CN111368346A - Data writing method and related device - Google Patents

Info

Publication number: CN111368346A
Authority: CN (China)
Prior art keywords: data; write data; authentication code; storage; processing
Legal status: Pending
Application number: CN202010144506.5A
Other languages: Chinese (zh)
Inventors: 杜朝晖, 应志伟
Current Assignee: Haiguang Information Technology Co Ltd
Original Assignee: Haiguang Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

An embodiment of the invention provides a data writing method and a related device. The data writing method comprises the following steps: receiving data to be written, write integrity information of the data to be written and a processing end write data authentication code of the data to be written; storing the data to be written, and generating a storage end write data authentication code at least based on a shared key and the write integrity information, wherein the data packets to be written are stored in parallel; judging whether the processing end write data authentication code is equal to the storage end write data authentication code; and, when the processing end write data authentication code is equal to the storage end write data authentication code, storing at least the processing end write data authentication code or the storage end write data authentication code. The data writing method can reduce the influence of the computational bottleneck caused by calculating the write integrity information, thereby improving data storage efficiency while ensuring data integrity.

Description

Data writing method and related device
Technical Field
The present invention relates to the field of computer systems, and in particular, to a data writing method and related apparatus.
Background
In existing computer systems, data integrity must be guaranteed when data is transmitted between the processor chip and the memory, because the processor chip may read wrong data if the integrity of the data is not guaranteed. By modifying the data sent by the memory, an attacker can exploit this weakness to intrude into the computer system.
One existing method for ensuring data integrity is for the memory to generate, from all of the data to be read, an authentication code containing integrity information of that data, and to send the authentication code together with all of the data to be read to the processor chip. However, the corresponding integrity information can be generated only after the encryption storage unit of the memory has read all of the data to be read, and the amount of data that can be processed in the memory at the same time is limited, so the efficiency of receiving and storing data is low.
Therefore, how to improve the efficiency of receiving and storing data between the processor chip and the memory on the premise of ensuring the integrity of the data becomes a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The technical problem to be solved by the embodiment of the invention is how to improve the receiving and storing efficiency of data between a processor chip and a memory on the premise of ensuring the integrity of the data.
To solve the above problem, an embodiment of the present invention provides a data writing method, including: receiving data to be written, write integrity information of the data to be written and a processing end write data authentication code of the data to be written, wherein the data to be written comprises at least one data packet to be written, the data packets to be written are received in parallel, and the processing end write data authentication code is an authentication code generated at least based on a shared key and the write integrity information;
storing the data to be written, and generating a storage end write data authentication code at least based on the shared secret key and the write integrity information, wherein the storage of each data packet to be written is parallel storage;
judging whether the processing end write data authentication code is equal to the storage end write data authentication code or not;
and when the processing end write data authentication code is equal to the storage end write data authentication code, at least storing the processing end write data authentication code or the storage end write data authentication code.
Optionally, the processing-end write data authentication code is an authentication code generated based on the shared key, the write integrity information, and the current processing-end write data counter value, where the processing-end write data counter value is a counter value obtained based on an initial value of the processing-end write data counter value and a count sequence of the processing-end write data counter, and after the processing-end write data authentication code is generated, a new processing-end write data counter value is obtained according to the current processing-end write data counter value and the count sequence of the processing-end write data counter, and is stored as the processing-end write data counter value;
the step of generating a storage-side write data authentication code based on at least the shared key and the write integrity information comprises: generating the storage end write data authentication code based on the shared key, the write integrity information and the current storage end write data counter value, acquiring a new storage end write data counter value according to the current storage end write data counter value and a counting sequence of the storage end write data counter, and storing the new storage end write data counter value as the storage end write data counter value, wherein the storage end write data counter value is a counter value obtained based on an initial value of the storage end write data counter value and a counting sequence of the storage end write data counter, the initial value of the storage end write data counter value is the same as the initial value of the processing end write data counter value, and the counting sequence of the storage end write data counter is the same as the counting sequence of the processing end write data counter;
the step of storing at least the processing-side write data authentication code or the storage-side write data authentication code comprises: storing the current store-side write data counter value and one of the current processing-side write data authentication code and the current store-side write data authentication code.
Optionally, the data writing method further includes:
and when the processing end write data authentication code is not equal to the storage end write data authentication code, returning report information.
Optionally, the data to be written, the write integrity information of the data to be written and the processing end write data authentication code of the data to be written are received in parallel.
Optionally, common storage units of the storage end are used to receive and store the data packets to be written, where each data packet to be written is received and stored by a different common storage unit.
Optionally, an encryption storage unit of the storage end is used to receive the write integrity information of the data to be written and the processing end write data authentication code of the data to be written; the storage end write data authentication code is generated by the encryption storage unit of the storage end at least based on the shared secret key and the write integrity information; and the processing end write data authentication code or the storage end write data authentication code is stored by the encryption storage unit of the storage end.
Optionally, the current storage-side write data counter value is stored by using a count storage unit of the storage side.
An embodiment of the present invention further provides a data writing device, including:
the data processing device comprises a storage end receiving module, a processing end data receiving module and a data processing module, wherein the storage end receiving module is adapted to receive data to be written, write integrity information of the data to be written and a processing end write data authentication code of the data to be written, the data to be written comprises at least one data packet to be written, the data packets to be written are received in parallel, and the processing end write data authentication code is an authentication code generated at least based on a shared secret key and the write integrity information;
a storage end storage module, adapted to store the data to be written, and generate a storage end write data authentication code based on at least the shared secret key and the write integrity information, where the storage of each data packet to be written is parallel storage;
the storage end judging module is suitable for judging whether the processing end write data authentication code is equal to the storage end write data authentication code or not;
a storage side validation module adapted to store at least the processing side write data authentication code or the storage side write data authentication code when the processing side write data authentication code is equal to the storage side write data authentication code.
Optionally, the processing-end write data authentication code is an authentication code generated based on the shared key, the write integrity information, and the current processing-end write data counter value, where the processing-end write data counter value is a counter value obtained based on an initial value of the processing-end write data counter value and a count sequence of the processing-end write data counter, and after the processing-end write data authentication code is generated, a new processing-end write data counter value is obtained according to the current processing-end write data counter value and the count sequence of the processing-end write data counter, and is stored as the processing-end write data counter value;
the storage end storage module is adapted to generate the storage end write data authentication code based on the shared key, the write integrity information, and the current storage end write data counter value, acquire a new storage end write data counter value according to the current storage end write data counter value and a count sequence of the storage end write data counter, and store the new storage end write data counter value as the storage end write data counter value, where the storage end write data counter value is a counter value obtained based on an initial value of the storage end write data counter value and a count sequence of the storage end write data counter, the initial value of the storage end write data counter value is the same as the initial value of the processing end write data counter value, and the count sequence of the storage end write data counter is the same as the count sequence of the processing end write data counter;
the storage end confirmation module is suitable for storing the current storage end write data counter value and one of the current processing end write data authentication code and the current storage end write data authentication code.
An embodiment of the present invention further provides a memory, including:
at least two common storage units, adapted to receive and store data to be written, wherein the data to be written comprises at least one data packet to be written, and the common storage units are adapted to receive the data packets to be written in parallel and to store them in parallel;
the encryption storage unit is suitable for receiving write integrity information of the data to be written and a processing end write data authentication code of the data to be written, generating a storage end write data authentication code at least based on the shared key and the write integrity information, and judging whether the processing end write data authentication code is equal to the storage end write data authentication code or not, wherein the processing end write data authentication code is an authentication code generated at least based on the shared key and the write integrity information;
and the counting storage unit is suitable for storing at least the processing end write data authentication code or the storage end write data authentication code when the processing end write data authentication code is equal to the storage end write data authentication code.
Optionally, the processing-end write data authentication code is an authentication code generated based on the shared key, the write integrity information, and the current processing-end write data counter value, where the processing-end write data counter value is a counter value obtained based on an initial value of the processing-end write data counter value and a count sequence of the processing-end write data counter, and after the processing-end write data authentication code is generated, a new processing-end write data counter value is obtained according to the current processing-end write data counter value and the count sequence of the processing-end write data counter, and is stored as the processing-end write data counter value;
the encryption storage unit is adapted to generate the storage end write data authentication code based on the shared key, the write integrity information, and a current storage end write data counter value, acquire a new storage end write data counter value according to the current storage end write data counter value and a count sequence of the storage end write data counter, and store the new storage end write data counter value as the storage end write data counter value, where the storage end write data counter value is a counter value obtained based on an initial value of the storage end write data counter value and a count sequence of the storage end write data counter, the initial value of the storage end write data counter value is the same as the initial value of the processing end write data counter value, and the count sequence of the storage end write data counter is the same as the count sequence of the processing end write data counter;
the count storage unit is adapted to store the current storage-side write data counter value and one of the current processing-side write data authentication code and the current storage-side write data authentication code.
The embodiment of the invention also provides a memory, wherein the memory stores a program suitable for data writing so as to realize the data writing method.
The embodiment of the invention also provides a memory chip which comprises the data writing device or the memory.
The embodiment of the invention also provides electronic equipment comprising the memory chip.
Compared with the prior art, the technical scheme of the embodiment of the invention has the following advantages:
In the data writing method provided by the embodiment of the invention, the data to be written comprises at least one data packet to be written, and the storage end can receive and store the data packets to be written in parallel. The storage end also receives the write integrity information of the data to be written, which is calculated at the processing end, and the processing end write data authentication code of the data to be written. It then generates a storage end write data authentication code at least based on the shared secret key and the write integrity information, and verifies the integrity of the data to be written by comparing the processing end write data authentication code with the storage end write data authentication code. On the one hand, receiving and storing the data packets to be written in parallel improves the efficiency of receiving and storing data between the processor chip and the memory; at the same time, comparing the processing end write data authentication code with the storage end write data authentication code ensures data integrity. Furthermore, because the write integrity information calculated at the processing end and received by the storage end is used to generate the storage end write data authentication code, the storage end does not need to calculate the write integrity information again from the data to be written. This reduces the influence of the computational bottleneck caused by calculating the write integrity information, so data storage efficiency is improved while data integrity is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a schematic flowchart illustrating a data writing method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an apparatus for a data writing method and a data reading method according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a data writing method according to another embodiment of the present invention;
FIG. 4 is a flowchart illustrating a data reading method according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a data reading method according to another embodiment of the present invention;
FIG. 6 is a flowchart illustrating a data reading method according to another embodiment of the present invention;
FIG. 7 is a flowchart illustrating a step of obtaining data to be read according to an embodiment of the present invention;
FIG. 8 is a flowchart illustrating a further step of obtaining data to be read according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a data writing apparatus according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a data reading apparatus according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a system on chip according to an embodiment of the present invention.
Detailed Description
As can be seen from the background art, in the prior art, on the premise of ensuring data integrity, the efficiency of receiving and storing data between the processor chip and the memory is low.
To solve the above problem, an embodiment of the present invention provides a data writing method, including:
receiving data to be written, write integrity information of the data to be written and a processing end write data authentication code of the data to be written, wherein the data to be written comprises at least one data packet to be written, the data packets to be written are received in parallel, and the processing end write data authentication code is an authentication code generated at least based on a shared key and the write integrity information;
storing the data to be written, and generating a storage end write data authentication code at least based on the shared secret key and the write integrity information, wherein the storage of each data packet to be written is parallel storage;
judging whether the processing end write data authentication code is equal to the storage end write data authentication code or not;
and when the processing end write data authentication code is equal to the storage end write data authentication code, at least storing the processing end write data authentication code or the storage end write data authentication code.
In this way, in the data writing method provided in the embodiment of the present invention, the data to be written includes at least one data packet to be written, and the storage end may receive and store the data packets to be written in parallel. The storage end also receives the write integrity information of the data to be written, which is calculated at the processing end, and the processing end write data authentication code of the data to be written. It then generates a storage end write data authentication code based on at least the shared key and the write integrity information, and verifies the integrity of the data to be written by comparing the processing end write data authentication code with the storage end write data authentication code. On the one hand, receiving and storing the data packets to be written in parallel improves the efficiency of receiving and storing data between the processor chip and the memory; at the same time, comparing the processing end write data authentication code with the storage end write data authentication code ensures data integrity. Furthermore, because the received write integrity information, which was calculated at the processing end, is used to generate the storage end write data authentication code, the storage end does not need to calculate the write integrity information again from the data to be written. This reduces the influence of the computational bottleneck caused by calculating the write integrity information, so data storage efficiency is improved while data integrity is ensured.
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a schematic flow chart illustrating a data writing method according to an embodiment of the invention.
As shown in the figure, the data writing method provided by the embodiment of the present invention includes:
Step S11, receiving data to be written, write integrity information of the data to be written and a processing end write data authentication code of the data to be written, wherein the data to be written comprises at least one data packet to be written, the data packets to be written are received in parallel, and the processing end write data authentication code is an authentication code generated at least based on a shared secret key and the write integrity information.
It can be understood that the party that sends the data to be written, the write integrity information of the data to be written and the processing end write data authentication code of the data to be written is the processing end, which may be a processor chip or another device that can perform a write operation. The storage end receives the data to be written, the write integrity information of the data to be written and the processing end write data authentication code of the data to be written, and may be a memory or another device with a storage function.
The data to be written comprises at least one data packet to be written, and the data packets to be written are received in parallel. Parallel reception means that the reception of the data packets to be written can be carried out simultaneously. "Simultaneously" here covers both the case where the receptions start and end at the same time and the case where they do not, that is, the case where the reception of one data packet to be written is in progress while the reception of another is also in progress.
For convenience of description, please refer to fig. 2, and fig. 2 is a schematic diagram of an apparatus for a data writing method and a data reading method according to an embodiment of the present invention.
As shown in fig. 2, in the apparatus for the data writing method according to the embodiment of the present invention, when the storage end 2 receives the data to be written sent by the processing end 1, the data to be written may, in order to improve sending efficiency, be split into a plurality of data packets to be written, which are then sent to the storage end 2 in parallel. In one embodiment, to ensure transmission efficiency and reduce cost, a plurality of common storage units 21 of the storage end 2 may be used to receive the data packets to be written. In one embodiment, as shown in fig. 2, the common storage units 21 include a first common storage unit, a second common storage unit, a third common storage unit and a fourth common storage unit. Of course, in another specific embodiment, there may be a greater or smaller number of common storage units 21.
When the common storage units 21 receive the data packets to be written, the reception of one data packet to be written need not be completed before the reception of another begins. Of course, the common storage units 21 may also receive the data packets to be written at the same time. To increase the receiving speed, the number of data packets to be written may be set equal to the number of common storage units 21 at the storage end.
The size of each data packet to be written may be equal to the size of one word in the processing end or the storage end, or may be larger or smaller than the size of one word in the processing end or the storage end.
The size of each data packet to be written may be the same or different.
In one embodiment, the size of each packet to be written may be 16 bytes.
In order to ensure data integrity, in addition to receiving data to be written, a processing end write data authentication code is also received, wherein the processing end write data authentication code is generated by the processing end at least based on the shared key of the processing end and the sent write integrity information of the data to be written.
It is understood that the shared secret key is a secret key obtained by the processing end and the storage end through mutual negotiation. The shared key may be derived by a key agreement algorithm. Before obtaining the shared secret key, the processing terminal and the storage terminal may mutually authenticate each other by methods such as digital signature in advance.
The integrity information may be a hash value of the data to be written obtained according to the MD5 algorithm, the SHA-1 algorithm, or other algorithms, or may be other information that may reflect the integrity of the data.
The size of the processing end write data authentication code of the data to be written may also be set as required; in a specific embodiment, it may also be 16 bytes.
Further, in order to reduce the computation bottleneck, it is also necessary to receive write integrity information of the data to be written, where the size of the write integrity information of the data to be written may be set as needed, and in a specific embodiment, the size of the write integrity information of the data to be written may be 16 bytes.
The data to be written, the write integrity information of the data to be written and the processing end write data authentication code of the data to be written may be received serially or in parallel. In a specific embodiment, in order to increase the receiving speed, they are received in parallel.
Because the data to be written is received in parallel with its write integrity information and its processing end write data authentication code, the storage end can receive all three at the same time, which improves receiving efficiency and reduces the time required for reception.
Step S12, storing the data to be written, and generating a storage end write data authentication code at least based on the shared secret key and the write integrity information, wherein the data packets to be written are stored in parallel.
Similarly, the meaning that the storage of each packet to be written is parallel storage is: the storage of the data packets to be written may be performed simultaneously.
The storage position of each data packet to be written can also be set according to the requirement.
With reference to fig. 2, in an embodiment, the common storage units 21 of the storage end are used to store the data packets to be written, and each data packet to be written is stored in a different common storage unit 21. As shown in fig. 2, in a specific embodiment, the first common storage unit, the second common storage unit, the third common storage unit and the fourth common storage unit each store a data packet to be written.
Because different common storage units receive the data packets to be written, the storage end can simultaneously store the data packets to be written, thereby improving the storage efficiency and reducing the time required by storage.
The storage-end write data authentication code is generated by the storage end at least based on the shared key of the storage end and the received write integrity information. The storage-end write data authentication code and the processing-end write data authentication code are generated using the same key derivation algorithm.
The size of the storage-end write data authentication code of the data to be written may also be set as required, as long as it is the same as the size of the processing-end write data authentication code; in a specific embodiment, it may therefore be 16 bytes.
Since the encrypted storage unit of the storage end can be used to receive the write integrity information of the data to be written and the write data authentication code of the processing end of the data to be written, the generation of the write data authentication code of the storage end can also be performed by the encrypted storage unit of the storage end for the convenience of comparison.
Step S13, judging whether the processing end write data authentication code is equal to the storage end write data authentication code; if yes, go to step S14.
After the storage-end write data authentication code is obtained, it is judged whether the processing-end write data authentication code is equal to it. If so, the shared keys of the processing end and the storage end are consistent, and the write integrity information sent by the processing end is consistent with the write integrity information received by the storage end; provided no other error occurs at the storage end, the data to be written sent by the processing end is consistent with the data to be written received and stored by the storage end, so the integrity of the data to be written can be ensured.
Step S14, storing at least the processing-end write data authentication code or the storage-end write data authentication code.
Storing at least the processing-end write data authentication code or the storage-end write data authentication code means storing at least one of the two. Since the two codes are equal at this point, it is sufficient to store only one of them.
The storage position of the processing end write data authentication code or the storage end write data authentication code can be set according to requirements. Specifically, with continued reference to fig. 2, in one embodiment, the encryption storage unit 22 of the storage end may be used to store one of the processing-end write data authentication code or the storage-end write data authentication code.
Storing the processing-end write data authentication code or the storage-end write data authentication code in the encryption storage unit of the storage end isolates it from the common storage units, which can enhance the security of the data writing method.
In general, the processing-end write data authentication code not being equal to the storage-end write data authentication code is an abnormal condition. In that case, the storage end may return related information to the processing end so that the processing end can handle it by other methods, or it may return no related information to the processing end.
Therefore, in one embodiment, when the processing-end write data authentication code is not equal to the storage-end write data authentication code, step S15 may be executed: returning report information.
It can be understood that the report information may include information that the processing-side write data authentication code is not equal to the storage-side write data authentication code, may also include information such as size information and location information of the data to be written, may also include time information for receiving the data to be written, and may also include other information. The report information may be returned from the storage end to the processing end, or may be returned from the storage end to another device.
In this way, when the processing end write data authentication code is not equal to the storage end write data authentication code, the storage end can return related report information to the processing end or other equipment, so that the processing end can conveniently perform the next operation.
It can be seen that, in the data writing method provided in the embodiment of the present invention, the data to be written includes at least one data packet to be written. The storage end receives and stores the data packets to be written in parallel, receives the write integrity information calculated at the processing end and the processing-end write data authentication code of the data to be written, generates a storage-end write data authentication code at least based on the shared key and the write integrity information, and verifies the integrity of the data to be written by comparing the processing-end write data authentication code with the storage-end write data authentication code. On the one hand, receiving and storing the data packets to be written in parallel improves the efficiency of receiving and storing data between the processor chip and the memory; at the same time, comparing the two authentication codes ensures data integrity. Furthermore, because the storage-end write data authentication code is generated from the received write integrity information calculated at the processing end, the storage end does not need to calculate the write integrity information from the data to be written again, which reduces the computation bottleneck caused by calculating the write integrity information and improves data storage efficiency while ensuring data integrity.
Of course, although a write data authentication code generated based on the shared key and the write integrity information of the data to be written can ensure the integrity of the data to be written, when the processing end, or a third end other than the processing end and the storage end, sends to the storage end data to be written, write integrity information and a processing-end write data authentication code that have already been sent before, the storage end cannot recognize whether the information was sent by the processing end or by the third end, and can only write the data to be written again. An attacker may exploit this to overwrite the content stored at the storage end.
Therefore, to improve the security of the data writing method, in another specific implementation, an embodiment of the present invention further provides a data writing method. Please refer to fig. 3, which is a schematic flow chart of another data writing method according to an embodiment of the present invention.
As shown in fig. 3, the data writing method according to the embodiment of the present invention includes:
Step S21: receiving data to be written, write integrity information of the data to be written and a processing-end write data authentication code of the data to be written.
For part of the content of step S21, refer to step S11 shown in fig. 1; it is not repeated here.
In this embodiment, the processing-side write data authentication code is an authentication code generated by the processing side based on the shared key of the processing side, the write integrity information of the data to be written and the current processing-side write data counter value.
It can be understood that the processing-end write data counter value is obtained from an initial value of the processing-end write data counter value and the count sequence of the processing-end write data counter. Each time the processing-end write data authentication code is generated, a new counter value may be obtained from the current processing-end write data counter value and the count sequence of the processing-end write data counter, and stored as the processing-end write data counter value.
The count sequence of the processing-end write data counter is a numeric sequence in which every term is different, so that once one processing-end write data counter value is obtained, the counter value a specified number of positions before or after it can also be obtained.
The count sequence of the processing-end write data counter can take various forms and may be selected as required. For convenience, in a specific embodiment, the count sequence of the processing-end write data counter and the count sequence of the storage-end write data counter may be an arithmetic sequence with first term 0 and common difference 1.
That is, if a denotes the processing-end write data counter value, the initial value of the processing-end write data counter value is set to 0 and the count sequence advances in steps of 1, then the processing-end write data counter value is assigned a + 1 each time: after the processing-end write data authentication code has been generated once, the counter value is 1; after it has been generated twice, the counter value is 2; and so on.
Step S22, generating the storage-end write data authentication code based on the shared key, the write integrity information and the current storage-end write data counter value, obtaining a new storage-end write data counter value according to the current storage-end write data counter value and the count sequence of the storage-end write data counter, and storing the new value as the storage-end write data counter value.
For part of the content of step S22, refer to step S12 shown in fig. 1; it is not repeated here.
The storage-end write data counter value is obtained from an initial value of the storage-end write data counter value and the count sequence of the storage-end write data counter. The initial value of the storage-end write data counter value is the same as the initial value of the processing-end write data counter value, and the count sequence of the storage-end write data counter is the same as the count sequence of the processing-end write data counter.
In this way, the storage-side write data authentication code is an authentication code generated by the storage side based on the shared key of the storage side, the write integrity information received by the storage side, and the current storage-side write data counter value.
The count sequence of the storage-end write data counter is a numeric sequence in which every term is different, so that once one storage-end write data counter value is obtained, the counter value a specified number of positions before or after it can also be obtained.
The count sequence of the storage-end write data counter can take various forms and may be selected as required, as long as it is the same as the count sequence of the processing-end write data counter.
Since the initial values of the storage-end and processing-end write data counter values are the same and the two count sequences are the same, the storage-end write data counter value and the processing-end write data counter value always remain equal as long as the same operation is applied to both, for example taking the next value after the current counter value as the new counter value.
It can be understood that making the initial value of the storage-end write data counter value the same as the initial value of the processing-end write data counter value may be implemented by one of the storage end and the processing end sending its current write data counter value to the other, which assigns the received value to its own write data counter value. This may be done when the processing end and the storage end jointly negotiate the shared key, or when the processing end and the storage end mutually authenticate their identities through digital signatures before the shared key is obtained.
Step S23, judging whether the processing end write data authentication code is equal to the storage end write data authentication code; if yes, go to step S24. If not, step S25 may also be performed.
After the storage-end write data authentication code is obtained, it is judged whether the processing-end write data authentication code is equal to it. If so, the shared keys of the processing end and the storage end are consistent, the write integrity information sent by the processing end is consistent with the write integrity information received by the storage end, and the storage-end write data counter value is the same as the processing-end write data counter value; provided no other error occurs at the storage end, the data to be written sent by the processing end is consistent with the data to be written received and stored by the storage end, so the integrity of the data to be written is ensured. When the processing end, or a third end other than the processing end and the storage end, sends to the storage end data to be written, write integrity information and a processing-end write data authentication code that have already been sent before, the processing-end write data counter value on which that processing-end write data authentication code was based is no longer the same as the current storage-end write data counter value. The storage end can therefore recognize the resent data and does not write it again, which prevents exploitation by an attacker, prevents the content stored at the storage end from being overwritten, and improves the security of the data writing method.
Step S24, storing the current storage-side write data counter value and one of the current processing-side write data authentication code and the current storage-side write data authentication code.
For part of the content of step S24, refer to step S14 shown in fig. 1; it is not repeated here.
In addition, to ensure the integrity of the data to be written when it is later read, with continued reference to fig. 3, in an embodiment, the current storage-end write data counter value may also be stored.
When the current storage-end write data counter value is stored, it can be associated with the current data to be written, for example by adding a mark, so that the integrity of the written data can be protected when that data is read.
The storage position of the storage-end write data counter value can be set as required. Specifically, with continued reference to fig. 2, in one embodiment, the current storage-end write data counter value may be stored in the count storage unit 23 of the storage end. Of course, in another embodiment, the current storage-end write data counter value may also be stored in the encryption storage unit 22 of the storage end.
Storing the current storage-end write data counter value in the count storage unit of the storage end isolates it from the common storage units, which can enhance the security of the data writing method.
Step S25: returning report information.
For details of step S25, refer to step S15 shown in fig. 1; they are not repeated here.
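The following Python sketch is an added illustration, not code from the patent. It models both write variants described above: a resent message is accepted when the codes cover only the shared key and the write integrity information, and is rejected once the write data counter value is included. HMAC-SHA-256 and SHA-256 truncated to 16 bytes, the class and field names, the sample packets, committing data only after the codes match, and advancing the storage-end counter only on a match are assumptions of the sketch.

```python
import hashlib
import hmac

TAG_LEN = 16  # size of the codes and integrity information in the embodiment


def integrity_info(packets):
    # Assumption: SHA-256 over the packets in order, truncated to 16 bytes.
    return hashlib.sha256(b"".join(packets)).digest()[:TAG_LEN]


def auth_code(key, info, counter=None):
    # Assumption: HMAC-SHA-256 truncated to 16 bytes. When a counter is used
    # it is appended as a fixed-width 8-byte big-endian value.
    message = info if counter is None else info + counter.to_bytes(8, "big")
    return hmac.new(key, message, hashlib.sha256).digest()[:TAG_LEN]


class ProcessingEnd:
    def __init__(self, key, use_counter):
        self.key = key
        self.counter = 0 if use_counter else None  # sequence 0, 1, 2, ...

    def build_write(self, packets):
        """Return (packets, write integrity information, processing-end code)."""
        info = integrity_info(packets)
        code = auth_code(self.key, info, self.counter)
        if self.counter is not None:
            self.counter += 1  # new value after each generated code
        return list(packets), info, code


class StorageEnd:
    def __init__(self, key, use_counter):
        self.key = key
        self.counter = 0 if use_counter else None
        self.common_units = {}    # address -> data packets
        self.encrypted_unit = {}  # address -> stored authentication code
        self.count_unit = {}      # address -> counter value bound to the data

    def write(self, address, packets, info, proc_code):
        # S12/S22: the code is derived from the received integrity
        # information; the storage end does not hash the data itself.
        stor_code = auth_code(self.key, info, self.counter)
        # S13/S23: compare in constant time.
        if not hmac.compare_digest(proc_code, stor_code):
            # S15/S25: report information for the processing end.
            return {"ok": False, "address": address,
                    "size": sum(len(p) for p in packets),
                    "reason": "write data authentication codes differ"}
        # S14/S24: commit data, code and (if used) the counter value.
        self.common_units[address] = list(packets)
        self.encrypted_unit[address] = stor_code
        if self.counter is not None:
            self.count_unit[address] = self.counter
            # Assumption: advance only on a match, so that a rejected resend
            # does not desynchronise the two counters.
            self.counter += 1
        return {"ok": True, "address": address}


def replay_scenario(use_counter):
    """Write old data, then new data, then resend the captured old message."""
    key = bytes(range(32))  # constructed shared key
    proc = ProcessingEnd(key, use_counter)
    stor = StorageEnd(key, use_counter)
    old = proc.build_write([b"OLD-PACKET-%04d!" % i for i in range(4)])
    new = proc.build_write([b"NEW-PACKET-%04d!" % i for i in range(4)])
    accepted = [stor.write(0x1000, *old)["ok"], stor.write(0x1000, *new)["ok"]]
    accepted.append(stor.write(0x1000, *old)["ok"])  # the resent message
    content_after_resend = stor.common_units[0x1000][0][:3]
    later = proc.build_write([b"3RD-PACKET-%04d!" % i for i in range(4)])
    accepted.append(stor.write(0x1000, *later)["ok"])
    return accepted, content_after_resend


if __name__ == "__main__":
    for use_counter in (False, True):
        print("counter" if use_counter else "no counter",
              replay_scenario(use_counter))
```

Without the counter the resent message restores the old content; with it, the resend is reported and the next genuine write still succeeds.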
It can be understood that, after data is written, data is also read as needed. To facilitate understanding, in a specific implementation, an embodiment of the present invention may further provide a data reading method.
Referring to fig. 4, fig. 4 is a schematic flow chart illustrating a data reading method according to an embodiment of the invention.
As shown in the figure, a data reading method provided by an embodiment of the present invention includes:
Step S31, receiving at least the data to be read and the storage-end read data authentication code of the data to be read.
The data to be read includes at least one data packet to be read, the data packets to be read are received in parallel, and the storage-end read data authentication code is an authentication code generated at least based on a shared key and the write integrity information of the data to be read.
Of course, this also covers the case in which the data to be read includes only one data packet to be read.
It can be understood that the end that receives at least the data to be read and the storage-end read data authentication code of the data to be read is the processing end, which may be a processor chip or another device capable of performing a write operation. The storage end, which sends at least the data to be read and the storage-end read data authentication code of the data to be read, may be a memory or another device with a storage function.
Receiving the data packets to be read in parallel means that the reception of the individual data packets to be read may be performed simultaneously.
For convenience of explanation, please continue to refer to fig. 2.
As shown in fig. 2, in the apparatus for the data reading method according to the embodiment of the present invention, when the storage end 2 sends the data to be read to the processing end 1, the data to be read may, to improve sending efficiency, be split into a plurality of data packets to be read, which are then sent to the processing end 1 in parallel.
In one embodiment, to ensure transmission efficiency and reduce cost, a plurality of common storage units 21 of the storage end 2 may be used to send the data packets to be read. As shown in fig. 2, the first common storage unit, the second common storage unit, the third common storage unit and the fourth common storage unit may all send data packets to be read.
When the common storage units 21 send the data packets to be read, one data packet to be read need not wait for the transmission of another to complete. Of course, the common storage units 21 may also send the data packets to be read at the same time. To increase the transmission speed, the number of data packets to be read sent each time may be set equal to the number of common storage units 21 of the storage end.
The size of each data packet to be read may be equal to the size of one word in the processing end or the storage end, or may be larger or smaller than that. In one embodiment, each data packet to be read may have a size of 16 bytes.
To ensure data integrity, a storage-end read data authentication code is received in addition to the data to be read. The storage-end read data authentication code is an authentication code generated by the storage end at least based on the shared key of the storage end and the write integrity information received when the data to be read was written. Specifically, the storage-end read data authentication code may be generated at least based on the shared key of the storage end and one of the processing-end write data authentication code or the storage-end write data authentication code stored when the data to be read was written. That stored processing-end or storage-end write data authentication code was itself generated at least based on the shared key and the write integrity information received when the data to be read was written.
It is understood that the shared secret key is a secret key obtained by the processing end and the storage end through mutual negotiation. The shared key may be derived by a key agreement algorithm. Before obtaining the shared secret key, the processing terminal and the storage terminal may mutually verify identities through digital signatures in advance.
The read integrity information may be a hash value of the data to be read, obtained by the processing end according to the MD5 algorithm, the SHA-1 algorithm or another algorithm, or may be other information that can reflect the integrity of the data.
The size of the storage-end read data authentication code of the data to be read may also be set as needed; in a specific implementation, it may also be 16 bytes.
The data to be read and its storage-end read data authentication code may be received serially or in parallel. In a specific embodiment, to increase the receiving speed, the two are received in parallel.
Because the two receptions are parallel, the data to be read and its storage-end read data authentication code can be received simultaneously, which improves receiving efficiency and reduces the time required for receiving.
The sending position of each data packet to be read can also be set according to the requirement.
Referring to fig. 2, in an embodiment, each data packet to be read is sent by a common storage unit of the storage end, and each data packet to be read is sent by a different common storage unit.
Because each common storage unit sends its own data packet to be read, the storage end can send the data to be read simultaneously, which improves sending efficiency and reduces the time required for sending.
The sending position of the storage-end read data authentication code can also be set as required. Specifically, with continued reference to fig. 2, in an embodiment, the storage-end read data authentication code of the data to be read is sent by the encryption storage unit of the storage end.
Sending the storage-end read data authentication code of the data to be read from the encryption storage unit of the storage end isolates it from the common storage units, which can enhance the security of the data writing method.
Step S32, storing the data to be read, generating read integrity information of the data to be read from the data to be read, and generating a processing-end read data authentication code at least based on the shared key and the read integrity information, wherein the data packets to be read are stored in parallel.
Similarly, the meaning that the storage of each data packet to be read is parallel storage is as follows: the storage of the data packets to be read may be performed simultaneously.
The processing-end read data authentication code is generated by the processing end at least based on the shared key and the read integrity information generated from the data to be read. The processing-end read data authentication code and the storage-end read data authentication code are generated using the same key derivation algorithm. Specifically, the processing end may first generate, at least based on the shared key of the processing end and the read integrity information generated from the data to be read, an authentication code that is the same as the processing-end write data authentication code produced when the data to be read was written, and then generate the processing-end read data authentication code at least based on that authentication code and the shared key.
The size of the processing-end read data authentication code of the data to be read may also be set as required, as long as it is the same as the size of the storage-end read data authentication code; in a specific implementation, it may therefore be 16 bytes.
Step S33, judging whether the storage-end read data authentication code is equal to the processing-end read data authentication code; if yes, step S34 is executed.
When the processing end read data authentication code is equal to the storage end read data authentication code, the shared key of the processing end is consistent with that of the storage end, and the read integrity information generated by the processing end by using the data to be read is consistent with the write integrity information received by the storage end when the data to be read is written; when the storage end does not generate other errors, the data to be read received by the processing end is consistent with the data to be read sent by the storage end, so that the integrity of the data to be read is ensured.
Step S34, confirming the integrity of the data to be read.
And when the data reading authentication code of the storage terminal is equal to the data reading authentication code of the processing terminal, confirming the integrity of the data to be read.
In general, the processing-end read data authentication code not being equal to the storage-end read data authentication code is an abnormal condition. In that case, the processing end may return related information so that the processing end performs processing by other methods, or it may return no related information.
Therefore, in a specific embodiment, when the processing-end read data authentication code is not equal to the storage-end read data authentication code, step S35 is executed: returning report information.
It can be understood that the report information may include information that the processing terminal read data authentication code is not equal to the storage terminal read data authentication code, may also include information such as size information and location information of the data to be read, may also include time information for receiving the data to be read, and may also include other information.
Therefore, when the processing-end read data authentication code is not equal to the storage-end read data authentication code, the processing end can return related report information, which facilitates the next operation.
In this way, in the data reading method provided by the embodiment of the present invention, the data to be read includes at least one data packet to be read. The processing end receives and stores the data packets to be read in parallel, receives the storage-end read data authentication code of the data to be read, generates the read integrity information of the data to be read from the data to be read, generates the processing-end read data authentication code at least based on the shared key and the read integrity information, and verifies the integrity of the data to be read by comparing the processing-end read data authentication code with the storage-end read data authentication code. On the one hand, receiving and storing the data packets to be read in parallel improves the efficiency of receiving and storing data between the processor chip and the memory; at the same time, comparing the two authentication codes ensures data integrity. Furthermore, because the storage end generates the storage-end read data authentication code from the write integrity information stored during the write process, the storage end does not need to calculate integrity information from the data to be read, which reduces the computation bottleneck caused by calculating the integrity information and improves data storage efficiency while ensuring data integrity.
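The read path of steps S31 to S35 can be traced in the following Python sketch, which is an added illustration and not code from the patent. It shows the storage end deriving its read code from the stored write code without hashing any data, and the processing end rebuilding the chain from the packets it received; HMAC-SHA-256 and SHA-256 truncated to 16 bytes, the function and field names, and the constructed packets are assumptions.

```python
import hashlib
import hmac

TAG_LEN = 16  # size of the codes and integrity information in the embodiment


def integrity_info(packets):
    # Assumption: SHA-256 over the packets in order, truncated to 16 bytes.
    return hashlib.sha256(b"".join(packets)).digest()[:TAG_LEN]


def mac16(key, message):
    # Assumption: HMAC-SHA-256 truncated to 16 bytes.
    return hmac.new(key, message, hashlib.sha256).digest()[:TAG_LEN]


def storage_write(store, key, address, packets, info, proc_write_code):
    """Write path in brief (steps S12 to S14), needed to populate the store."""
    stor_write_code = mac16(key, info)
    if not hmac.compare_digest(stor_write_code, proc_write_code):
        return False
    store["common"][address] = list(packets)
    store["encrypted"][address] = stor_write_code
    return True


def storage_read(store, key, address):
    """Storage end: read code derived from the stored write code only."""
    read_code = mac16(key, store["encrypted"][address])
    return list(store["common"][address]), read_code


def processing_verify_read(key, address, packets, stor_read_code):
    """Processing end: steps S32 to S35."""
    read_info = integrity_info(packets)              # S32: hash received data
    rebuilt_write_code = mac16(key, read_info)       # same as the write code
    proc_read_code = mac16(key, rebuilt_write_code)  # processing-end read code
    if hmac.compare_digest(proc_read_code, stor_read_code):  # S33
        return {"intact": True}                      # S34
    return {"intact": False, "address": address,     # S35: report information
            "size": sum(len(p) for p in packets),
            "reason": "read data authentication codes differ"}


def flip_first_bit(packets):
    # Constructed fault: one bit changed in the first packet.
    return [bytes([packets[0][0] ^ 0x01]) + packets[0][1:]] + list(packets[1:])


def read_scenarios():
    key = bytes(range(32))  # constructed shared key
    packets = [b"DATA-PACKET-%04d" % i for i in range(4)]  # constructed data
    info = integrity_info(packets)
    write_code = mac16(key, info)
    results = {}

    # 1. Clean write followed by a clean read.
    store = {"common": {}, "encrypted": {}}
    storage_write(store, key, 0x1000, packets, info, write_code)
    results["clean"] = processing_verify_read(
        key, 0x1000, *storage_read(store, key, 0x1000))["intact"]

    # 2. A packet changes inside a common storage unit after the write.
    store["common"][0x1000] = flip_first_bit(store["common"][0x1000])
    results["changed_at_rest"] = processing_verify_read(
        key, 0x1000, *storage_read(store, key, 0x1000))["intact"]

    # 3. A packet is corrupted on the way to the storage end while the
    #    integrity information and code arrive unchanged: the write is
    #    accepted (the storage end does not hash data), the read reports it.
    store = {"common": {}, "encrypted": {}}
    results["corrupted_write_accepted"] = storage_write(
        store, key, 0x2000, flip_first_bit(packets), info, write_code)
    results["corrupted_write_read"] = processing_verify_read(
        key, 0x2000, *storage_read(store, key, 0x2000))["intact"]
    return results


if __name__ == "__main__":
    print(read_scenarios())
```

The third case shows where the check actually happens in this design: the data itself is only compared against its integrity information when the processing end reads it back.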
Of course, although this data reading method can ensure the integrity of the data to be read, when the storage end, or a third end other than the storage end and the processing end, sends to the processing end data to be read that has already been sent before, together with the storage end read data authentication code of that data, the processing end cannot identify the data as having been sent before and therefore operates on it again. This may be exploited by an attacker and affect the security of the processing end.
Therefore, in order to improve the security of the data reading method, in another specific implementation, an embodiment of the present invention further provides a data reading method, please refer to fig. 5, and fig. 5 is a schematic flow chart of another data reading method provided in the embodiment of the present invention.
As shown in fig. 5, the data reading method provided by the embodiment of the present invention includes:
Step S41, at least receiving the data to be read and the storage end read data authentication code of the data to be read.
Please refer to the content of step S31 shown in fig. 4 for a part of the content of step S41, which is not described herein again.
In this embodiment, the storage-side read data authentication code is an authentication code generated at least based on the shared secret key, the write integrity information, and the storage-side read data counter value.
It can be understood that the storage end read data counter value is a counter value obtained based on an initial value of the storage end read data counter and the count sequence of the storage end read data counter. After the storage end read data authentication code is generated, a new storage end read data counter value is obtained from the current storage end read data counter value and the count sequence of the storage end read data counter, and is stored as the storage end read data counter value.
In this way, the storage-side read data authentication code is an authentication code generated by the storage side based on the shared secret key of the storage side, the write integrity information of the sent data to be read, and the current storage-side read data counter value.
The storage end read data counter value is a counter value obtained based on an initial value of the storage end read data counter value and the count sequence of the storage end read data counter, where the count sequence of the storage end read data counter is a numeric sequence whose terms are all different, so that, once one storage end read data counter value is known, the counter value a specified number of positions before or after it can be determined.
The count sequence of the storage end read data counter can take various forms and can be selected as needed. For convenience, in a specific embodiment, the count sequence of the storage end read data counter and the count sequence of the storage end write data counter are arithmetic sequences with 0 as the first term and 1 as the common difference.
Step S42, storing the data to be read, generating the read integrity information of the data to be read by using the data to be read, and generating the processing terminal read data authentication code at least based on the shared secret key, the read integrity information and the current processing terminal read data counter value; and after the processing terminal read data authentication code is generated, the processing terminal read data counter value takes the next value of the current processing terminal read data counter value as the processing terminal read data counter value according to the counting sequence of the processing terminal read data counter.
Please refer to the content of step S32 shown in fig. 4 for a part of the content of step S42, which is not described herein again.
The initial value of the storage end data reading counter is the same as the initial value of the processing end data reading counter, and the counting sequence of the storage end data reading counter is the same as the counting sequence of the processing end data reading counter.
The processing terminal data reading authentication code is an authentication code generated by the processing terminal based on at least the shared secret key of the processing terminal, the reading integrity information generated by the data to be read and the current processing terminal data reading counter value.
The processing end read data counter value is a counter value obtained based on an initial value of the processing end read data counter value and the count sequence of the processing end read data counter, where the count sequence of the processing end read data counter is a numeric sequence whose terms are all different, so that, once one processing end read data counter value is known, the counter value a specified number of positions before or after it can be determined.
The count sequence of the processing end read data counter can take various forms and can be selected as needed, as long as the count sequence of the processing end read data counter is the same as the count sequence of the storage end read data counter.
Since the initial value of the processing-side read data counter value is the same as the initial value of the storage-side read data counter value, and the count sequence of the processing-side read data counter is the same as the count sequence of the storage-side read data counter, when the processing-side read data counter value and the storage-side read data counter value perform the same operation, for example, the next value of the current counter value is used as a new counter value, the processing-side read data counter value and the storage-side read data counter value can always be kept equal.
It can be understood that the initial value of the processing terminal read data counter value is the same as the initial value of the storage terminal read data counter value, which can be implemented by one of the processing terminal and the storage terminal sending the current read data counter value to the other, and the other assigning the received read data counter value to its own read data counter value. The initial value of the processing end read data counter value is the same as the initial value of the storage end read data counter value, which can be realized when the storage end and the processing end negotiate together to obtain the shared secret key, or when the storage end and the processing end mutually verify identities through digital signatures in advance before obtaining the shared secret key.
Step S43, judging whether the storage end read data authentication code is equal to the processing end read data authentication code; if yes, go to step S44; if not, step S45 may also be performed.
Please refer to the content of step S33 shown in fig. 4 for a part of the content of step S43, which is not described herein again.
After the processing end read data authentication code is obtained, it is judged whether the storage end read data authentication code is equal to the processing end read data authentication code. If so, the shared key of the storage end is consistent with the shared key of the processing end, the write integrity information of the data to be read sent by the storage end is consistent with the read integrity information generated by the processing end from the data to be read, and the processing end read data counter value is the same as the storage end read data counter value; provided that no other error occurs at the processing end, the data to be read sent by the storage end is consistent with the data to be read received and stored by the processing end, so that the integrity of the data to be read is ensured. When the storage end, or a third end other than the storage end and the processing end, sends to the processing end data to be read that has already been sent before together with the storage end read data authentication code of that data, the storage end read data counter value on which that authentication code is based differs from the current processing end read data counter value, so the processing end can recognize this and does not operate on the data to be read, thereby preventing exploitation by an attacker and improving the security of the data reading method.
Step S44, confirming the integrity of the data to be read.
Please refer to the content of step S34 shown in fig. 4 for a part of the content of step S44, which is not described herein again.
Step S45: returning report information.
Please refer to the content of step S35 shown in fig. 4 for a part of the content of step S45, which is not described herein again.
Further, when the storage end write data counter value was stored at the time the data to be read was written, the data reading method can use that storage end write data counter value to further protect the integrity of the data to be read.
Therefore, in an embodiment, please refer to fig. 6, and fig. 6 is a flowchart illustrating a data reading method according to another embodiment of the present invention.
As shown in fig. 6, the data reading method provided by the embodiment of the present invention includes:
Step S51, receiving the data to be read, the storage end write data counter value stored when the data to be read was written by using the data writing method, and the storage end read data authentication code.
Please refer to the content of step S31 shown in fig. 4 for a part of the content of step S51, which is not described herein again.
In this embodiment, the storage-side data reading authentication code is an authentication code generated by the storage side based on the shared secret key of the storage side, the write integrity information during storage of the data to be read, the storage-side data writing counter value during storage of the data to be read, and the current storage-side data reading counter value. Specifically, the storage-side data reading authentication code may be generated based on the shared key of the storage side, a current storage-side data reading counter value, and one of a processing-side data writing authentication code and the storage-side data writing authentication code stored when the data to be read is written. And the processing end write data authentication code or the storage end write data authentication code stored when the data to be read is written is generated based on the shared secret key, the write integrity information received when the data to be read is written and the storage end write data counter value when the data to be read is stored.
The storage end write data counter value may be received serially or in parallel with the data to be read and the storage end read data authentication code of the data to be read. In a specific embodiment, the storage end write data counter value is received in parallel with the data to be read and the storage end read data authentication code of the data to be read.
Because these are received in parallel, the storage end write data counter value, the data to be read and the storage end read data authentication code of the data to be read can be stored simultaneously, which improves the storage efficiency and shortens the time required for storage.
The sending position of the data writing counter value of the storage end when the data to be read is stored can be set according to the requirement. Specifically, with continued reference to fig. 2, in one embodiment, the storage write data counter value is sent by a count storage unit of the storage.
Because the storage end write data counter value is sent by the count storage unit of the storage end, it can be isolated from the normal memory cells, which can enhance the security of the data writing method.
Step S52, storing the data to be read, generating the read integrity information of the data to be read by using the data to be read, and generating the processing end read data authentication code based on the shared key, the read integrity information, the current processing end read data counter value and the storage end write data counter value; and after the processing terminal read data authentication code is generated, the processing terminal read data counter value takes the next value of the current processing terminal read data counter value as the processing terminal read data counter value according to the counting sequence of the processing terminal read data counter.
Please refer to the content of step S32 shown in fig. 4 for a part of the content of step S52, which is not described herein again.
The processing terminal data reading authentication code is an authentication code generated by the processing terminal based on at least the shared secret key of the processing terminal, the reading integrity information generated by the data to be read and the current processing terminal data reading counter value. Specifically, the processing end may generate, based on at least the shared key of the processing end, read integrity information of the data to be read generated by using the data to be read, and a received storage end write data counter value when the data to be read is stored, an authentication code that is the same as the processing end write data authentication code when the data to be read is written. And then generating the processing terminal read data authentication code at least based on the authentication code which is the same as the processing terminal write data authentication code when the data to be read is written, the shared key and the current processing terminal read data counter value.
Step S53, judging whether the storage end read data authentication code is equal to the processing end read data authentication code; if yes, go to step S54. If not, step S55 may also be performed.
Please refer to the content of step S33 shown in fig. 4 for a part of the content of step S53, which is not described herein again.
When the storage end read data authentication code is equal to the processing end read data authentication code, the shared key of the storage end is consistent with that of the processing end, the write integrity information of the data to be read sent by the storage end is consistent with the read integrity information generated by the processing end from the data to be read, the processing end read data counter value is the same as the storage end read data counter value, and the data to be read is the data corresponding to the storage end write data counter value, received by the processing end, that was stored when the data to be read was stored; provided that no other error occurs at the processing end, the data to be read sent by the storage end is consistent with the data to be read received and stored by the processing end, so that the security of the data reading method is improved.
Step S54, confirming the integrity of the data to be read.
Please refer to the content of step S34 shown in fig. 4 for a part of the content of step S54, which is not described herein again.
Step S55: returning report information.
Please refer to the content of step S35 shown in fig. 4 for a part of the content of step S55, which is not described herein again.
Of course, in the acquisition of the data to be read, the integrity of the address can also be ensured on the premise of parallel transmission of the data address bits.
Therefore, referring to fig. 7, fig. 7 is a schematic flow chart illustrating a step of acquiring data to be read according to an embodiment of the present invention.
As shown in the figure, in the data writing method provided in the embodiment of the present invention, the step of acquiring the data to be read includes:
Step S61, the storage end receives the data address of the data to be read and the processing end read request authentication code of the data address.
The data address comprises at least one data address bit, the data address bits are received in parallel, and the processing end read request authentication code is an authentication code generated at least based on a shared secret key and the data address.
The meaning that the receiving of each data address bit is parallel receiving is as follows: the receipt of each of the data address bits may occur simultaneously.
For convenience of explanation, please continue to refer to fig. 2.
As shown in fig. 2, when the storage end 2 receives the data address sent by the processing end 1, in order to improve the receiving efficiency, the data address may be divided into a plurality of data address bits, and each data address bit may be received by one of a plurality of normal memory cells 21 of the storage end 2.
When each normal memory cell 21 receives the data address bits, it is not required that the reception of one data address bit is completed before the reception of another data address bit is started. Of course, each of the normal memory cells 21 may also receive the data address bits at the same time. In order to increase the receiving speed, the number of data address bits may be set to be the same as the number of the normal memory cells 21 of the memory side.
In order to ensure data integrity, in addition to receiving a data address, a processing end read request authentication code is also received, and the processing end read request authentication code is generated by the processing end at least based on the shared secret key of the processing end and the sent data address.
The data address bits may be received serially or in parallel with the processing end read request authentication code of the data address. In one embodiment, in order to increase the receiving speed, the data address bits and the processing end read request authentication code of the data address are received in parallel.
Because they are received in parallel, the data address bits and the processing end read request authentication code of the data address can be received simultaneously, thereby improving the receiving efficiency and reducing the time required for receiving.
The receiving positions of the data address bits and the data address processing end read request authentication codes can also be set according to requirements.
With continued reference to fig. 2, in an embodiment, each data address bit is received by a normal memory cell 21 of the memory side, and the normal memory cell 21 corresponding to each data address is different. In another specific embodiment, the data address and the processing end read request authentication code of the data address may also be received by using the encryption storage unit 22 of the storage end.
Because each normal memory cell receives each data packet to be read, the encryption storage unit 22 of the storage end receives the data address and the processing end read request authentication code of the data address, and the storage end can simultaneously receive the data to be read, the storage efficiency is improved, the time required for storage is reduced, and the storage units are isolated from one another, so that the security of the data reading method can be enhanced.
Step S62, generating a storage end read request authentication code at least based on the shared secret key and the data address.
The storage end read request authentication code is generated by the storage end based on at least the shared secret key and the data address. The storage end read request authentication code and the processing end read request authentication code are generated by using the same derived key algorithm.
Since the data address and the processing side read request authentication code of the data address can be received by the encryption storage unit 22 of the storage side, the generation of the storage side read request authentication code can also be performed by the encryption storage unit of the storage side for the convenience of comparison.
Step S63, judging whether the processing end reading request authentication code is equal to the storage end reading request authentication code; if yes, go to step S64.
When the processing end read request authentication code is equal to the storage end read request authentication code, the shared key of the processing end is consistent with that of the storage end, and the data address sent by the processing end is consistent with the data address received by the storage end, so that the integrity of the data address is ensured.
Step S64, acquiring the data to be read according to the data address.
Under normal conditions, a processing end read request authentication code that is not equal to the storage end read request authentication code indicates an abnormal condition. In this case, the storage end may return related information to the processing end, so that the processing end can handle the situation by other means, or may not return related information to the processing end.
Therefore, in one embodiment, when the processing end read request authentication code is not equal to the storage end read request authentication code, step S65 is executed: returning report information.
It is understood that the report information may include information that the processing side read request authentication code is not equal to the storage side read request authentication code, and may also include other information. The report information may be returned from the storage end to the processing end, or may be returned from the storage end to another device.
In this way, when the processing terminal read request authentication code is not equal to the storage terminal read request authentication code, the storage terminal may return related report information to the processing terminal or other devices, thereby facilitating the processing terminal or other devices to perform the next operation.
Of course, although this verification method for the data read request can ensure the integrity of the data address, when the processing end, or a third end other than the processing end and the storage end, sends to the storage end a data address that has already been sent before together with the processing end read request authentication code of that data address, the storage end cannot identify the data address as having been sent before and can only read the data according to the data address again, which may be used by an attacker to read the content stored in the storage end.
Therefore, in order to improve the security of the data reading method, in another specific implementation manner, an embodiment of the present invention further provides a step of obtaining data to be read, please refer to fig. 8, and fig. 8 is a schematic flow diagram of another step of obtaining data to be read according to the embodiment of the present invention.
As shown in fig. 8, the step of acquiring data to be read provided by the embodiment of the present invention includes:
Step S71, the storage end receives the data address of the data to be read and the processing end read request authentication code of the data address.
Please refer to the content of step S61 shown in fig. 7 for a part of the content of step S71, which is not described herein again.
In this embodiment, the processing-side read request authentication code is an authentication code generated by the processing side based on the shared secret key of the processing side, the sent data address, and the current processing-side read request counter value stored when the data to be read is written.
It can be understood that the processing end read request counter value is a counter value obtained based on an initial value of the processing end read request counter value and the count sequence of the processing end read request counter, where the count sequence of the processing end read request counter is a numeric sequence whose terms are all different, so that, once one processing end read request counter value is known, the counter value a specified number of positions before or after it can be determined.
The count sequence of the processing end read request counter can take various forms and can be selected as needed. For convenience, in a specific embodiment, the count sequence of the processing end read request counter is an arithmetic sequence with 0 as the first term and 1 as the common difference.
Step S72, generating the storage end write data authentication code based on the shared secret key, the write integrity information and the current storage end read request counter value, acquiring a new storage end read request counter value according to the current storage end read request counter value and the count sequence of the storage end read request counter, and storing the new storage end read request counter value as the storage end read request counter value.
Please refer to the content of step S62 shown in fig. 7 for a part of the content of step S72, which is not described herein again.
The storage end read request counter value is a counter value obtained based on an initial value of the storage end read request counter value and a counting sequence of the storage end read request counter, the initial value of the storage end read request counter value is the same as the initial value of the processing end read request counter value, and the counting sequence of the storage end read request counter is the same as the counting sequence of the processing end read request counter.
In this way, the storage-side write data authentication code is an authentication code generated by the storage side based on the shared key of the storage side, the received write integrity information, and the current storage-side write data counter value.
The storage end read request counter value is a counter value obtained based on an initial value of the storage end read request counter and the count sequence of the storage end read request counter, where the count sequence of the storage end read request counter is a numeric sequence whose terms are all different, so that, once one storage end read request counter value is known, the counter value a specified number of positions before or after it can be determined.
The count sequence of the storage end read request counter can take various forms and can be selected as needed, as long as the count sequence of the storage end read request counter is the same as the count sequence of the processing end read request counter.
Since the initial value of the memory side read request counter value is the same as the initial value of the processing side read request counter value, and the counting sequence of the memory side read request counter is the same as the counting sequence of the processing side read request counter, when the memory side read request counter value and the processing side read request counter value perform the same operation, for example, the next value of the current counter value is taken as a new counter value, the memory side read request counter value and the processing side read request counter value can be always kept equal.
It can be understood that the initial value of the storage side read request counter value is the same as the initial value of the processing side read request counter value, which can be implemented by one of the storage side and the processing side sending the current read request counter value to the other side, and the other side assigning the received read request counter value to its own read request counter value. The initial value of the storage end read request counter value is the same as the initial value of the processing end read request counter value, which can be realized when the processing end and the storage end negotiate together to obtain the shared secret key, or when the processing end and the storage end mutually authenticate each other through a digital signature before obtaining the shared secret key.
The storage location of the storage end read request counter value can be set as required. In one embodiment, the current storage end read request counter value is stored by using a count storage unit of the storage end. Because the current storage end read request counter value is stored in the count storage unit of the storage end and is isolated from the other storage units, the security of the verification method for the data read request can be enhanced.
Step S73, judging whether the processing end write data authentication code is equal to the storage end write data authentication code; if yes, go to step S74. If not, step S75 may also be performed.
Please refer to the content of step S63 shown in fig. 7 for a part of the content of step S73, which is not described herein again.
When the processing end read request authentication code is equal to the storage end read request authentication code, the shared key of the processing end is consistent with that of the storage end, the data address sent by the processing end is consistent with the data address received by the storage end, and the storage end read request counter value is the same as the processing end read request counter value; provided that no other error occurs at the storage end, the data address sent by the processing end is consistent with the data address received by the storage end, so that the integrity of the data address is ensured. When the processing end, or a third end other than the processing end and the storage end, sends to the storage end a data address that has already been sent before together with the processing end read request authentication code of that data address, the processing end read request counter value on which that authentication code is based differs from the current storage end read request counter value, so the storage end can recognize this and does not read the data according to the data address, thereby preventing exploitation by an attacker, preventing the attacker from reading the content stored in the storage end, and improving the security.
Step S74, acquiring the data to be read according to the data address. Please refer to the content of step S64 shown in fig. 7 for a part of the content of step S74, which is not described herein again.
Step S75: returning report information. Please refer to the content of step S65 shown in fig. 7 for a part of the content of step S75, which is not described herein again.
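The two counter-bound checks described above, the read data authentication code of steps S41 to S45 and the read request authentication code as described for steps S71 and S73, modelled end to end as an added example that is not part of the patent text. HMAC-SHA256 as the authentication code, a SHA-256 digest as the integrity information, the 8-byte counter encoding and all class and function names are assumptions; the key, address and payload are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-shared-key-for-demo!"   # constructed shared secret key
ADDRESS = 0x40                               # constructed data address
PAYLOAD = b"constructed data to be read"     # constructed stored data


def integrity_info(data: bytes) -> bytes:
    """Assumption: a SHA-256 digest stands in for the integrity information."""
    return hashlib.sha256(data).digest()


def auth_code(key: bytes, payload: bytes, counter: int) -> bytes:
    """Assumption: HMAC-SHA256 over payload || 8-byte big-endian counter."""
    msg = payload + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class ProcessingEnd:
    def __init__(self, key: bytes):
        self.key = key
        self.request_counter = 0  # arithmetic sequence: first term 0, step 1
        self.data_counter = 0

    def build_request(self, address: int):
        """Data address plus processing end read request authentication code."""
        code = auth_code(self.key, address.to_bytes(8, "big"), self.request_counter)
        self.request_counter += 1
        return address, code

    def accept_response(self, data: bytes, storage_code: bytes) -> bool:
        """Steps S42/S43: recompute from received data, then compare."""
        code = auth_code(self.key, integrity_info(data), self.data_counter)
        self.data_counter += 1  # advanced once the code has been generated
        return hmac.compare_digest(code, storage_code)


class StorageEnd:
    def __init__(self, key: bytes):
        self.key = key
        self.request_counter = 0  # same initial value and sequence as the peer
        self.data_counter = 0
        self.cells = {}           # address -> (data, stored write integrity info)

    def write(self, address: int, data: bytes, write_info: bytes) -> None:
        self.cells[address] = (data, write_info)

    def handle_request(self, address: int, processing_code: bytes):
        """Verify the request; return (data, read data code) or None (report)."""
        code = auth_code(self.key, address.to_bytes(8, "big"), self.request_counter)
        self.request_counter += 1  # stored before the comparison
        if not hmac.compare_digest(code, processing_code):
            return None
        data, write_info = self.cells[address]
        # The stored write integrity information is reused; the data is not rehashed.
        response_code = auth_code(self.key, write_info, self.data_counter)
        self.data_counter += 1
        return data, response_code


def _fresh_pair():
    processing, storage = ProcessingEnd(KEY), StorageEnd(KEY)
    storage.write(ADDRESS, PAYLOAD, integrity_info(PAYLOAD))
    return processing, storage


def normal_read() -> bool:
    processing, storage = _fresh_pair()
    response = storage.handle_request(*processing.build_request(ADDRESS))
    return response is not None and processing.accept_response(*response)


def replayed_request_served() -> bool:
    processing, storage = _fresh_pair()
    captured = processing.build_request(ADDRESS)
    storage.handle_request(*captured)                      # original request
    return storage.handle_request(*captured) is not None   # same bytes again


def replayed_response_accepted() -> bool:
    processing, storage = _fresh_pair()
    captured = storage.handle_request(*processing.build_request(ADDRESS))
    processing.accept_response(*captured)          # original response
    return processing.accept_response(*captured)   # same bytes again


def tampered_cell_accepted() -> bool:
    processing, storage = _fresh_pair()
    _, write_info = storage.cells[ADDRESS]
    storage.cells[ADDRESS] = (b"tampered data in the cell", write_info)
    response = storage.handle_request(*processing.build_request(ADDRESS))
    return processing.accept_response(*response)


if __name__ == "__main__":
    print("normal read accepted:      ", normal_read())
    print("replayed request served:   ", replayed_request_served())
    print("replayed response accepted:", replayed_response_accepted())
    print("tampered cell accepted:    ", tampered_cell_accepted())
```

Each scenario starts from fresh state because, in this model, both ends advance a counter as soon as a code is generated, so a rejected message leaves the two counters out of step; how the ends resynchronise is not covered by the passage.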
The data writing device and the data reading device provided by the embodiments of the present invention and the related devices are described below, and the data writing device and the data reading device may be regarded as program modules provided for implementing the data writing method and the data reading method provided by the embodiments of the present invention. The data writing device and the data reading device described below may be referred to in correspondence with the contents of the methods described above.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a data writing device according to an embodiment of the present invention, and the data writing device 3 according to the embodiment of the present invention includes:
a storage receiving module 31, where the storage receiving module 31 is adapted to receive data to be written, write integrity information of the data to be written, and a processing end write data authentication code of the data to be written, where the data to be written includes at least one data packet to be written, the receiving of the data packets to be written is parallel receiving, and the processing end write data authentication code is an authentication code generated based on at least a shared key and the write integrity information;
a storage side storage module 32, where the storage side storage module 32 is adapted to store the data to be written, and generate a storage side write data authentication code at least based on the shared secret key and the write integrity information, where storage of each data packet to be written is parallel storage;
a storage end judging module 33, where the storage end judging module 33 is adapted to judge whether the processing end write data authentication code is equal to the storage end write data authentication code;
a storage side validation module 34, the storage side validation module 34 adapted to store at least the processing side write data authentication code or the storage side write data authentication code when the processing side write data authentication code is equal to the storage side write data authentication code.
It can be understood that the processing end may be configured with corresponding modules to cooperate with the storage end in implementing the data writing method.
It can be seen that, in the data writing device provided in the embodiment of the present invention, the data to be written includes at least one data packet to be written. The storage receiving module can receive the data packets to be written in parallel, and also receives the write integrity information of the data to be written, calculated at the processing end, and the processing end write data authentication code of the data to be written. The storage end storage module can receive and store each data packet to be written in parallel, and a storage end write data authentication code is then generated based on at least the shared key and the write integrity information; the integrity of the data to be written is verified by comparing the processing end write data authentication code with the storage end write data authentication code. Therefore, on the one hand, receiving and storing the data packets to be written in parallel improves the efficiency of receiving and storing data between the processor chip and the memory. At the same time, comparing the processing end write data authentication code with the storage end write data authentication code ensures data integrity. Furthermore, because the storage end write data authentication code is generated from the received write integrity information, which was calculated at the processing end, the storage end does not need to calculate the write integrity information again from the data to be written. This reduces the computational bottleneck caused by calculating the write integrity information and improves data storage efficiency while still ensuring data integrity.
In another specific implementation manner, in the data writing device provided in this embodiment of the present invention, the processing-side write data authentication code is an authentication code generated based on the shared key, the write integrity information, and the current processing-side write data counter value, the processing-side write data counter value is a counter value obtained based on an initial value of the processing-side write data counter value and a count sequence of the processing-side write data counter, and after the processing-side write data authentication code is generated, a new processing-side write data counter value is obtained according to the current processing-side write data counter value and the count sequence of the processing-side write data counter and is stored as the processing-side write data counter value;
the storage side storage module 32 is adapted to generate the storage side write data authentication code based on the shared key, the write integrity information, and the current storage side write data counter value, obtain a new storage side write data counter value according to the current storage side write data counter value and a count sequence of the storage side write data counter, and store the new storage side write data counter value as the storage side write data counter value, where the storage side write data counter value is a counter value obtained based on an initial value of the storage side write data counter value and a count sequence of the storage side write data counter, the initial value of the storage side write data counter value is the same as the initial value of the processing side write data counter value, and the count sequence of the storage side write data counter is the same as the count sequence of the processing side write data counter;
the storage side validation module 34 is adapted to store the current storage side write data counter value and one of the current processing side write data authentication code and the current storage side write data authentication code.
Referring to fig. 2, an embodiment of the invention further provides a memory, including:
common storage units, the number of which is greater than or equal to 2, adapted to receive and store data to be written, where the data to be written includes at least one data packet to be written, and the common storage units are adapted to receive the data packets to be written in parallel and to store the data packets to be written in parallel;
the encryption storage unit 22 is adapted to receive write integrity information of the data to be written and a processing-side write data authentication code of the data to be written, generate a storage-side write data authentication code based on at least the shared key and the write integrity information, and determine whether the processing-side write data authentication code is equal to the storage-side write data authentication code, where the processing-side write data authentication code is an authentication code generated based on at least the shared key and the write integrity information;
a count storage unit 23 adapted to store at least the processing-side write data authentication code or the storage-side write data authentication code when the processing-side write data authentication code is equal to the storage-side write data authentication code.
With the memory of the above embodiment of the present invention, the data to be written includes at least one data packet to be written. The general storage units of the memory can receive and store each data packet to be written in parallel. The encryption storage unit can receive the write integrity information of the data to be written, calculated at the processing end, and the processing end write data authentication code of the data to be written, then generate a storage end write data authentication code based on at least the shared key and the write integrity information, and verify the integrity of the data to be written by comparing the processing end write data authentication code with the storage end write data authentication code. Therefore, on the one hand, receiving and storing each data packet to be written in parallel improves the efficiency of receiving and storing data between the processor chip and the memory. At the same time, comparing the processing end write data authentication code with the storage end write data authentication code ensures data integrity. Furthermore, because the storage end write data authentication code is generated from the received write integrity information, which was calculated at the processing end, the storage end does not need to calculate the write integrity information again from the data to be written. This reduces the computational bottleneck caused by calculating the write integrity information and improves data storage efficiency while still ensuring data integrity.
Optionally, the processing-end write data authentication code is an authentication code generated based on the shared key, the write integrity information, and the current processing-end write data counter value, where the processing-end write data counter value is a counter value obtained based on an initial value of the processing-end write data counter value and a count sequence of the processing-end write data counter, and after the processing-end write data authentication code is generated, a new processing-end write data counter value is obtained according to the current processing-end write data counter value and the count sequence of the processing-end write data counter, and is stored as the processing-end write data counter value;
the encrypting and storing unit is adapted to receive write integrity information of the data to be written and a processing end write data authentication code of the data to be written, generate a storage end write data authentication code based on at least the shared key and the write integrity information, and determine whether the processing end write data authentication code is equal to the storage end write data authentication code, and includes: generating the storage end write data authentication code based on the shared key, the write integrity information and the current storage end write data counter value, acquiring a new storage end write data counter value according to the current storage end write data counter value and a counting sequence of the storage end write data counter, and storing the new storage end write data counter value as the storage end write data counter value, wherein the storage end write data counter value is a counter value obtained based on an initial value of the storage end write data counter value and a counting sequence of the storage end write data counter, the initial value of the storage end write data counter value is the same as the initial value of the processing end write data counter value, and the counting sequence of the storage end write data counter is the same as the counting sequence of the processing end write data counter;
the counting storage unit is suitable for at least storing the processing end write data authentication code or the storage end write data authentication code and comprises: storing the current store-side write data counter value and one of the current processing-side write data authentication code and the current store-side write data authentication code.
Embodiments of the present invention further provide a memory that stores a program suitable for data writing, so as to implement the data writing method. For the specific data writing method, its principles, and its effects, refer to the foregoing embodiments; they are not repeated here.
An embodiment of the present invention further provides a memory chip, which may include the data writing device or the memory according to any of the foregoing embodiments, and reference may be specifically made to the foregoing embodiment schemes, which are not described herein again.
An embodiment of the present invention further provides an electronic device, which may include the memory chip according to the foregoing embodiment, and reference may be specifically made to the foregoing embodiment, which is not described herein again.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a data reading device according to an embodiment of the present invention, and the data reading device 4 according to the embodiment of the present invention includes:
a processing terminal receiving module 41, adapted to receive at least data to be read and a storage terminal read data authentication code of the data to be read; the data to be read comprises at least one data packet to be read, the data packets to be read are received in parallel, and the storage end data reading authentication code is an authentication code generated at least based on a shared key and writing integrity information of the data to be read;
a processing-side storage module 42, adapted to store the data to be read, generate read integrity information of the data to be read by using the data to be read, generate a processing-side read data authentication code based on at least the shared key and the read integrity information, and store each data packet to be written as parallel storage;
a processing terminal judging module 43, adapted to judge whether the storage terminal read data authentication code is equal to the processing terminal read data authentication code;
a processing side confirmation module 44, adapted to confirm the integrity of the data to be read when the storage side read data authentication code is equal to the processing side read data authentication code.
It can be understood that the storage end may be provided with a corresponding module to cooperate with the processing end to implement the data writing method.
In this way, in the data reading apparatus provided in the embodiment of the present invention, the data to be read includes at least one data packet to be read. The processing-end receiving module may receive each data packet to be read in parallel, and receives the data-reading authentication code from the processing terminal of the data to be read. The processing-side storage module can receive and store each data packet to be read in parallel; the read integrity information of the data to be read is then generated from the data to be read, a processing end read data authentication code is generated based on at least the shared secret key and the read integrity information, and the integrity of the data to be read is verified by comparing the processing end read data authentication code with the storage end read data authentication code. Therefore, on the one hand, receiving and storing each data packet to be read in parallel improves the efficiency of receiving and storing data between the processor chip and the memory. At the same time, comparing the processing end read data authentication code with the storage end read data authentication code ensures data integrity. Furthermore, the storage end generates the storage end read data authentication code from the write integrity information stored during the write process, and the processing end read data authentication code is then compared with the storage end read data authentication code, so the storage end does not need to calculate integrity information from the data to be read. This reduces the computational bottleneck caused by calculating the integrity information and improves data storage efficiency while still ensuring data integrity.
Optionally, the storage-side read data authentication code is an authentication code generated at least based on the shared key, the write integrity information, and a storage-side read data counter value, where the storage-side read data counter value is a counter value obtained based on an initial value of the storage-side read data counter value and a count sequence of the storage-side read data counter, and after the storage-side read data authentication code is generated, the storage-side read data counter value takes a next value of the storage-side read data counter value as the storage-side read data counter value according to the count sequence of the storage-side read data counter;
the processing-side storage module 42 is adapted to generate the processing-side read data authentication code at least based on the shared secret key, the read integrity information, and the current processing-side read data counter value; and after the processing end read data authentication code is generated, the processing end read data counter value takes the next value of the current processing end read data counter value as the processing end read data counter value according to the counting sequence of the processing end read data counter, wherein the initial value of the storage end read data counter value is the same as the initial value of the processing end read data counter value, and the counting sequence of the storage end read data counter is the same as the counting sequence of the processing end read data counter.
Optionally, the processing end receiving module 41 is adapted to receive the data to be read, the storage end write data counter value stored when the data to be read is written, and the storage end read data authentication code, where the storage end read data authentication code is an authentication code generated based on the shared key, one of the processing end write data authentication code and the storage end write data authentication code, and the current storage end read data counter value;
the processing-side storage module 44 is adapted to generate the processing-side read data authentication code based on the shared key, the read integrity information, the current processing-side read data counter value, and the storage-side write data counter value.
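The checks described above (the counter-bound write data authentication code, the read request authentication code, and the read data authentication code that the storage end builds from the saved write integrity information) can be exercised together in a small model. The Python below is an added illustration and not part of the patent text; SHA-256 as the integrity information, HMAC-SHA256 as the authentication code, counters that count 0, 1, 2, ..., and all class and function names are assumptions.

```python
import hashlib
import hmac

# Assumptions (not from the patent): SHA-256 as integrity information,
# HMAC-SHA256 as authentication code, counters counting 0, 1, 2, ...
# Every counter advances as soon as its code has been generated.

def integrity_info(packets):
    """Integrity information over all data packets, each length-prefixed."""
    h = hashlib.sha256()
    for p in packets:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def auth_code(key, *fields):
    """Authentication code over the shared key and length-prefixed fields."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(len(f).to_bytes(4, "big") + f)
    return mac.digest()

def ctr(n):
    """Fixed-width encoding of a counter value or data address."""
    return n.to_bytes(8, "big")

class ProcessingEnd:
    def __init__(self, key):
        self.key = key
        self.write_ctr = self.read_req_ctr = self.read_ctr = 0

    def make_write(self, packets):
        info = integrity_info(packets)            # write integrity information
        code = auth_code(self.key, info, ctr(self.write_ctr))
        self.write_ctr += 1
        return info, code

    def make_read_request(self, address):
        code = auth_code(self.key, ctr(address), ctr(self.read_req_ctr))
        self.read_req_ctr += 1
        return code

    def verify_read(self, packets, storage_code):
        info = integrity_info(packets)            # read integrity information
        code = auth_code(self.key, info, ctr(self.read_ctr))
        self.read_ctr += 1
        return hmac.compare_digest(code, storage_code)

class StorageEnd:
    def __init__(self, key):
        self.key = key
        self.write_ctr = self.read_req_ctr = self.read_ctr = 0
        self.data = {}   # address -> data packets
        self.meta = {}   # address -> (write integrity info, write code, counter)

    def write(self, address, packets, write_info, proc_code):
        self.data[address] = list(packets)        # stored before the comparison
        used = self.write_ctr
        # The received integrity information is used; the packets are not hashed.
        code = auth_code(self.key, write_info, ctr(used))
        self.write_ctr += 1
        if not hmac.compare_digest(code, proc_code):
            return False                          # caller gets report information
        self.meta[address] = (write_info, code, used)
        return True

    def read(self, address, request_code):
        expected = auth_code(self.key, ctr(address), ctr(self.read_req_ctr))
        self.read_req_ctr += 1
        if not hmac.compare_digest(expected, request_code):
            return None                           # stale or altered request: no read
        write_info = self.meta[address][0]        # saved at write time
        code = auth_code(self.key, write_info, ctr(self.read_ctr))
        self.read_ctr += 1
        return list(self.data[address]), code

def demo():
    key = b"constructed-shared-key-for-demo!"     # constructed sample key
    proc, store = ProcessingEnd(key), StorageEnd(key)
    packets = [b"packet-0", b"packet-1"]          # constructed sample data
    out = {}
    info, code = proc.make_write(packets)
    out["write_ok"] = store.write(0x10, packets, info, code)
    request = proc.make_read_request(0x10)
    data, rcode = store.read(0x10, request)
    out["read_ok"] = proc.verify_read(data, rcode)
    store.data[0x10][1] = b"packet-X"             # constructed fault in stored data
    data, rcode = store.read(0x10, proc.make_read_request(0x10))
    out["read_after_fault_ok"] = proc.verify_read(data, rcode)
    out["resent_request"] = store.read(0x10, request)     # counter has moved on
    out["resent_write"] = store.write(0x20, packets, info, code)
    return out

if __name__ == "__main__":
    print(demo())
```

Because the storage end authenticates the received write integrity information rather than hashing the packets, a change to the stored packets only surfaces when the processing end recomputes the read integrity information. A rejected message still advances the storage end counter in this model, so the resent messages are sent last.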
Referring to fig. 11, fig. 11 is a schematic structural diagram of a system on chip according to an embodiment of the present invention, and an embodiment of the present invention further provides a system on chip 5, including:
a general processor 51 comprising at least one processor core adapted to send a read data request to read data, including reading at least one data packet to be read, each processor core being adapted to receive each of said data packets to be read in parallel;
the encryption processor 52 is suitable for at least receiving the memory side read data authentication code of the data to be read; the data reading authentication code of the storage end is an authentication code generated at least based on a shared secret key and the writing integrity information of the data to be read; storing the data to be read, generating read integrity information of the data to be read by using the data to be read, generating a processing terminal read data authentication code at least based on the shared secret key and the read integrity information, and storing each data packet to be written in as parallel storage; and when the data reading authentication code of the storage terminal is equal to the data reading authentication code of the processing terminal, confirming the integrity of the data to be read.
Thus, in the system on chip 5 provided in the embodiment of the present invention, the data to be read includes at least one data packet to be read. The general processor 51 may receive and store each data packet to be read in parallel. The encryption processor 52 may receive a processing end data reading authentication code corresponding to the data to be read, then generate the read integrity information of the data to be read from the data to be read, generate a processing end read data authentication code based on at least the shared key and the read integrity information, and verify the integrity of the data to be read by comparing the processing end read data authentication code with the storage end read data authentication code. Therefore, on the one hand, receiving and storing each data packet to be read in parallel improves the efficiency of receiving and storing data between the system on chip and the memory. At the same time, comparing the processing end read data authentication code with the storage end read data authentication code ensures data integrity. Further, the encryption processor 52 further generates a storage-side read data authentication code by using the write integrity information stored in the write process, and the processing end read data authentication code is then compared with the storage end read data authentication code, so the storage end does not need to calculate integrity information from the data to be read. This reduces the computational bottleneck caused by calculating the integrity information and improves data storage efficiency while still ensuring data integrity.
Optionally, the storage-side read data authentication code is an authentication code generated at least based on the shared key, the write integrity information, and a storage-side read data counter value, where the storage-side read data counter value is a counter value obtained based on an initial value of the storage-side read data counter value and a count sequence of the storage-side read data counter, and after the storage-side read data authentication code is generated, the storage-side read data counter value takes a next value of the storage-side read data counter value as the storage-side read data counter value according to the count sequence of the storage-side read data counter;
the encryption processor 52 is adapted to generate the processing-side read data authentication code based on at least the shared secret key, the read integrity information, and a current processing-side read data counter value; and after the processing end read data authentication code is generated, the processing end read data counter value takes the next value of the current processing end read data counter value as the processing end read data counter value according to the counting sequence of the processing end read data counter, wherein the initial value of the storage end read data counter value is the same as the initial value of the processing end read data counter value, and the counting sequence of the storage end read data counter is the same as the counting sequence of the processing end read data counter.
Optionally, the encryption processor 52 is further adapted to receive the storage-side write data counter value and the storage-side read data authentication code stored when the data to be read is written, where the storage-side read data authentication code is an authentication code generated based on the shared key, one of the processing-side write data authentication code and the storage-side write data authentication code, and the current storage-side read data counter value; and generating the processing end read data authentication code based on the shared secret key, the read integrity information, the current processing end read data counter value and the storage end write data counter value.
An embodiment of the present invention further provides a processor configured to execute the data reading method. For details, refer to the foregoing embodiment, which is not repeated here.
An embodiment of the present invention further provides an electronic device including the data reading apparatus, or the system on chip, or the processor. For details, refer to the foregoing embodiment, which is not repeated here.
Although the embodiments of the present invention are disclosed above, the embodiments of the present invention are not limited thereto. Various changes and modifications may be effected therein by one of ordinary skill in the pertinent art without departing from the scope or spirit of the present embodiments, and it is intended that the scope of the present embodiments be defined by the appended claims.

Claims (14)

1. A method of writing data, comprising:
receiving data to be written, write integrity information of the data to be written and a processing end write data authentication code of the data to be written, wherein the data to be written comprises at least one data packet to be written, the data packets to be written are received in parallel, and the processing end write data authentication code is an authentication code generated at least based on a shared key and the write integrity information;
storing the data to be written, and generating a storage end write data authentication code at least based on the shared secret key and the write integrity information, wherein the storage of each data packet to be written is parallel storage;
judging whether the processing end write data authentication code is equal to the storage end write data authentication code or not;
and when the processing end write data authentication code is equal to the storage end write data authentication code, at least storing the processing end write data authentication code or the storage end write data authentication code.
2. The data writing method of claim 1, wherein the processing-side write data authentication code is an authentication code generated based on the shared secret key, the write integrity information, and a current processing-side write data counter value, the processing-side write data counter value is a counter value obtained based on an initial value of a processing-side write data counter value and a count sequence of a processing-side write data counter, and each time the processing-side write data authentication code is generated, a new processing-side write data counter value is obtained from the current processing-side write data counter value and the count sequence of the processing-side write data counter and stored as a processing-side write data counter value;
the step of generating a storage-side write data authentication code based on at least the shared key and the write integrity information comprises:
generating the storage end write data authentication code based on the shared key, the write integrity information and the current storage end write data counter value, acquiring a new storage end write data counter value according to the current storage end write data counter value and a counting sequence of the storage end write data counter, and storing the new storage end write data counter value as the storage end write data counter value, wherein the storage end write data counter value is a counter value obtained based on an initial value of the storage end write data counter value and a counting sequence of the storage end write data counter, the initial value of the storage end write data counter value is the same as the initial value of the processing end write data counter value, and the counting sequence of the storage end write data counter is the same as the counting sequence of the processing end write data counter;
the step of storing at least the processing-side write data authentication code or the storage-side write data authentication code comprises:
storing the current store-side write data counter value and one of the current processing-side write data authentication code and the current store-side write data authentication code.
3. The data writing method according to claim 1 or 2, further comprising:
and when the processing end write data authentication code is not equal to the storage end write data authentication code, returning report information.
4. The data writing method according to claim 3, wherein the data to be written is received in parallel with the write integrity information of the data to be written and the processing end write data authentication code of the data to be written.
5. The data writing method according to claim 3, wherein each of the to-be-written data packets is received and stored by using a common storage unit of the storage terminal, wherein each of the common storage units receiving and storing each of the to-be-written data packets is different.
6. The data writing method according to claim 3, wherein an encrypted storage unit of the storage end is used to receive writing integrity information of the data to be written and a processing end writing data authentication code of the data to be written;
generating a storage end write data authentication code by utilizing an encryption storage unit of the storage end at least based on the shared secret key and the write integrity information;
and storing the processing end write data authentication code or the storage end write data authentication code by utilizing an encryption storage unit of the storage end.
7. The data writing method of claim 3, wherein the current store-side write data counter value is stored using a count storage unit of the store side.
8. A data writing apparatus, comprising:
a storage end receiving module, adapted to receive data to be written, write integrity information of the data to be written and a processing end write data authentication code of the data to be written, wherein the data to be written comprises at least one data packet to be written, the receiving of the data packets to be written is parallel receiving, and the processing end write data authentication code is an authentication code generated at least based on a shared secret key and the write integrity information;
a storage end storage module, adapted to store the data to be written, and generate a storage end write data authentication code based on at least the shared secret key and the write integrity information, where the storage of each data packet to be written is parallel storage;
the storage end judging module is suitable for judging whether the processing end write data authentication code is equal to the storage end write data authentication code or not;
a storage side validation module adapted to store at least the processing side write data authentication code or the storage side write data authentication code when the processing side write data authentication code is equal to the storage side write data authentication code.
9. The data writing apparatus of claim 8, wherein the process-side write data authentication code is an authentication code generated based on the shared secret key, the write integrity information, and a current process-side write data counter value, the process-side write data counter value is a counter value obtained based on an initial value of a process-side write data counter value and a count sequence of a process-side write data counter, and each time the process-side write data authentication code is generated, a new process-side write data counter value is obtained from the current process-side write data counter value and the count sequence of the process-side write data counter and stored as a process-side write data counter value;
the storage end storage module is adapted to generate the storage end write data authentication code based on the shared key, the write integrity information, and the current storage end write data counter value, acquire a new storage end write data counter value according to the current storage end write data counter value and a count sequence of the storage end write data counter, and store the new storage end write data counter value as the storage end write data counter value, where the storage end write data counter value is a counter value obtained based on an initial value of the storage end write data counter value and a count sequence of the storage end write data counter, the initial value of the storage end write data counter value is the same as the initial value of the processing end write data counter value, and the count sequence of the storage end write data counter is the same as the count sequence of the processing end write data counter;
the storage end confirmation module is suitable for storing the current storage end write data counter value and one of the current processing end write data authentication code and the current storage end write data authentication code.
10. A memory, comprising:
at least two common storage units, adapted to receive and store data to be written, wherein the data to be written comprises at least one data packet to be written, and the common storage units are adapted to receive the data packets to be written in parallel and to store the data packets to be written in parallel;
an encryption storage unit, adapted to receive write integrity information of the data to be written and a processing end write data authentication code of the data to be written, to generate a storage end write data authentication code at least based on the shared key and the write integrity information, and to judge whether the processing end write data authentication code is equal to the storage end write data authentication code, wherein the processing end write data authentication code is an authentication code generated at least based on the shared key and the write integrity information;
and a count storage unit, adapted to store at least the processing end write data authentication code or the storage end write data authentication code when the processing end write data authentication code is equal to the storage end write data authentication code.
11. The memory of claim 10, wherein the process side write data authentication code is an authentication code generated based on the shared secret key, the write integrity information, and a current process side write data counter value, the process side write data counter value is a counter value derived based on an initial value of a process side write data counter value and a count sequence of a process side write data counter, and each time the process side write data authentication code is generated, a new process side write data counter value is obtained from the current process side write data counter value and the count sequence of the process side write data counter and stored as a process side write data counter value;
the encryption storage unit is adapted to generate the storage end write data authentication code based on the shared key, the write integrity information, and a current storage end write data counter value, acquire a new storage end write data counter value according to the current storage end write data counter value and a count sequence of the storage end write data counter, and store the new storage end write data counter value as the storage end write data counter value, where the storage end write data counter value is a counter value obtained based on an initial value of the storage end write data counter value and a count sequence of the storage end write data counter, the initial value of the storage end write data counter value is the same as the initial value of the processing end write data counter value, and the count sequence of the storage end write data counter is the same as the count sequence of the processing end write data counter;
the count storage unit is adapted to store the current storage-side write data counter value and one of the current processing-side write data authentication code and the current storage-side write data authentication code.
12. A memory storing a program adapted for data writing, so as to implement the data writing method according to any one of claims 1 to 7.
13. A memory chip comprising a data writing apparatus according to claim 8 or 9, or a memory according to any one of claims 10 to 12.
14. An electronic device comprising the memory chip of claim 13.
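The counter-synchronised authentication code of claims 9 and 11, sketched as an added example that is not taken from the patent. The claims name no algorithm, so HMAC-SHA-256, a SHA-256 digest as the write integrity information, a count sequence of +1 and all class and function names are assumptions.

```python
import hashlib
import hmac

def integrity_info(packets):
    # Assumption: write integrity information = SHA-256 over length-prefixed packets.
    h = hashlib.sha256()
    for p in packets:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def write_mac(key, info, counter):
    # Assumption: HMAC-SHA-256 over counter || integrity info (claims name no algorithm).
    return hmac.new(key, counter.to_bytes(8, "big") + info, hashlib.sha256).digest()

class ProcessingEnd:
    def __init__(self, key, initial_counter=0):
        self.key, self.counter = key, initial_counter

    def prepare_write(self, packets):
        info = integrity_info(packets)
        mac = write_mac(self.key, info, self.counter)
        self.counter += 1  # assumed count sequence: +1 per generated code
        return packets, info, mac

class StorageEnd:
    def __init__(self, key, initial_counter=0):
        self.key, self.counter = key, initial_counter
        self.cells, self.stored = [], None

    def write(self, packets, info, mac):
        used = self.counter
        expected = write_mac(self.key, info, used)
        self.counter += 1  # advanced whenever a storage-end code is generated
        if not hmac.compare_digest(mac, expected):
            return False  # codes differ: no data, code or counter value is kept
        self.cells = list(packets)
        self.stored = (used, expected)  # counter value used and the matching code
        return True

def demo():
    key = bytes(range(32))  # constructed shared key
    cpu, mem = ProcessingEnd(key), StorageEnd(key)
    msg = cpu.prepare_write([b"packet-0", b"packet-1"])
    first = mem.write(*msg)
    replayed = mem.write(*msg)  # same message again: storage counter has moved on
    cpu2, mem2 = ProcessingEnd(key), StorageEnd(key)
    packets, info, mac = cpu2.prepare_write([b"packet-0"])
    tampered = mem2.write(packets, integrity_info([b"packet-X"]), mac)
    return first, replayed, tampered

if __name__ == "__main__":
    print(demo())
```

Because both ends start from the same initial value and follow the same count sequence, a captured write message fails verification once the storage-end counter has advanced, and altered integrity information fails immediately.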
CN202010144506.5A 2019-12-23 2020-03-04 Data writing method and related device Pending CN111368346A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201911335324X 2019-12-23
CN201911335324 2019-12-23

Publications (1)

Publication Number Publication Date
CN111368346A true CN111368346A (en) 2020-07-03

Family

ID=71208598

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202010144506.5A Pending CN111368346A (en) 2019-12-23 2020-03-04 Data writing method and related device
CN202010144970.4A Active CN111400717B (en) 2019-12-23 2020-03-04 Data reading method and related device

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN202010144970.4A Active CN111400717B (en) 2019-12-23 2020-03-04 Data reading method and related device

Country Status (1)

Country Link
CN (2) CN111368346A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1707450A (en) * 2004-06-08 2005-12-14 侯方勇 Method and apparatus for protecting data confidentiality and integrity in memory equipment
CN1920785A (en) * 2005-08-26 2007-02-28 国际商业机器公司 Apparatus, system, and method for mandatory end to end integrity checking in a storage system
CN102841998A (en) * 2012-07-11 2012-12-26 哈尔滨工程大学 Stored data integrity protection method of memory addition validator
CN105069379A (en) * 2015-07-29 2015-11-18 哈尔滨工程大学 Memory integrity protection method based on write counter
CN109976673A (en) * 2019-03-29 2019-07-05 新华三技术有限公司 A kind of method for writing data and device
CN110289947A (en) * 2019-04-29 2019-09-27 北京开态智慧科技有限公司 Data transmit consistency desired result method, apparatus, computer equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101882189B (en) * 2010-06-30 2012-05-30 华南理工大学 Embedded-type system for ensuring completeness of program and realization method thereof
US9690953B2 (en) * 2013-03-14 2017-06-27 Apple Inc. Generating efficient reads for a system having non-volatile memory
CN106293978A (en) * 2015-05-22 2017-01-04 炬芯(珠海)科技有限公司 A kind of method and apparatus of data feedback
CN108073353B (en) * 2016-11-15 2020-04-14 华为技术有限公司 Data processing method and device
US10540297B2 (en) * 2017-08-03 2020-01-21 Arm Limited Memory organization for security and reliability

Also Published As

Publication number Publication date
CN111400717B (en) 2022-03-22
CN111400717A (en) 2020-07-10

Similar Documents

Publication Publication Date Title
US20170063853A1 (en) Data cipher and decipher based on device and data authentication
US11755406B2 (en) Error identification in executed code
US11349636B2 (en) Local ledger block chain for secure updates
CN107483419A (en) Method, apparatus, system, server and the computer-readable recording medium of server authentication access terminal
US11397814B2 (en) Local ledger block chain for secure electronic control unit updates
CN102693385A (en) Embedded terminal based on SD (secure digital) trusted computing module and implementation method thereof
US8738919B2 (en) Control of the integrity of a memory external to a microprocessor
US10862675B2 (en) Method for exchanging messages between security-relevant devices
US20210406407A1 (en) Block chain based validation of memory commands
US9076002B2 (en) Stored authorization status for cryptographic operations
CN111400717B (en) Data reading method and related device
US11316841B2 (en) Secure communication between an intermediary device and a network
CN113826071A (en) Over-the-air update acknowledgement
CN113748698A (en) Secure communication while accessing a network
CN113489589A (en) Data encryption and decryption method and device and electronic equipment
CN116668004B (en) Method and device for rapidly identifying abnormal information and storage medium thereof
JP5057270B2 (en) Information verification method, information verification apparatus, and information verification system
CN115037474B (en) USB PD protocol chip and identity authentication method
CN117255341B (en) MIFI-based data encryption transmission protection method and system
CN114826600B (en) Key instruction confirmation method, device, medium and electronic equipment
CN115277049B (en) Data transmission method, data receiving method and network equipment
US20230299957A1 (en) Protection of a secret key
CN116629871B (en) Order online payment system and payment method
RU2591181C1 (en) Method of authenticating transmitted command words
EP4352918A1 (en) Securely and reliably transmitting messages between network devices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 300384 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 Industrial Incubation-3-8

Applicant after: Haiguang Information Technology Co., Ltd

Address before: 300384 Tianjin Binhai New Area Tianjin Huayuan Industrial Zone No. 18 Haitai West Road North 2-204 Industrial Incubation-3-8

Applicant before: HAIGUANG INFORMATION TECHNOLOGY Co.,Ltd.
