CN116633618A - Key encryption and decryption method, storage and application control system and electronic equipment - Google Patents

Publication number
CN116633618A
Authority
CN
China
Prior art keywords
key
data
module
loading information
secret
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310591353.2A
Other languages
Chinese (zh)
Inventor
宋海良
郭祥金
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Yijiahe Technology Co ltd
Original Assignee
Guangdong Yijiahe Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Yijiahe Technology Co ltd filed Critical Guangdong Yijiahe Technology Co ltd
Priority to CN202310591353.2A priority Critical patent/CN116633618A/en
Publication of CN116633618A publication Critical patent/CN116633618A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The application relates to the technical field of data security and discloses a key encryption and decryption method, a storage and application control system, and electronic equipment. The key encryption method comprises: setting a communication handshake key; generating a key data stream according to the communication handshake key; creating key loading information; encrypting the plaintext data according to the key data stream and the key loading information to obtain key ciphertext data; and storing the key ciphertext data in a storage space of the key. The key decryption method comprises: reading the key ciphertext data from the storage space of the key; obtaining the communication handshake key and the key loading information used during encryption; and decrypting the key ciphertext data according to the communication handshake key and the key loading information to obtain the key plaintext data.

Description

Key encryption and decryption method, storage and application control system and electronic equipment
Technical Field
The embodiment of the application relates to the technical field of data security, in particular to a secret key encryption and decryption method, a storage and application control system and electronic equipment.
Background
With the continuous progress of network information security technology, IPSec VPN technology is widely used in network information security. An IPSec VPN is a VPN technology that implements remote access using the IPSec protocol. It provides security services at the IP layer of the Internet protocol stack; an operator can select the appropriate security protocol according to communication requirements to determine the algorithms the service uses, and the IPSec VPN provides a mutual identity authentication method to protect one or more paths between hosts or between security gateways, and to protect data in transit from theft and attack. Because IPSec VPN communication offers high security, confidentiality and reliability, it is widely applied in the field of robot control.
IPSec VPN technology is comparatively secure as a communication channel. Before communicating, the two parties must identify each other by exchanging communication handshake keys. These keys are often stored on a hard disk as a database or a file, or in an external electrically erasable programmable read-only memory (EEPROM) or flash memory (Flash) medium. Because hard disks and flash memory are easily readable, this way of storing keys carries a high risk where a high security level is required.
Disclosure of Invention
The embodiment of the application provides a key encryption and decryption method, a storage and application control system, and electronic equipment. By encrypting the communication handshake key used for network communication and storing only the encrypted key ciphertext data, the risk of the communication handshake key being brute-forced is reduced, which improves the security of network communication.
The embodiment of the application provides the following technical scheme:
in a first aspect, an embodiment of the present application provides a key encryption method, including:
setting a communication handshake secret key;
generating a key data stream according to the communication handshake key;
creating key loading information;
encrypting the plaintext data according to the key data stream and the key loading information to obtain key ciphertext data;
and storing the key ciphertext data into a storage space of the key.
In some embodiments, creating the key loading information includes:
starting an authorized session to create access rights;
creating a primary key object to generate a seed key according to the primary key object;
creating an RSA key according to the seed key to generate a public key and a private key;
and generating secret key loading information by fusion according to the public key and the private key.
In some embodiments, storing the key ciphertext data to the storage space of the key comprises:
creating access rights of the storage space;
setting an address and a storage space of key storage, and authorizing the storage space;
and writing the key ciphertext data into the storage space to store the key ciphertext data.
In some embodiments, the memory space of the key comprises non-volatile memory space.
In a second aspect, an embodiment of the present application provides a key decryption method, including:
reading key ciphertext data from a storage space of a key;
obtaining key loading information during encryption;
and decrypting the key ciphertext data according to the communication handshake key and the key loading information to obtain the key plaintext data.
In some embodiments, prior to reading the key ciphertext data from the storage space of the key, the method further comprises:
verifying the legitimacy of the key decryption identity;
if the key decryption identity is verified to be legal, obtaining key loading information during encryption;
if the verification key decryption identity is illegal, the key ciphertext data is not decrypted.
In a third aspect, an embodiment of the present application provides a key storage system, where the system includes a data reading module, an encryption module, a decryption module, and a storage module;
the encryption module is used for setting a communication handshake secret key; generating a key data stream according to the communication handshake key; creating key loading information; encrypting the plaintext data according to the key data stream and the key loading information to obtain key ciphertext data;
the data reading module is used for reading the secret key ciphertext data from the storage space of the secret key; obtaining key loading information during encryption;
the decryption module is used for decrypting the secret key ciphertext data according to the communication handshake secret key and the secret key loading information to obtain secret key plaintext data;
the storage module is used for storing the secret key ciphertext data into a storage space of the secret key.
In some embodiments, the data reading module is further configured to verify the legitimacy of the key decryption identity; if the key decryption identity is verified to be legal, the key loading information used during encryption can be obtained; if the key decryption identity fails verification, the key ciphertext data cannot be decrypted.
In a fourth aspect, an embodiment of the present application provides an application control system, applied to a chip, where the system includes:
a hardware encryption layer comprising: the system comprises an identity authentication module and a password algorithm module, wherein the identity authentication module is used for authenticating the starting of a basic input and output system and an operating system, the password algorithm module is used for encrypting data, and the identity authentication module and the password algorithm module are jointly used for guiding forced identity authentication and identification when the operating system is started;
the system layer comprises a device driver, wherein the device driver is used for driving the chip;
an application layer, the application layer comprising: the key storage system of the third aspect.
In a fifth aspect, an embodiment of the present application provides an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the key encryption method as in the first aspect and the key decryption method as in the second aspect.
In a sixth aspect, embodiments of the present application provide a non-volatile computer-readable storage medium storing computer-executable instructions for causing an electronic device to perform a key encryption method as in the first aspect and a key decryption method as in the second aspect.
The beneficial effects of the embodiment of the application are as follows. Unlike the prior art, the embodiment of the application provides a key encryption method applied to a key storage system, comprising: setting a communication handshake key; generating a key data stream according to the communication handshake key; creating key loading information; encrypting the plaintext data according to the key data stream and the key loading information to obtain key ciphertext data; and storing the key ciphertext data in the storage space of the key. Because the communication handshake key used for network communication is encrypted and only the encrypted key ciphertext data is stored, the risk of the communication key being brute-forced is reduced and the security of network communication is improved.
Drawings
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which the figures of the drawings are not to scale, unless expressly stated otherwise.
FIG. 1 is a schematic diagram of an application control system according to an embodiment of the present application;
FIG. 2 is a flowchart of a key encryption method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a refinement flow of step S203 in FIG. 2;
FIG. 4 is a schematic diagram of a refinement flow of step S205 in FIG. 2;
FIG. 5 is a flowchart of a key decryption method according to an embodiment of the present application;
FIG. 6 is a schematic diagram of verifying the validity of a key decryption identity according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Reference numerals illustrate:
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In addition, the technical features of the embodiments of the present application described below may be combined with each other as long as they do not collide with each other.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. The term "and/or" as used in this specification includes any and all combinations of one or more of the associated listed items.
The technical scheme of the application is specifically described below with reference to the accompanying drawings of the specification:
Referring to FIG. 1, FIG. 1 is a schematic structural diagram of an application control system according to an embodiment of the present application.
As shown in FIG. 1, the application control system 100 is applied to an electronic device (TCM device) that includes a domestic trusted computing platform module (TCM chip). The TCM, in English "Trusted Cryptography Module", provides cryptographic operation functions for a trusted computing platform and has a protected storage space. The concept of the trusted computing platform was proposed by the national cryptographic authority; the trusted computing platform is a support system built into a computing system to implement trusted computing functions. The cryptographic support platform for trusted computing is an important component of the trusted computing platform. It covers cryptographic algorithms, key management, certificate management, cryptographic protocols, cryptographic services and the like, and provides cryptographic support for the integrity, identity credibility and data security of the trusted computing platform.
The application control system 100 includes a hardware encryption layer 110, a system layer 120, and an application layer 130.
The hardware encryption layer 110 is a TCM chip and includes an identity authentication module 111 and a cryptographic algorithm module 112. The identity authentication module 111 performs legitimacy authentication management on the start of BIOS/UEFI. UEFI stands for Unified Extensible Firmware Interface, a standard that describes in detail a new type of firmware interface for computers; UEFI aims to improve software interoperability and to resolve the limitations of BIOS. If the authentication fails, the BIOS stops starting the operating system. The identity authentication module 111 is further used for start-up authentication management of the basic input output system (Basic Input Output System, BIOS). The cryptographic algorithm module 112 is located in the on-board TCM chip and is used for encrypting data. Together, the identity authentication module and the cryptographic algorithm module enforce identity authentication and identification during boot, when the operating system is started.
In the embodiment of the application, the identity authentication module and the cryptographic algorithm module work as follows. After the operating system is started, the BIOS completes the system self-check and initialization after power-on, and the on-board TCM chip and the secure hard disk are each connected to the BIOS. The identity authentication module performs forced identity authentication on the operator starting the system, and at the same time the basic input and output devices (namely the keyboard and mouse) authenticate the operator's identity. After the operator passes that authentication, the operator enters data using the basic input and output devices, and the identity authentication module forcibly verifies the entered data against key data stored in the BIOS flash memory chip, thereby authenticating the operator's identity. After the BIOS has authenticated the operator, the SM3 algorithm engine in the cryptographic algorithm module calculates the hash value of the BIOS, and this hash value is stored in the data confidentiality storage module of the on-board TCM chip. The integrity measurement module in the on-board TCM chip calls the SM1 algorithm in the cryptographic algorithm module to make an SM1-encrypted backup, using the first 128 bits of the BIOS hash value as the backup key, and the encrypted backup data is stored in the on-board TCM chip. The key data stored on the secure hard disk is then used to identify and check the operator's identity again, and the secure hard disk is initialized and checked after the operator passes this check.
In addition, the hardware encryption layer also comprises a security authentication serial port terminal based on national cryptographic algorithms. The CPU of the security authentication serial port terminal contains an SM1 algorithm engine, an SM2 algorithm engine and an SM3 algorithm engine, which provide algorithm support for the chip and the operating system. The confidential storage of the security authentication serial port terminal stores the identity authentication information and the private key, and also provides confidential storage for information exchanged with the identity authentication module. The chip operating system of the security authentication serial port terminal calls the national cryptographic algorithm engines of the CPU to digitally sign outgoing data and to decrypt received data with the private key. The serial port terminal can also be connected to biometric recognition technology, including but not limited to a fingerprint module and a face identification module.
The system layer 120 includes a device driver 121, which is the TCM device driver and is used to drive the TCM chip. The system layer 120 further includes a protocol stack layer. In a domestic trusted computing platform module (TCM), an operator cannot directly operate the registers inside the chip; interaction with the TCM is implemented through software such as a protocol stack. The protocol stack layer (IPSEC protocol processing layer) of the TCM is a secure transmission protocol that ensures the security of the network transmission process, but the actual source of that security is that the data it transmits has been encrypted by the TCM. The protocol stack layer includes tpm2_tss, tpm2_tool and tpm2_abrmd. The TSS (TCG Software Stack), also known as the trusted software stack, is the supporting software for the TPM on the trusted computing platform. The primary role of the TSS is to provide an interface through which operating systems and applications use the TPM. The structure of the TSS can be divided into a kernel layer, a system service layer, and an operator program layer. Tpm_tool is an application tool of the TCM for accessing the TPM2.0 non-volatile (NV) space (index values) on a compatible system; it provides functions to enumerate, create, delete, query and lock NV indexes and to read and write the data stored in them. Tpm2_abrmd is a TCM2 access agent and resource manager, a system daemon that implements the TCG's TPM2 access broker (TAB) and resource manager (RM) specifications. Together, tpm2_tss, tpm2_tool and tpm2_abrmd provide an interface for applications to access the TCM while managing the TCM.
The application layer 130 includes a key storage system 131, where the key storage system 131 includes a data reading module 1311, an encryption module 1312, a storage module 1313, and a decryption module 1314.
The data reading module 1311 is respectively connected to the storage module 1313 and the decryption module 1314 in a communication manner, where the data reading module 1311 is configured to send a request for reading key ciphertext data to the storage module, read the key ciphertext data from the storage space of the key, and send the key ciphertext data to the decryption module; and obtaining the key loading information during encryption.
The encryption module 1312 is communicatively coupled to the storage module 1313, the encryption module 1312 being configured to set a communication handshake key; generating a key data stream according to the communication handshake key; creating key loading information; and encrypting the plaintext data according to the key data stream and the key loading information to obtain key ciphertext data, and transmitting the key ciphertext data to the storage module.
The storage module 1313 is communicatively connected to the encryption module 1312, where the storage module 1313 is configured to receive the key ciphertext data sent by the encryption module, and store the key ciphertext data in a storage space of the key.
The decryption module 1314 is communicatively connected to the data reading module 1311, and is configured to receive the key ciphertext data sent by the data reading module; acquiring a communication handshake secret key and secret key loading information during encryption; and decrypting the key ciphertext data according to the communication handshake key and the key loading information to obtain the key plaintext data.
In the embodiment of the present application, the encryption module 1312 is specifically configured to:
starting an authorized session to create access rights;
creating a primary key object to generate a seed key according to the primary key object;
creating an RSA key according to the seed key to generate a public key and a private key;
according to the public key and the private key, generating secret key loading information in a fusion way;
creating access rights of the storage space;
setting an address and a storage space of key storage, and authorizing the storage space;
and writing the key ciphertext data into the storage space to store the key ciphertext data.
Referring to fig. 2, fig. 2 is a flow chart of a key encryption method according to an embodiment of the application;
the key encryption method is applied to a key storage system, and specifically, an execution subject of the key encryption method is one or more processors of the electronic device.
As shown in fig. 2, the key encryption method includes:
In the embodiment of the application, before the communication handshake key is encrypted, the computer control system is powered on and started. After start-up, the operating system reads the session authorization digest through the TCM and verifies the legitimacy of the basic input output system (BIOS) and the operating system (OS). If the check fails, the system reports an error and the communication handshake key is not encrypted. If the check passes, the authentication is successful: the normal system start-up interface is shown to indicate that the system has started normally, and step S201 can then be entered.
Step S201: setting a communication handshake secret key;
Specifically, an operator sets the communication handshake key through a deployment tool; the communication handshake key is an IPSec VPN communication handshake key. The deployment tool ships from the factory with a default initialization password for key setting, and this default factory password must be changed when the IPSec VPN handshake key is set for the first time. The legitimacy of the operator is verified before the key is set: if verification fails, the deployment tool reports an error and login for key setting is not allowed; if the user's identity verification passes, the key-setting interface is entered.
Step S202: generating a key data stream according to the communication handshake key;
Specifically, the key data stream is a string of data that is combined with the plaintext data stream for encryption and decryption. The key data stream is generated according to the communication handshake key, by producing a string of key data through a random or pseudo-random process.
Step S203: creating key loading information;
In an embodiment of the present application, TPM (Trusted Platform Module) refers to the TPM hardware security chip proposed by the Trusted Computing Group (TCG) and the trusted computing architecture standard built on it, for example the TPM2.0 specification. Authorization is a core concept in the TPM2.0 specification: the specification requires that access to every kind of resource be authorized. Authorization controls access to TPM entities and provides the TPM's security guarantee. A session is the carrier and tool through which the TPM completes authorization, and the various kinds of authorization are carried out by setting the attributes and state of the session. The TPM is a chip embedded in the computer to provide it with a root of trust; the chip's specification is defined by the Trusted Computing Group. Its counterpart in China is the TCM (Trusted Cryptography Module).
Referring to fig. 3 again, fig. 3 is a schematic diagram of a refinement flow of step S203 in fig. 2;
as shown in fig. 3, step S203: creating key loading information, comprising:
step S2031: starting an authorized session to create access rights;
Specifically, a non-volatile storage space (NV space) access tool in the Trusted Platform Module (TPM) is used to generate the command that sets the TCM access right authentication. The tool is used to access the TPM2.0 non-volatile (NV) space (index values) on a compatible system and has zero dependencies on any TPM2.0 stack; it provides functions to enumerate, create, delete, query and lock NV indexes and to read and write the data stored in them. The NV space access tool includes tpm_tool, a tool applied to TCM devices. The command for setting the TCM access right authentication is tcm2_takeownership (O1, E1, L1), where ownership denotes the owner of the operation authority over the TPM; parameter O1 is the ownerpass, the password an operator must use when operating the TPM device (which may be any device with a TPM chip); parameter E1 is the endorsepass, the password for endorsing/signing with the TPM; and parameter L1 is the lockpass, which locks the TPM. Once the TCM access right authentication succeeds, the access right is obtained.
Step S2032: creating a primary key object to generate a seed key according to the primary key object;
Specifically, the command tpm2_createprimary, generated with the non-volatile storage space (NV space) access tool of the Trusted Platform Module (TPM), creates a master key object, and a seed key is generated from the created master key object. The key is an RSA key, the hash function is SHA256, and the seed key object is temporarily stored in a cache file. For example, the tpm_tool command for generating the seed key is tcm2_createprimary (He, K11, G0b, cpotx.ctx, L1), where parameter He denotes the endorsement key (TPM_RH_ENDORSEMENT), parameter K11 denotes the authentication key, that is, the password for operating the master object, parameter G0b denotes the type of algorithm used to generate the master key, for example the SHA256 algorithm, parameter cpotx.ctx denotes the temporary file that holds the seed key object, and parameter L1 denotes the locking operation for the TPM.
Step S2033: creating an RSA key according to the seed key to generate a public key and a private key;
Specifically, an RSA key is created from the generated seed key, that is, a public key and a private key are generated. For example, the tpm_tool command for creating the RSA key is tcm2_create (cpotx.ctx, key.pub, key.priv). Both the public key and the private key created are stored in the key storage system; key.pub and key.priv are two text files, key.pub storing the public key and key.priv storing the private key.
Step S2034: according to the public key and the private key, generating secret key loading information in a fusion way;
Specifically, the public key and the private key generated in step S2033 are fused with the tcm2_load command to generate the key loading information. For example, the tpm_tool command for generating the key loading information is tcm2_load (key.pub, key.priv, rsaobj.ctx), where key.pub denotes the text file storing the public key, key.priv denotes the text file storing the private key, and rsaobj.ctx denotes the key loading information; the data obtained by fusing the public key and the private key is held in the rsaobj.ctx structure.
Step S204: encrypting the plaintext data according to the key data stream and the key loading information to obtain key ciphertext data;
Specifically, the plaintext data is encrypted with the rsaencrypt command according to the key data stream and the key loading information to obtain the key ciphertext data, where the plaintext data is the communication handshake key. For example, the command for encrypting the plaintext data is encrydm1 = rsaencrypt (rsaobj.ctx, dm1), where rsaobj.ctx denotes the key loading information and dm1 denotes the key data stream; the encryption command uses the RSA encryption algorithm.
It can be appreciated that the principle of the RSA public-key cryptosystem is as follows: according to number theory, finding two large prime numbers is relatively simple, whereas factoring their product is much more difficult, so the product can be disclosed as the encryption key. In RSA encryption, ciphertext = plaintext^E mod N; that is, the plaintext is raised to the power E and the remainder on division by N is taken. With the public key known, the rsaencrypt command generated by the tpm_tool tool encrypts the plaintext data with the public key.
Step S205: storing the key ciphertext data into a storage space of the key;
referring to fig. 4 again, fig. 4 is a schematic diagram of the refinement flow of step S205 in fig. 2;
as shown in fig. 4, step S205: storing the key ciphertext data to a storage space of the key, comprising:
step S2051: creating access rights of the storage space;
Specifically, the access rights of the storage space are created with the takeownership command generated by the tcm_tool. For example, the command for creating the access rights of the storage space is tcm2_takeownership (ownerpass, ekpass), where ownerpass denotes the password with which an operator operates the TPM device, ekpass denotes the password for endorsing/signing with the TPM, and Lockpass denotes locking the TPM.
Step S2052: setting an address and a storage space of key storage, and authorizing the storage space;
Specifically, the address and the space for key storage are set and the opened space is authorized at the same time, so that the operator can operate this area in the TCM chip. Ownership of the operating rights over the TPM is obtained through the command tcm2_takeownership (ownerpass, ekpass), which authorizes reading and writing of the storage space in the chip, where ownerpass is the password with which an operator operates the TPM device, ekpass is the password for endorsing/signing with the TPM, and Lockpass is used for locking the TPM.
Step S2053: writing key ciphertext data into the storage space to store the key ciphertext data;
Specifically, the preset key storage address is accessed, and the key ciphertext data is written into the storage space corresponding to that address with the tcm2_nvwrite (NV.data) command, so as to store the key ciphertext data. The storage space is a non-volatile storage space (NV space), which includes, but is not limited to, flash memory, a solid state drive (SSD), storage class memory (SCM), NOR flash memory, random access memory (RAM) and magnetic random access memory (MRAM). NV.data denotes the data written into the NV space, and ownerpass denotes the password with which an operator operates the TPM device. In addition to the key ciphertext data, an authorization session digest must also be stored in the non-volatile storage space inside the chip; the authorization session digest is equivalent to a verification signature that guarantees the non-repudiation of the information.
Referring to fig. 5 again, fig. 5 is a flow chart of a key decryption method according to an embodiment of the application;
as shown in fig. 5, the key decryption method includes:
step S501: reading key ciphertext data from a storage space of a key;
Specifically, reading the key ciphertext data from the key storage space in the TCM chip is the inverse operation of writing the key ciphertext data. The address and space of the key storage are obtained with the tcm2_nvdefine (Length, ownerpass) command, and authorization is performed at the same time so that the operator can operate the storage space in the TCM chip, where addstart denotes the starting address at which the key ciphertext data is stored, Length denotes the length of the data to be read, and ownerpass denotes the password with which an operator operates the TPM device. The key ciphertext data is then read from the NV space at the preset key storage address with the tcm2_nvread (nv.data) command, where nv.data denotes the data read from the NV space and ownerpass denotes the password with which an operator operates the TPM device.
Step S502: obtaining key loading information during encryption;
specifically, the key loading information is created before encrypting the key data, and when decrypting the key ciphertext data, the key loading information during encryption can be obtained by adopting a direct calling mode.
Step S503: decrypting the key ciphertext data according to the key loading information to obtain key plaintext data;
Specifically, the ciphertext data stream file is decrypted with the tpm2_rsadecrypt command in combination with the key loading information. For example, the command for decrypting the ciphertext data stream file is tpm2_rsadecrypt (rsaobj.ctx, encrydm1, dm1), where rsaobj.ctx denotes the key loading information, encrydm1 denotes the key ciphertext data, and dm1 denotes the plaintext data stream. The command generates the plaintext data stream file data.decrypt and outputs the plaintext data stream dm1, which yields the key plaintext data.
Referring to fig. 6 again, fig. 6 is a schematic diagram illustrating a verification of validity of a key decryption identity according to an embodiment of the present application;
as shown in fig. 6, verifying the legitimacy of the key decryption identity includes:
step S601: obtaining a key decryption identity;
specifically, before decrypting the key ciphertext data, the validity of the key decryption identity needs to be verified, and the key decryption identity is obtained, where the key decryption identity includes the private key for decryption and the public key for encryption generated in step S2033.
Step S602: judging whether the key decryption identity is legal or not;
specifically, whether the key decryption identity is legal or not is determined, that is, whether the private key for decryption and the public key for encryption are paired or not is determined, and if the key decryption identity is legal, step S603 is entered; if the key decryption identity is illegal, the process proceeds to step S604.
Step S603: obtaining key loading information during encryption;
specifically, if the key decryption identity is legal, which means that the validity of the key decryption identity is verified, the TCM reads the key loading information during encryption, decrypts the key loading information, and then decrypts the key ciphertext data by combining the key loading information to generate a key plaintext data stream.
Step S604: the key ciphertext data is not decrypted;
Specifically, if the key decryption identity is illegal, meaning that verification of the validity of the key decryption identity has failed, the key ciphertext data is not decrypted.
In an embodiment of the present application, by providing a key encryption method and a key decryption method, the key encryption method includes: setting a communication handshake secret key; generating a key data stream according to the communication handshake key; creating key loading information; encrypting the plaintext data according to the key data stream and the key loading information to obtain key ciphertext data; the key ciphertext data is stored in a storage space of a key, and the key decryption method comprises the following steps: reading key ciphertext data from a storage space of a key; acquiring a communication handshake secret key and secret key loading information during encryption; according to the communication handshake secret key and the secret key loading information, the secret key ciphertext data is decrypted to obtain secret key plaintext data.
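Steps S204-S205, S501-S503 and S601-S604 can be traced end to end in the following added example, which is not part of the patent text and does not use a TPM: textbook RSA (ciphertext = plaintext^E mod N, no padding) over two small constructed primes stands in for the RSA object, and NvSpace, the ownerpass check on it and all function names are hypothetical. Unpadded RSA with primes this small only mirrors the formula in the description and is not suitable for protecting real keys.

```python
import hmac
import secrets

# Constructed demo primes (two known Mersenne primes). A TPM generates its own
# RSA primes internally; these are far too small for real use.
P, Q, E = 2**107 - 1, 2**127 - 1, 65537


def make_keypair(p=P, q=Q, e=E):
    """S2033: build the public key (N, E) and the private key (N, D)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # D is the inverse of E mod (p-1)(q-1)
    return (n, e), (n, d)


def is_paired(pub, priv):
    """S602: the decryption identity is legal only if the two keys are a pair."""
    (n_pub, e), (n_priv, d) = pub, priv
    if n_pub != n_priv:
        return False
    challenge = secrets.randbelow(n_pub - 3) + 2  # random value in [2, N-2]
    return pow(pow(challenge, e, n_pub), d, n_pub) == challenge


class NvSpace:
    """Hypothetical stand-in for the chip's NV space, gated by ownerpass."""

    def __init__(self, ownerpass, size):
        self._ownerpass = ownerpass.encode()
        self._size = size
        self._data = b""

    def _authorize(self, ownerpass):
        # Constant-time comparison so the check does not leak password prefixes.
        if not hmac.compare_digest(self._ownerpass, ownerpass.encode()):
            raise PermissionError("NV access denied: wrong owner password")

    def write(self, ownerpass, data):
        self._authorize(ownerpass)
        if len(data) > self._size:
            raise ValueError("data exceeds the defined NV space")
        self._data = bytes(data)

    def read(self, ownerpass):
        self._authorize(ownerpass)
        return self._data


def encrypt_key(pub, handshake_key):
    """S204: ciphertext = plaintext^E mod N (textbook RSA, no padding)."""
    n, e = pub
    m = int.from_bytes(handshake_key, "big")
    if not 0 < m < n:
        raise ValueError("handshake key does not fit under the modulus")
    return pow(m, e, n).to_bytes((n.bit_length() + 7) // 8, "big")


def decrypt_key(pub, priv, ciphertext, key_len):
    """S601-S604, then S503: decrypt only when the key pair checks out."""
    if not is_paired(pub, priv):
        return None  # S604: the key ciphertext data is not decrypted
    n, d = priv
    m = pow(int.from_bytes(ciphertext, "big"), d, n)
    return m.to_bytes(key_len, "big")


def demo():
    pub, priv = make_keypair()
    nv = NvSpace(ownerpass="demo-ownerpass", size=64)
    # Constructed 128-bit handshake key with a leading zero byte.
    handshake_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    nv.write("demo-ownerpass", encrypt_key(pub, handshake_key))  # S205
    stored = nv.read("demo-ownerpass")                           # S501
    return decrypt_key(pub, priv, stored, len(handshake_key))    # S503


if __name__ == "__main__":
    print(demo().hex())
```

The leading zero byte in the sample key is deliberate: the plaintext length has to be carried alongside the ciphertext, because the integer form of the key does not preserve it.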
Referring to fig. 7 again, fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
as shown in fig. 7, the electronic device 70 includes one or more processors 701 and memory 702. In fig. 7, a processor 701 is taken as an example. Preferably, the electronic device is a trusted cryptographic module device, i.e. a TCM device.
The processor 701 and the memory 702 may be connected by a bus or by other means, as in the example of fig. 7.
A processor 701, configured to provide computing and control capabilities to control the electronic device 70 to perform corresponding tasks, for example, to control the electronic device 70 to perform a key encryption method and a key decryption method in any of the method embodiments described above, where the key encryption method includes: setting a communication handshake secret key; generating a key data stream according to the communication handshake key; creating key loading information; encrypting the plaintext data according to the key data stream and the key loading information to obtain key ciphertext data; and storing the key ciphertext data into a storage space of the key. The key decryption method comprises the following steps: reading key ciphertext data from a storage space of a key; acquiring a communication handshake secret key and secret key loading information during encryption; and decrypting the secret key ciphertext data according to the communication handshake secret key and the secret key loading information to obtain secret key plaintext data.
By encrypting the communication handshake key of network communication and storing the encrypted key ciphertext data, the risk of violent cracking of the communication key can be reduced, and the safety of network communication is improved.
The processor 701 may be a general-purpose processor including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), a hardware chip, or any combination thereof; it may also be a digital signal processor (Digital Signal Processing, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), programmable logic device (programmable logic device, PLD), or a combination thereof. The PLD may be a complex programmable logic device (complex programmable logic device, CPLD), a field-programmable gate array (field-programmable gate array, FPGA), general-purpose array logic (generic array logic, GAL), or any combination thereof.
The memory 702 is used as a non-transitory computer readable storage medium for storing non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the key encryption method and the key decryption method in the embodiments of the present application. The processor 701 may implement the key encryption method and the key decryption method in any of the method embodiments described below by running non-transitory software programs, instructions, and modules stored in the memory 702. In particular, the memory 702 may include Volatile Memory (VM), such as random access memory (random access memory, RAM); the memory 702 may also include non-volatile memory (NVM), such as read-only memory (ROM), flash memory (flash memory), hard disk (HDD) or Solid State Drive (SSD), or other non-transitory solid state storage devices; the memory 702 may also include a combination of the above types of memory.
The memory 702 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 702 may optionally include memory located remotely from processor 701, such remote memory being connectable to processor 701 through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
One or more modules are stored in the memory 702 that, when executed by the one or more processors 701, perform the key encryption method and the key decryption method in any of the method embodiments described above, e.g., perform the various steps shown in fig. 2 described above; the functions of the various modules or units of fig. 1 may also be implemented.
In the embodiment of the present application, the electronic device 70 may further have a wired or wireless network interface, a keyboard, an input/output interface, and other components for implementing the functions of the device, which are not described herein.
The embodiment of the present application also provides a computer-readable storage medium, such as a memory including program code executable by a processor to perform the key encryption method and the key decryption method in the above embodiment. For example, the computer readable storage medium may be Read-Only Memory (ROM), random-access Memory (Random Access Memory, RAM), compact disc Read-Only Memory (CDROM), magnetic tape, floppy disk, optical data storage device, etc.
Embodiments of the present application also provide a computer program product comprising one or more program codes stored in a computer-readable storage medium. The processor of the electronic device reads the program code from the computer-readable storage medium, and the processor executes the program code to perform the method steps of the key encryption method and the key decryption method provided in the above-described embodiments.
It will be appreciated by those of ordinary skill in the art that all or part of the steps of implementing the above embodiments may be implemented by hardware, or may be implemented by program code related hardware, where the program may be stored in a computer readable storage medium, where the storage medium may be a read only memory, a magnetic disk or optical disk, etc.
From the above description of embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus a general purpose hardware platform, or may be implemented by hardware. Those skilled in the art will appreciate that all or part of the processes implementing the methods of the above embodiments may be implemented by a computer program for instructing relevant hardware, and the program may be stored in a computer readable storage medium, and the program may include processes of the embodiments of the methods described above when executed. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), or the like.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting; the technical features of the above embodiments or in the different embodiments may also be combined within the idea of the application, the steps may be implemented in any order, and there are many other variations of the different aspects of the application as described above, which are not provided in detail for the sake of brevity; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the application.

Claims (10)

1. A key encryption method applied to a key storage system, the method comprising:
setting a communication handshake secret key;
generating a secret key data stream according to the communication handshake secret key;
creating key loading information;
encrypting the plaintext data according to the secret key data stream and the secret key loading information to obtain secret key ciphertext data;
and storing the key ciphertext data into a storage space of the key.
2. The method of claim 1, wherein creating key loading information comprises:
starting an authorized session to create access rights;
creating a primary key object to generate a seed key according to the primary key object;
creating an RSA key according to the seed key to generate a public key and a private key;
and generating secret key loading information by fusion according to the public key and the private key.
3. The method of claim 1, wherein storing the key ciphertext data to a storage space of a key comprises:
creating access rights of the storage space;
setting an address and a storage space of key storage, and authorizing the storage space;
and writing the key ciphertext data into the storage space to store the key ciphertext data.
4. The method of claim 1, wherein the memory space of the key comprises a non-volatile memory space.
5. A key decryption method applied to a key storage system, the method comprising:
reading key ciphertext data from a storage space of a key;
obtaining key loading information during encryption;
and decrypting the key ciphertext data according to the key loading information to obtain key plaintext data.
6. The method of claim 5, wherein prior to reading the key ciphertext data from the memory space of the key, the method further comprises:
verifying the legitimacy of the key decryption identity;
if the key decryption identity is verified to be legal, obtaining key loading information during encryption;
and if the key decryption identity is verified to be illegal, not decrypting the key ciphertext data.
7. The key storage system is characterized by comprising a data reading module, an encryption module, a decryption module and a storage module;
the encryption module is used for setting a communication handshake secret key; generating a secret key data stream according to the communication handshake secret key; creating key loading information; encrypting the plaintext data according to the secret key data stream and the secret key loading information to obtain secret key ciphertext data;
the data reading module is used for reading the secret key ciphertext data from the storage space of the secret key; obtaining key loading information during encryption;
the decryption module is used for decrypting the secret key ciphertext data according to the secret key loading information to obtain secret key plaintext data;
the storage module is used for storing the secret key ciphertext data into a storage space of the secret key.
8. The system of claim 7, wherein the data reading module is further configured to verify the legitimacy of the key decryption identity; if verification of the legitimacy of the key decryption identity succeeds, the key loading information during encryption can be obtained; if verification of the legitimacy of the key decryption identity fails, the key ciphertext data cannot be decrypted.
9. An application control system for use with a chip, the system comprising:
a hardware encryption layer comprising: the system comprises an identity authentication module and a cryptographic algorithm module, wherein the identity authentication module is used for authenticating the starting of a basic input and output system and an operating system, the cryptographic algorithm module is used for encrypting data, and the identity authentication module and the cryptographic algorithm module are jointly used for guiding forced identity authentication and identification when the operating system is started;
a system layer including a device driver for driving the chip;
an application layer, the application layer comprising: a key storage system as claimed in claim 7 or 8.
10. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the key encryption method of any one of claims 1-4 or the key decryption method of any one of claims 5-6.
CN202310591353.2A 2023-05-23 2023-05-23 Key encryption and decryption method, storage and application control system and electronic equipment Pending CN116633618A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310591353.2A CN116633618A (en) 2023-05-23 2023-05-23 Key encryption and decryption method, storage and application control system and electronic equipment

Publications (1)

Publication Number Publication Date
CN116633618A (en) 2023-08-22

Family

ID=87641265

Country Status (1)

Country Link
CN (1) CN116633618A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination