, characterized by comprising:
an encryption request receiving module, for receiving a metadata encryption request for a file, the metadata encryption request including the metadata and the class key identification of the file, the metadata including the file key used to encrypt the file;
a first class key acquisition module, for looking up the stored class key corresponding to the class key identification;
an encryption request module, for sending, through the customer interface between the common performing environment and the credible performing environment, a data encryption request to the trusted application in the credible performing environment, the data encryption request including the class key and the metadata;
a first class key decryption module, for having the trusted application decrypt the class key according to the master key pre-stored in the credible performing environment;
an encryption execution module, for having the trusted application encrypt the metadata according to the decrypted class key; and
an encrypted data return module, for having the trusted application return the encrypted metadata through the customer interface to the common performing environment for storage.
11. A TrustZone-based file decryption device applicable to the encryption device according to claim 10, characterized by comprising:
a decryption request receiving module, for receiving a metadata decryption request for a file, the metadata decryption request including the metadata to be decrypted and the class key identification of the file, the metadata including the file key used to encrypt the file;
a second class key acquisition module, for looking up the stored class key corresponding to the class key identification;
a decryption request module, for sending, through the customer interface between the common performing environment and the credible performing environment, a data decryption request to the trusted application in the credible performing environment, the data decryption request including the class key and the metadata to be decrypted;
a second class key decryption module, for having the trusted application decrypt the class key according to the master key pre-stored in the credible performing environment;
a decryption execution module, for having the trusted application decrypt the metadata according to the decrypted class key; and
a decrypted data return module, for having the trusted application return the decrypted metadata through the customer interface to the common performing environment.
12. A terminal device, characterized by comprising:
a processor; and
a memory, for storing instructions executable by the processor;
wherein the processor is configured to perform, by executing the executable instructions, the method according to any one of claims 1-5.
13. A terminal device, characterized by comprising:
a processor; and
a memory, for storing instructions executable by the processor;
wherein the processor is configured to perform, by executing the executable instructions, the method according to any one of claims 6-9.
CN201710214710.8A 2017-04-01 2017-04-01 TrustZone-based file encryption and decryption method and device and terminal equipment Active CN106980794B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710214710.8A CN106980794B (en) 2017-04-01 2017-04-01 TrustZone-based file encryption and decryption method and device and terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710214710.8A CN106980794B (en) 2017-04-01 2017-04-01 TrustZone-based file encryption and decryption method and device and terminal equipment

Publications (2)

Publication Number Publication Date
CN106980794A true CN106980794A (en) 2017-07-25
CN106980794B CN106980794B (en) 2020-03-17

Family

ID=59344433

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710214710.8A Active CN106980794B (en) 2017-04-01 2017-04-01 TrustZone-based file encryption and decryption method and device and terminal equipment

Country Status (1)

Country Link
CN (1) CN106980794B (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107609412A (en) * 2017-09-19 2018-01-19 山东大学 A kind of method for realizing that mobile terminal safety stores under mobile Internet based on TrustZone technologies
CN109684126A (en) * 2018-12-25 2019-04-26 贵州华芯通半导体技术有限公司 For the Memory Checkout method of ARM equipment and the ARM equipment of execution Memory Checkout
CN109905233A (en) * 2017-12-08 2019-06-18 阿里巴巴集团控股有限公司 A kind of device data processing method and system
CN110324138A (en) * 2018-03-29 2019-10-11 阿里巴巴集团控股有限公司 Data encryption, decryption method and device
CN110443078A (en) * 2019-07-19 2019-11-12 南京芯驰半导体科技有限公司 A kind of safe storage system based on privilege classification
CN110543764A (en) * 2019-09-11 2019-12-06 天津飞腾信息技术有限公司 System-on-chip memory protection method, password acceleration engine and memory protection device
CN111400726A (en) * 2019-01-03 2020-07-10 阿里巴巴集团控股有限公司 Data processing method, device, equipment and machine readable medium
CN111566989A (en) * 2018-06-14 2020-08-21 华为技术有限公司 Key processing method and device
CN111917540A (en) * 2020-08-07 2020-11-10 广州市百果园信息技术有限公司 Data encryption and decryption method and device, mobile terminal and storage medium
CN112446042A (en) * 2020-12-14 2021-03-05 中国科学院信息工程研究所 Encryption method and device, decryption method and device, mobile terminal and storage medium
CN112596802A (en) * 2019-09-17 2021-04-02 华为技术有限公司 Information processing method and device
US11049099B2 (en) 2018-11-30 2021-06-29 Advanced New Technologies Co., Ltd. Methods for implementing privacy protection in blockchain
WO2021164166A1 (en) * 2020-02-20 2021-08-26 苏州浪潮智能科技有限公司 Service data protection method, apparatus and device, and readable storage medium
CN113612746A (en) * 2021-07-26 2021-11-05 建信金融科技有限责任公司 Sensitive information storage method and system based on Android system
CN113672955A (en) * 2021-08-19 2021-11-19 支付宝(杭州)信息技术有限公司 Data processing method, system and device
CN113821821A (en) * 2021-11-24 2021-12-21 飞腾信息技术有限公司 Security architecture system, cryptographic operation method of security architecture system and computing device
CN115186300A (en) * 2022-09-08 2022-10-14 粤港澳大湾区数字经济研究院(福田) File security processing system and file security processing method
CN115242415A (en) * 2021-04-23 2022-10-25 伊姆西Ip控股有限责任公司 Data encryption method implemented at edge switch, electronic device, and program product

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105187204A (en) * 2015-09-29 2015-12-23 北京元心科技有限公司 Encryption method and decryption method for file, and encryption and decryption system
CN105260663A (en) * 2015-09-15 2016-01-20 中国科学院信息工程研究所 Secure storage service system and method based on TrustZone technology
CN105812332A (en) * 2014-12-31 2016-07-27 北京握奇智能科技有限公司 Data protection method
CN106464485A (en) * 2014-02-11 2017-02-22 爱立信股份有限公司 System and method for securing content keys delivered in manifest files

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107609412A (en) * 2017-09-19 2018-01-19 山东大学 A kind of method for realizing that mobile terminal safety stores under mobile Internet based on TrustZone technologies
CN109905233B (en) * 2017-12-08 2022-07-29 阿里巴巴集团控股有限公司 Equipment data processing method and system
CN109905233A (en) * 2017-12-08 2019-06-18 阿里巴巴集团控股有限公司 A kind of device data processing method and system
CN110324138A (en) * 2018-03-29 2019-10-11 阿里巴巴集团控股有限公司 Data encryption, decryption method and device
CN111566989A (en) * 2018-06-14 2020-08-21 华为技术有限公司 Key processing method and device
US11405202B2 (en) 2018-06-14 2022-08-02 Huawei Technologies Co., Ltd. Key processing method and apparatus
US11049099B2 (en) 2018-11-30 2021-06-29 Advanced New Technologies Co., Ltd. Methods for implementing privacy protection in blockchain
CN109684126B (en) * 2018-12-25 2022-05-03 贵州华芯通半导体技术有限公司 Memory verification method for ARM equipment and ARM equipment for executing memory verification
CN109684126A (en) * 2018-12-25 2019-04-26 贵州华芯通半导体技术有限公司 For the Memory Checkout method of ARM equipment and the ARM equipment of execution Memory Checkout
CN111400726A (en) * 2019-01-03 2020-07-10 阿里巴巴集团控股有限公司 Data processing method, device, equipment and machine readable medium
CN111400726B (en) * 2019-01-03 2024-04-09 斑马智行网络(香港)有限公司 Data processing method, device, equipment and machine-readable medium
CN110443078A (en) * 2019-07-19 2019-11-12 南京芯驰半导体科技有限公司 A kind of safe storage system based on privilege classification
CN110443078B (en) * 2019-07-19 2021-05-28 南京芯驰半导体科技有限公司 Security storage system based on privilege hierarchy
CN110543764B (en) * 2019-09-11 2021-07-23 飞腾信息技术有限公司 System-on-chip memory protection method, password acceleration engine and memory protection device
CN110543764A (en) * 2019-09-11 2019-12-06 天津飞腾信息技术有限公司 System-on-chip memory protection method, password acceleration engine and memory protection device
CN112596802B (en) * 2019-09-17 2022-07-12 华为技术有限公司 Information processing method and device
CN112596802A (en) * 2019-09-17 2021-04-02 华为技术有限公司 Information processing method and device
WO2021164166A1 (en) * 2020-02-20 2021-08-26 苏州浪潮智能科技有限公司 Service data protection method, apparatus and device, and readable storage medium
CN111917540A (en) * 2020-08-07 2020-11-10 广州市百果园信息技术有限公司 Data encryption and decryption method and device, mobile terminal and storage medium
CN112446042A (en) * 2020-12-14 2021-03-05 中国科学院信息工程研究所 Encryption method and device, decryption method and device, mobile terminal and storage medium
CN115242415A (en) * 2021-04-23 2022-10-25 伊姆西Ip控股有限责任公司 Data encryption method implemented at edge switch, electronic device, and program product
US11936635B2 (en) 2021-04-23 2024-03-19 EMC IP Holding Company LLC Method, electronic device, and program product implemented at an edge switch for data encryption
CN113612746A (en) * 2021-07-26 2021-11-05 建信金融科技有限责任公司 Sensitive information storage method and system based on Android system
CN113672955A (en) * 2021-08-19 2021-11-19 支付宝(杭州)信息技术有限公司 Data processing method, system and device
CN113672955B (en) * 2021-08-19 2024-04-19 支付宝(杭州)信息技术有限公司 Data processing method, system and device
CN113821821A (en) * 2021-11-24 2021-12-21 飞腾信息技术有限公司 Security architecture system, cryptographic operation method of security architecture system and computing device
CN113821821B (en) * 2021-11-24 2022-02-15 飞腾信息技术有限公司 Security architecture system, cryptographic operation method of security architecture system and computing device
CN115186300A (en) * 2022-09-08 2022-10-14 粤港澳大湾区数字经济研究院(福田) File security processing system and file security processing method

Also Published As

Publication number Publication date
CN106980794B (en) 2020-03-17

Similar Documents

Publication Publication Date Title
CN106980794A (en) TrustZone-based file encryption and decryption method and device and terminal equipment
CN111191286B (en) HyperLegger Fabric block chain private data storage and access system and method thereof
US7587608B2 (en) Method and apparatus for storing data on the application layer in mobile devices
US10341091B2 (en) Secure memory storage
CN106997439A (en) TrustZone-based data encryption and decryption method and device and terminal equipment
US11290446B2 (en) Access to data stored in a cloud
CN106992851A (en) TrustZone-based database file password encryption and decryption method and device and terminal equipment
JP4876169B2 (en) Method, system, and computer program for securely storing data
CN106980793A (en) TrustZone-based universal password storage and reading method, device and terminal equipment
US11626976B2 (en) Information processing system, information processing device, information processing method and information processing program
CN104618096A (en) Method and device for protecting secret key authorized data, and TPM (trusted platform module) secrete key management center
CN108768963A (en) The communication means and system of trusted application and safety element
CN103378971A (en) Data encryption system and method
WO2021218278A1 (en) Method for processing data, and computing device
Dey et al. Message digest as authentication entity for mobile cloud computing
US11288381B2 (en) Calculation device, calculation method, calculation program and calculation system
CN116436682A (en) Data processing method, device and system
CN112822010B (en) Removable storage medium management method based on quantum key and block chain
CN111008400A (en) Data processing method, device and system
CN102752112A (en) Authority control method and device based on signed message 1 (SM1)/SM2 algorithm
Xu et al. Virtualization of the encryption card for trust access in cloud computing
CN102270182A (en) Encrypted mobile storage equipment based on synchronous user and host machine authentication
EP3193274B1 (en) Secure memory storage
EP2827276B1 (en) Secure data processing
CN117118613B (en) Whole vehicle instrument data security protection method, equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210204

Address after: 101300 room 153, 1 / F, building 17, 16 Caixiang East Road, Nancai Town, Shunyi District, Beijing

Patentee after: Yuanxin Information Technology Group Co.,Ltd.

Address before: 100176 room 2222, building D, building 33, 99 Kechuang 14th Street, Beijing Economic and Technological Development Zone, Beijing

Patentee before: BEIJING YUANXIN SCIENCE & TECHNOLOGY Co.,Ltd.

EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20170725

Assignee: Beijing Yuanxin Junsheng Technology Co.,Ltd.

Assignor: Yuanxin Information Technology Group Co.,Ltd.

Contract record no.: X2021110000018

Denomination of invention: File encryption and decryption method, device and terminal device based on TrustZone

Granted publication date: 20200317

License type: Common License

Record date: 20210531
