CN110837662A - Honeypot module for cryptographic algorithm IP core - Google Patents


Info

Publication number
CN110837662A
Authority
CN
China
Prior art keywords
module
interface
core
cryptographic algorithm
data
Prior art date
Legal status
Granted
Application number
CN201911131144.XA
Other languages
Chinese (zh)
Other versions
CN110837662B (en)
Inventor
付彦淇
何全
曾永红
王晖
周津
Current Assignee
Tianjin Jinhang Computing Technology Research Institute
Original Assignee
Tianjin Jinhang Computing Technology Research Institute
Priority date
Filing date
Publication date
Application filed by Tianjin Jinhang Computing Technology Research Institute
Priority to CN201911131144.XA
Publication of CN110837662A
Application granted
Publication of CN110837662B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/75 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
    • G06F21/755 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of digital chip design, and in particular relates to a honeypot module for a cryptographic algorithm IP core. The honeypot module detects, while the cryptographic algorithm IP core is in use, whether the core is currently under attack, and returns scrambled data when it is attacked, thereby enhancing the security of the cryptographic algorithm IP core. The beneficial effect of the invention is that when the cryptographic algorithm IP core is attacked, sensitive data such as keys are protected and are not easily stolen, thereby enhancing the security of the cryptographic algorithm IP core.

Description

Honeypot module for cryptographic algorithm IP core
Technical Field
The invention belongs to the technical field of digital chip design, and particularly relates to a honeypot module for a cryptographic algorithm IP core.
Background
The cryptographic algorithm IP core is the core functional component of an information security chip and provides security functions such as key generation, data encryption and identity authentication. However, as a slave device in the chip architecture, the cryptographic algorithm IP core usually has no active protection function, so once the information system is compromised, the core can only passively respond to an attacker's operation requests, and keys and sensitive data are leaked.
Disclosure of Invention
(I) Technical problem to be solved
The technical problem to be solved by the invention is: how to provide a technical scheme, applied to a cryptographic algorithm IP core, that protects sensitive data from being stolen when the cryptographic algorithm IP core is attacked.
(II) technical scheme
To solve the above technical problem, the present invention provides a honeypot module for a cryptographic algorithm IP core. The cryptographic algorithm IP core to which the honeypot module is applied includes an interface module and an algorithm module;
the honeypot module includes a request filtering unit, an address filtering unit, a control unit and a data protection unit, which work together to protect the cryptographic algorithm IP core;
the request filtering unit receives the interface request information from the interface module, judges whether the current interface request information is legal, generates an interface request judgment result and outputs it to the control unit, and at the same time forwards the interface request information from the interface module to the algorithm module;
the address filtering unit receives the interface address information of the request from the interface module, judges whether the current interface address information is legal, generates an interface address judgment result and outputs it to the control unit, and at the same time forwards the interface address information from the interface module to the algorithm module;
the control unit receives the interface request judgment result and, if the request is illegal, sends a trigger instruction for starting protection to the data protection unit;
the control unit also receives the interface address judgment result; if the address is illegal, it judges whether the cryptographic algorithm IP core is currently in debug mode, and if the core is not in debug mode, it sends a trigger instruction for starting protection to the data protection unit;
and the data protection unit, after receiving a trigger instruction for starting protection, calls its internal random number generation unit to generate a random number and scrambles the data content in the data output from the algorithm module.
The interface module receives a data read or write request from the outside, generates interface request information and sends it to the request filtering unit. The request filtering unit judges whether the transmission type, data bit width, burst type and protection type of the interface request information are types supported by the cryptographic algorithm IP core, and generates the interface request judgment result accordingly.
The address filtering unit judges whether the requested interface address information is legal. Illegal types are defined as address changes that occur under abnormal use, including out-of-bounds access addresses, unauthorized register addresses and consecutive accesses to adjacent addresses.
The debug mode of the cryptographic algorithm IP core is used only for chip factory testing and cannot be configured by ordinary users.
The random number generated by the data protection unit is replaced each time data is output.
The data protection unit outputs unmodified the status content, unrelated to data security, in the data output of the algorithm module.
The status content comprises status information including state machine information, error information, busy information and interrupt information of the algorithm.
After receiving a trigger instruction for starting protection, the data protection unit also records the protection-on state in its internal non-volatile storage device, and this state can be cleared only through debug mode.
The data content in the data output from the algorithm module comprises operation information including a key, an encryption result and a decryption result.
The interface module is the part of the cryptographic algorithm IP core connected to the outside and is used for data interaction with the outside; the algorithm module is the part of the cryptographic algorithm IP core that performs its computational functions and implements the logic functions of key generation, data encryption and identity authentication.
(III) advantageous effects
Compared with the prior art, the invention provides a honeypot module applied to a cryptographic algorithm IP core. The module detects, while the cryptographic algorithm IP core is in use, whether the core is currently under attack and returns scrambled data when it is attacked, thereby enhancing the security of the cryptographic algorithm IP core. The beneficial effect of the invention is that when the cryptographic algorithm IP core is attacked, sensitive data such as keys are protected and are not easily stolen, thereby enhancing the security of the cryptographic algorithm IP core.
Drawings
Fig. 1 is a block diagram showing the overall structure of the present invention.
Detailed Description
In order to make the objects, contents, and advantages of the present invention clearer, the following detailed description of the embodiments of the present invention will be made in conjunction with the accompanying drawings and examples.
To solve the problems of the prior art, the invention provides a honeypot module for a cryptographic algorithm IP core. Honeypot technology is a technique for deceiving an attacker: when the honeypot module detects an attack it returns false information, confusing the attacker and thereby protecting the real data.
The cryptographic algorithm IP core to which the honeypot module is applied comprises an interface module and an algorithm module;
as shown in Fig. 1, the honeypot module includes a request filtering unit, an address filtering unit, a control unit and a data protection unit, which work together to protect the cryptographic algorithm IP core;
the request filtering unit receives the interface request information from the interface module, judges whether the current interface request information is legal, generates an interface request judgment result and outputs it to the control unit, and at the same time forwards the interface request information from the interface module to the algorithm module;
the address filtering unit receives the interface address information of the request from the interface module, judges whether the current interface address information is legal, generates an interface address judgment result and outputs it to the control unit, and at the same time forwards the interface address information from the interface module to the algorithm module;
the control unit receives the interface request judgment result and, if the request is illegal, sends a trigger instruction for starting protection to the data protection unit;
the control unit also receives the interface address judgment result; if the address is illegal, it judges whether the cryptographic algorithm IP core is currently in debug mode, and if the core is not in debug mode, it sends a trigger instruction for starting protection to the data protection unit;
and the data protection unit, after receiving a trigger instruction for starting protection, calls its internal random number generation unit to generate a random number and scrambles the data content in the data output from the algorithm module.
The interface module receives a data read or write request from the outside, generates interface request information and sends it to the request filtering unit. The request filtering unit judges whether the transmission type, data bit width, burst type and protection type of the interface request information are types supported by the cryptographic algorithm IP core, and generates the interface request judgment result accordingly.
The address filtering unit judges whether the requested interface address information is legal. Illegal types are defined as address changes that occur under abnormal use, including out-of-bounds access addresses, unauthorized register addresses and consecutive accesses to adjacent addresses.
The debug mode of the cryptographic algorithm IP core is used only for chip factory testing and cannot be configured by ordinary users.
The random number generated by the data protection unit is replaced each time data is output.
The data protection unit outputs unmodified the status content, unrelated to data security, in the data output of the algorithm module.
The status content comprises status information including state machine information, error information, busy information and interrupt information of the algorithm.
After receiving a trigger instruction for starting protection, the data protection unit also records the protection-on state in its internal non-volatile storage device, and this state can be cleared only through debug mode. If the implementation process of the cryptographic algorithm IP core does not support an internal non-volatile storage device, the state can be recorded using the chip's non-volatile storage device or key storage space.
The data content in the data output from the algorithm module comprises operation information including a key, an encryption result and a decryption result.
The interface module is the part of the cryptographic algorithm IP core connected to the outside and is used for data interaction with the outside; the algorithm module is the part of the cryptographic algorithm IP core that performs its computational functions and implements the logic functions of key generation, data encryption and identity authentication. The interface module and the algorithm module are functional modules of the cryptographic algorithm IP core itself and are not part of the design provided by the invention; if the cryptographic algorithm IP core has no honeypot module, the interface module and the algorithm module are directly interconnected. The interface request, interface address, interface write data and interface read data in the interface module, and the data input, data processing and data output parts in the algorithm module, represent only the related functions used in interconnection with the honeypot module.
Example 1
The working principle and the working flow of the honeypot module for the cryptographic algorithm IP core are as follows:
Step 1: the interface module receives an external data read or write request. The request filtering unit of the honeypot module judges whether the request's control information, such as the transmission type, data bit width, burst type and protection type, is of a type supported by the cryptographic algorithm IP core, sends the judgment result to the control unit, and at the same time sends the original interface request to the algorithm module;
Step 2: the address filtering unit of the honeypot module judges whether the requested address information is legal. Illegal types are defined as address changes that occur under abnormal use, such as out-of-bounds access addresses, unauthorized register addresses and consecutive accesses to adjacent addresses. The unit sends the judgment result to the control unit and at the same time sends the original interface address to the algorithm module;
Step 3: the control unit of the honeypot module receives the judgment result of the request filtering unit and, if the request is illegal, sends a start-protection result to the data protection unit. It also receives the judgment result of the address filtering unit; if the address is illegal, it judges whether the cryptographic algorithm IP core is currently in debug mode (debug mode is used only for chip factory testing and cannot be configured by ordinary users), and if the core is not in debug mode, it sends a start-protection result to the data protection unit;
Step 4: the data protection unit of the honeypot module judges whether it is in the protection-on state. When it is in the protection-on state, or when it receives start-protection information from the control unit, it calls its internal random number generation function to generate a random number and scrambles the data content in the data output of the algorithm module (the data content comprises operation information such as a key, an encryption result and a decryption result); the random number is replaced on each data output. The status content unrelated to data security in the data output of the algorithm module is output unmodified (the status content comprises state machine information, error information, busy information, interrupt information and other status information of the algorithm).
Step 5: once the honeypot module detects an illegal attack, it records the protection-on state in the non-volatile storage device inside the data protection unit, and this state can be cleared only through debug mode. (If the implementation process of the cryptographic algorithm IP core does not support an internal non-volatile storage device, the state can be recorded using the chip's non-volatile storage device or key storage space.)
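The workflow of steps 1 to 5 as a behavioural model in C. This is an added example, not code from the patent: the register map, the bus field encodings, the adjacent-access threshold SEQ_LIMIT, the sample words and the xorshift generator standing in for the hardware random number generation unit are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical register map and bus encodings; none are from the patent. */
#define REG_STATUS   0x04u  /* status content: output unmodified */
#define REG_DATA     0x08u  /* operation result: data content */
#define REG_KEY      0x0Cu  /* key register: reads are unauthorized */
#define REG_LIMIT    0x10u  /* first address outside the core */
#define TRANS_READ   0u
#define TRANS_WRITE  1u
#define BURST_SINGLE 0u
#define PROT_PRIV    1u
#define WIDTH_BYTES  4u
#define SEQ_LIMIT    3u     /* assumed threshold for adjacent-address sweeps */
/* Constructed sample values returned by the stubbed algorithm module. */
#define STATUS_WORD  0x00000001u
#define RESULT_WORD  0xC0FFEE01u
#define KEY_WORD     0x5EC2E7A5u

typedef struct { uint32_t addr; uint8_t trans, size, burst, prot; } bus_req_t;
typedef struct {
    bool     debug_mode, nv_protect; /* nv_protect models the non-volatile record */
    uint32_t last_addr;              /* previous address, for sweep detection */
    unsigned seq_count;
    uint32_t rng;                    /* xorshift32 state, stand-in for the RNG */
} honeypot_t;

honeypot_t honeypot_init(uint32_t seed, bool debug_mode) {
    honeypot_t h = { debug_mode, false, 0xFFFFFFFFu, 0u, seed ? seed : 1u };
    return h;
}

/* Request filtering unit: all four control fields must be supported types. */
static bool request_legal(const bus_req_t *r) {
    return r->trans <= TRANS_WRITE && r->size == WIDTH_BYTES &&
           r->burst == BURST_SINGLE && r->prot == PROT_PRIV;
}

/* Address filtering unit: out of bounds, unauthorized register, adjacent sweep. */
static bool address_legal(honeypot_t *h, const bus_req_t *r) {
    bool ok = r->addr < REG_LIMIT &&
              !(r->addr == REG_KEY && r->trans == TRANS_READ);
    h->seq_count = (r->addr == h->last_addr + 4u) ? h->seq_count + 1u : 0u;
    h->last_addr = r->addr;
    return ok && h->seq_count < SEQ_LIMIT;
}

/* Stub for the algorithm module's data output (not part of the invention). */
static uint32_t algo_output(uint32_t addr) {
    return addr == REG_STATUS ? STATUS_WORD : addr == REG_DATA ? RESULT_WORD :
           addr == REG_KEY ? KEY_WORD : 0u;
}

/* xorshift32: never returns 0 for a nonzero state, so XOR always changes data. */
static uint32_t rng_next(honeypot_t *h) {
    h->rng ^= h->rng << 13; h->rng ^= h->rng >> 17; h->rng ^= h->rng << 5;
    return h->rng;
}

/* One bus access through the honeypot: returns what the bus master reads. */
uint32_t honeypot_access(honeypot_t *h, const bus_req_t *r) {
    bool req_ok  = request_legal(r);      /* step 1 */
    bool addr_ok = address_legal(h, r);   /* step 2 */
    /* Step 3, control unit: an illegal request always triggers; an illegal
       address triggers only outside debug mode. Step 5: the state is latched. */
    if (!req_ok || (!addr_ok && !h->debug_mode)) h->nv_protect = true;
    uint32_t out = algo_output(r->addr);  /* the request is still forwarded */
    /* Step 4, data protection unit: scramble data content with a fresh random
       number per output; status content passes through unmodified. */
    if (h->nv_protect && r->addr != REG_STATUS) out ^= rng_next(h);
    return out;
}

/* The latched protection state can be cleared only in debug mode. */
bool honeypot_clear(honeypot_t *h) {
    if (h->debug_mode) h->nv_protect = false;
    return h->debug_mode;
}

int main(void) {
    honeypot_t h = honeypot_init(0x1234567u, false);
    bus_req_t rd_data = { REG_DATA, TRANS_READ, WIDTH_BYTES, BURST_SINGLE, PROT_PRIV };
    bus_req_t rd_key  = { REG_KEY,  TRANS_READ, WIDTH_BYTES, BURST_SINGLE, PROT_PRIV };
    uint32_t ok = honeypot_access(&h, &rd_data), key = honeypot_access(&h, &rd_key),
             bait = honeypot_access(&h, &rd_data);
    printf("normal %08x, key read %08x, after trigger %08x\n",
           (unsigned)ok, (unsigned)key, (unsigned)bait);
    return 0;
}
```

Because the request is still forwarded and the status register still reads normally, the caller gets no error signal; only the data content changes, and it changes on every read.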
The above description is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several modifications and variations without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. A honeypot module for a cryptographic algorithm IP core, wherein the cryptographic algorithm IP core to which the honeypot module is applied comprises: an interface module and an algorithm module;
the honeypot module includes a request filtering unit, an address filtering unit, a control unit and a data protection unit, which work together to protect the cryptographic algorithm IP core;
the request filtering unit receives the interface request information from the interface module, judges whether the current interface request information is legal, generates an interface request judgment result and outputs it to the control unit, and at the same time forwards the interface request information from the interface module to the algorithm module;
the address filtering unit receives the interface address information of the request from the interface module, judges whether the current interface address information is legal, generates an interface address judgment result and outputs it to the control unit, and at the same time forwards the interface address information from the interface module to the algorithm module;
the control unit receives the interface request judgment result and, if the request is illegal, sends a trigger instruction for starting protection to the data protection unit;
the control unit also receives the interface address judgment result; if the address is illegal, it judges whether the cryptographic algorithm IP core is currently in debug mode, and if the core is not in debug mode, it sends a trigger instruction for starting protection to the data protection unit;
and the data protection unit, after receiving a trigger instruction for starting protection, calls its internal random number generation unit to generate a random number and scrambles the data content in the data output from the algorithm module.
2. The honeypot module for a cryptographic algorithm IP core of claim 1, wherein the interface module receives a data read or write request from the outside, generates interface request information, and sends the interface request information to the request filtering unit, and the request filtering unit determines whether a transmission type, a data bit width, a burst type, and a protection type of the interface request information are types supported by the cryptographic algorithm IP core, thereby generating an interface request judgment result.
3. The honeypot module for a cryptographic algorithm IP core of claim 1, wherein the address filtering unit judges whether the requested interface address information is legal, and the illegal type is defined as an address change occurring under abnormal use, including an out-of-bounds access address, an unauthorized register address, and consecutive accesses to adjacent addresses.
4. The honeypot module for a cryptographic algorithm IP core of claim 1, wherein the debug mode of the cryptographic algorithm IP core is used only for chip factory testing and is not configurable by ordinary users.
5. The honeypot module for a cryptographic algorithm IP core of claim 1, wherein the random number generated by the data protection unit is replaced each time data is output.
6. The honeypot module for a cryptographic algorithm IP core of claim 1, wherein the data protection unit outputs unmodified the status content, unrelated to data security, in the data output of the algorithm module.
7. The honeypot module for a cryptographic algorithm IP core of claim 6, wherein the status content comprises status information including state machine information, error information, busy information, and interrupt information of the algorithm.
8. The honeypot module for a cryptographic algorithm IP core of claim 1, wherein the data protection unit, upon receiving a trigger instruction for starting protection, also records the protection-on state in its internal non-volatile storage device, and this state can be cleared only through debug mode.
9. The honeypot module for a cryptographic algorithm IP core of claim 1, wherein the data content in the data output from the algorithm module comprises operation information including a key, an encryption result, and a decryption result.
10. The honeypot module for a cryptographic algorithm IP core of claim 1, wherein the interface module is the part of the cryptographic algorithm IP core connected to the outside and is used for data interaction with the outside; the algorithm module is the part of the cryptographic algorithm IP core that performs its computational functions and implements the logic functions of key generation, data encryption and identity authentication.
CN201911131144.XA 2019-11-19 2019-11-19 Honeypot module for cryptographic algorithm IP core Active CN110837662B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911131144.XA CN110837662B (en) 2019-11-19 2019-11-19 Honeypot module for cryptographic algorithm IP core

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911131144.XA CN110837662B (en) 2019-11-19 2019-11-19 Honeypot module for cryptographic algorithm IP core

Publications (2)

Publication Number Publication Date
CN110837662A (en) 2020-02-25
CN110837662B (en) 2023-07-28

Family

ID=69576901

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911131144.XA Active CN110837662B (en) 2019-11-19 2019-11-19 Honeypot module for cryptographic algorithm IP core

Country Status (1)

Country Link
CN (1) CN110837662B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004005267A (en) * 2002-05-31 2004-01-08 Le Tekku:Kk Chip for controlling game machine and game machine control method
US20040114759A1 (en) * 2002-12-06 2004-06-17 Pioneer Corporation Information processing apparatus, information recording apparatus, information recording medium, computer program and information processing method
CN104484583A (en) * 2014-12-15 2015-04-01 天津大学 Protection method of IP (internet protocol) core with determined validity
US20180367309A1 (en) * 2016-04-28 2018-12-20 Arnold G. Reinhold System and method for securely storing and utilizing password validation data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
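张跃军: "Security protection design for multiple hardware IP cores based on orthogonal obfuscation" *
赵英豪;吴朔媚;宋建卫: "Design of an embedded database encryption management system" *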

Also Published As

Publication number Publication date
CN110837662B (en) 2023-07-28

Similar Documents

Publication Publication Date Title
TW382681B (en) Securely generating a computer system password by utilizing an external encryption algorithm
CN108055133B (en) Key security signature method based on block chain technology
CN104951409B (en) A kind of hardware based full disk encryption system and encryption method
KR101885393B1 (en) Device for and method of handling sensitive data
CN101533445B (en) Microprocessor device for providing secure execution environment and method for executing secure code thereof
KR100607016B1 (en) Memory device
CN107066887A (en) Processing unit with sensitive data access module
CN110659458A (en) Central processor design method supporting software code data secret credible execution
JP2007526661A (en) Reliable peripheral mechanism
CN103440462A (en) Embedded control method for improving security and secrecy performance of security microprocessor
US20060253714A1 (en) Information processor, tamper-proof method, and tamper-proof program
CN110765470A (en) Method and device for realizing safety keyboard, computer equipment and storage medium
JPS5947646A (en) Computer data processing apparatus and method
CN110912881B (en) Honeypot scrambling method for cryptographic algorithm IP core
CN110837662B (en) Honeypot module for cryptographic algorithm IP core
CN111737773A (en) Embedded secure memory with SE security module function
CN101217366A (en) A digital signature device with write protection
US8095805B2 (en) Security flash memory, data encryption device and method for accessing security flash memory
CN102880818A (en) Software protection method
CN101930523A (en) File protection system and method
US20160299854A1 (en) Techniques for preventing physical attacks on contents of memory
JP2002024091A (en) Storage device and its control method
CN117216813A (en) Method, device and security chip for reading and writing data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant