TWI793215B - Data encryption and decryption method and device - Google Patents


Info

Publication number: TWI793215B
Authority: TW (Taiwan)
Prior art keywords: key, data, encrypted, hardware, root
Application number: TW107141247A
Other languages: Chinese (zh)
Other versions: TW201942784A (en)
Inventor: 尉魯飛
Original Assignee: 香港商阿里巴巴集團服務有限公司

Events:
Application filed by 香港商阿里巴巴集團服務有限公司
Publication of TW201942784A
Application granted
Publication of TWI793215B

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/06 The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                        • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
                    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                        • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                            • H04L9/0869 Generation of secret information involving random numbers or seeds
                    • H04L9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                        • H04L9/3236 Using cryptographic hash functions
                            • H04L9/3242 Involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
                    • H04L9/40 Network security protocols
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/12 Applying verification of the received information
                        • H04L63/123 Applying verification of the received data contents, e.g. message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

An embodiment of the present invention provides a data encryption and decryption method and device. The data encryption method includes: using a software root-of-trust program to generate a first key that uniquely corresponds to the hardware device, and encrypting data according to the first key. The invention reduces the possibility that a hacker or the like obtains the first key directly from the code, and at the same time ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of the data and of the hardware devices. It also ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.

Description

Data encryption and decryption method and device

The present invention relates to the field of computer technology, and in particular to a data encryption and decryption method and device.

With the development of the Internet of Things and computer technology, a large number of hardware devices with weak hardware security capability and limited resources have come into use, for example the various hardware devices that serve as IoT end nodes. These devices are usually inexpensive, have no security protection or are difficult to protect, and have no hardware security capability, so the data in them is easily obtained by hackers and the like, and their security is poor.

In the prior art, the key can be written into the code of the hardware device so that the data in the device can be encrypted with that key. However, writing the key into the device code makes it hard to achieve one key per device (one machine, one secret): the key is the same in every hardware device of the same type or from the same hardware manufacturer. Consequently, when the key of one hardware device is cracked, the keys of all other devices of the same type or from the same manufacturer are leaked as well, making it difficult to guarantee data security and leaving the data and the hardware devices poorly protected.

In view of the above problems, the present invention is proposed to provide a data encryption and decryption method and device that overcome, or at least partially solve, the above problems.

The present application provides a data encryption method, comprising:
using a software root-of-trust program to generate a first key that uniquely corresponds to the hardware device;
encrypting data according to the first key.

Optionally, encrypting data according to the first key comprises: randomly generating a second key; encrypting the data to be encrypted with the second key, the first key being used to encrypt the second key.

Optionally, the method further comprises: encrypting the second key with the first key.

Optionally, after encrypting the second key with the first key, the method further comprises: storing the encrypted second key in correspondence with the encrypted data.

Optionally, the method further comprises: generating verification data for verifying the integrity of the data to be encrypted, the verification data being stored in correspondence with the encrypted data.

Optionally, generating the verification data for verifying the integrity of the data to be encrypted comprises: determining the hash value of the data to be encrypted.

Optionally, before encrypting data according to the first key, the method further comprises: providing a second interface for receiving the data to be encrypted, and receiving the data to be encrypted through the second interface; after encrypting the data according to the first key, the method further comprises: outputting the encryption result to the data source of the data to be encrypted through the second interface.

The present invention also provides a data decryption method, comprising:
using a software root-of-trust program to generate a first key that uniquely corresponds to the hardware device;
decrypting the encrypted data according to the first key.

Optionally, decrypting the encrypted data according to the first key comprises: generating the first key, and obtaining an encrypted second key that is stored in correspondence with the encrypted data; decrypting the encrypted second key with the first key to obtain the second key; decrypting the encrypted data with the second key.

Optionally, the method further comprises: obtaining verification data that is stored in correspondence with the encrypted data; verifying the integrity of the decryption result with the verification data.

Optionally, the verification data includes a first hash value of the decryption result, and verifying the integrity of the decryption result with the verification data comprises: generating a second hash value of the decryption result; if the second hash value matches the first hash value, confirming that the decryption result is complete.

Optionally, the method further comprises: outputting the decryption result through the second interface.

The present application also provides a data encryption method, comprising:
using a root-of-trust program to generate a first key that uniquely corresponds to the hardware device;
encrypting data according to the first key.

Optionally, generating the first key with the root-of-trust program comprises: accessing the hardware root-of-trust program built into the hardware device to generate the first key.

Optionally, the hardware device has a dedicated hardware root-of-trust program, and accessing the built-in hardware root-of-trust program comprises: accessing the hardware root-of-trust program through a first interface whose interface type is adapted to the program type of the hardware root-of-trust program.

The present invention also provides a data decryption method, comprising:
using a root-of-trust program to generate a first key that uniquely corresponds to the hardware device;
decrypting the encrypted data according to the first key.

Optionally, generating the first key with the root-of-trust program comprises: accessing the hardware root-of-trust program built into the hardware device to generate the first key.

Optionally, the hardware device has a dedicated hardware root-of-trust program, and accessing the built-in hardware root-of-trust program comprises: accessing the hardware root-of-trust program through a first interface whose interface type is adapted to the program type of the hardware root-of-trust program.

The present invention also provides a data encryption device, comprising:
a first key generation module, for using a software root-of-trust program to generate a first key that uniquely corresponds to the hardware device;
a data encryption module, for encrypting data according to the first key.

Optionally, the data encryption module comprises: a random key generation sub-module, for randomly generating a second key; a data encryption sub-module, for encrypting the data to be encrypted with the second key, the first key being used to encrypt the second key.

Optionally, the device further comprises: a second key encryption module, for encrypting the second key with the first key.

Optionally, the device further comprises: a verification data generation module, for generating verification data for verifying the integrity of the data to be encrypted, the verification data being stored in correspondence with the encrypted data.

Optionally, the device further comprises: a receiving module for the data to be encrypted, for providing a second interface that receives the data to be encrypted and receiving the data through it; an encryption result output module, for outputting the encryption result to the data source of the data to be encrypted through the second interface.

The present invention also provides a data decryption device, comprising:
a first key generation module, for using a software root-of-trust program to generate a first key that uniquely corresponds to the hardware device;
a data decryption module, for decrypting the encrypted data according to the first key.

Optionally, the data decryption module comprises: a key acquisition sub-module, for generating the first key and obtaining an encrypted second key that is stored in correspondence with the encrypted data; a second key decryption sub-module, for decrypting the encrypted second key with the first key to obtain the second key; a data decryption sub-module, for decrypting the encrypted data with the second key.

Optionally, the device further comprises: a verification data acquisition module, for obtaining verification data that is stored in correspondence with the encrypted data; an integrity verification module, for verifying the integrity of the decryption result with the verification data.

Optionally, the device further comprises: a decryption result output module, for outputting the decryption result through the second interface.

The present invention also provides a data encryption device, comprising:
a first key generation module, for using a root-of-trust program to generate a first key that uniquely corresponds to the hardware device;
a data encryption module, for encrypting data according to the first key.

Optionally, the first key generation module comprises: a first key generation sub-module, for accessing the hardware root-of-trust program built into the hardware device to generate the first key.

The present invention also provides a data decryption device, comprising:
a first key generation module, for using a root-of-trust program to generate a first key that uniquely corresponds to the hardware device;
a data decryption module, for decrypting the encrypted data according to the first key.

Optionally, the first key generation module comprises: a first key generation sub-module, for accessing the hardware root-of-trust program built into the hardware device to generate the first key.

The present invention also provides a computer device, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, one or more of the methods above are implemented.

The present invention also provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, one or more of the methods above are implemented.

In the embodiments of the present invention, firstly, a root-of-trust program can generate a first key that uniquely corresponds to the hardware device, and data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of the data and the hardware devices. Secondly, the first key can be generated through a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.

The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the description, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
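The summary rests on one design decision: the first key is derived per device by a root-of-trust program rather than baked into the device code. The Go program below is an added example, not code from the patent or from its assignee; it shows that decision in working form. The RootOfTrust interface, hkdfSHA256, SelectRootOfTrust, HardcodedKey, the "first-key/v1" label and the IMEI values are all constructed for the example, and the hardware and software roots of trust are in-memory stand-ins for an SGX/TEE-backed module and a KM-style key manager. One point the example makes explicit that the summary leaves implicit: a device unique identifier such as an IMEI or MAC address is not secret, so the derivation must also be anchored to a secret that only the root of trust holds (here chipSecret or master); otherwise anyone who knows the identifier could recompute the first key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// RootOfTrust abstracts the root-of-trust program of the page: callers ask it
// for a device's first key and never see the secret the derivation is anchored
// to. Both implementations below are constructed stand-ins, not SGX/TEE/KM code.
type RootOfTrust interface {
	Name() string
	DeriveFirstKey(deviceID string) []byte
}

// hardwareRoT stands in for an SGX- or TEE-backed root of trust. chipSecret
// plays the role of a secret fused into the chip (an assumption of this example).
type hardwareRoT struct{ chipSecret []byte }

func (h *hardwareRoT) Name() string { return "hardware-rot" }

func (h *hardwareRoT) DeriveFirstKey(deviceID string) []byte {
	return hkdfSHA256(h.chipSecret, []byte("first-key/v1"), []byte(deviceID), 32)
}

// softwareRoT stands in for the KM (key manager) software root of trust. master
// is assumed to live in KM-protected storage; the example keeps it in memory.
type softwareRoT struct{ master []byte }

func (s *softwareRoT) Name() string { return "software-km" }

func (s *softwareRoT) DeriveFirstKey(deviceID string) []byte {
	return hkdfSHA256(s.master, []byte("first-key/v1"), []byte(deviceID), 32)
}

// hkdfSHA256 is HKDF (RFC 5869) extract-then-expand over HMAC-SHA256, written
// out so the example needs only the standard library. salt keys the extract
// step; info (here the device unique identifier) binds the output to one device.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)

	var okm, prev []byte
	for counter := byte(1); len(okm) < n; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev)
		expand.Write(info)
		expand.Write([]byte{counter})
		prev = expand.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:n]
}

// SelectRootOfTrust prefers the hardware root of trust when the device has one
// and falls back to the software root of trust otherwise, so that a first key
// can be produced on devices with and without hardware security capability.
func SelectRootOfTrust(hw *hardwareRoT, sw *softwareRoT) RootOfTrust {
	if hw != nil {
		return hw
	}
	return sw
}

// HardcodedKey models the prior-art approach the background criticises: one
// key baked into the firmware image and therefore identical on every device.
func HardcodedKey() []byte {
	return []byte("firmware-baked-key-shared-by-all") // 32 bytes, constructed
}

func main() {
	sw := &softwareRoT{master: []byte("constructed KM master secret")}
	// Two constructed IMEIs: same software root of trust, different first keys.
	for _, id := range []string{"IMEI:356938035643809", "IMEI:490154203237518"} {
		k := SelectRootOfTrust(nil, sw).DeriveFirstKey(id)
		fmt.Printf("%-22s first key (prefix) %s\n", id, hex.EncodeToString(k[:8]))
	}
	fmt.Printf("prior art: every device shares %q\n", HardcodedKey())
}
```

Cracking one device's first key in this model yields a value useful only for that device's identifier; the prior-art HardcodedKey is the same bytes on every unit, which is exactly the failure the background section describes. The HKDF helper follows RFC 5869 and can be checked against that RFC's published test vectors.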

Exemplary embodiments of the present invention will now be described in more detail with reference to the drawings. Although the drawings show exemplary embodiments of the invention, it should be understood that the invention can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the invention can be understood more thoroughly and its scope fully conveyed to those skilled in the art.

To help those skilled in the art understand the embodiments in depth, the technical terms used in them are defined first.

Root-of-trust program, also called the root of trust: the set of functions that the operations running on the hardware device regard as always trustworthy; the root of trust alone provides the hardware device with trustworthy encryption and decryption services. The root-of-trust program may include at least one of a hardware root-of-trust program and a software root-of-trust program. A hardware root-of-trust program depends on corresponding hardware and may include a hardware root-of-trust program based on Intel SGX (Intel Software Guard Extensions) or on a TEE (Trusted Execution Environment); a software root-of-trust program may include a KM (key manager) module. In practice the root-of-trust program may of course include other hardware or software root-of-trust programs, which are not enumerated here.

The first key is derived by the root-of-trust program from the device unique identifier of the hardware device and therefore uniquely corresponds to that device; it can be used to encrypt the data in that device.

The device unique identifier uniquely identifies an electronic device; for example, it may include the IMEI (International Mobile Equipment Identity) or the MAC (Media Access Control) address.

The hardware device may be any IoT terminal or device, for example the various detectors used in meteorological or environmental monitoring, or smart-home devices such as a smart speaker; it may of course also include mobile phones, smart watches, VR (Virtual Reality) devices, tablets, e-book readers, MP3 (Moving Picture Experts Group Audio Layer III) players, MP4 (Moving Picture Experts Group Audio Layer IV) players, laptop computers, in-vehicle computers, desktop computers, set-top boxes, wearable devices and so on. The hardware device can interact with a remote server to obtain a client, a plug-in, or a data encryption or decryption service; it may include any of the devices of Figures 10 to 14 below and carry out any of the methods of Figures 1 to 9 to encrypt or decrypt data.

The client may include at least one application. The client can run on the positioning device and thereby implement the data encryption or decryption method provided by the embodiments.

The plug-in may be included in an application running on the positioning device and thereby implement the data encryption or decryption method provided by the embodiments.

The embodiments can be applied to data encryption or decryption in hardware devices such as IoT devices, for example edge gateways. Writing the key directly into the device code means that, when one device's key is cracked, the keys of all other devices of the same type or from the same manufacturer are leaked, making it difficult to guarantee data security and leaving the data and devices poorly protected. Therefore, to ensure one key per device and so improve the security of the data and the hardware devices, the embodiments provide a data encryption method. In the embodiments, a root-of-trust program generates a first key that uniquely corresponds to the hardware device, and data is encrypted according to the first key. Since the key need not be written into the device code, this on the one hand reduces the possibility that a hacker or the like obtains the key, and on the other hand ensures that even if one device's key is cracked, the keys in devices of the same type or from the same manufacturer remain secure; data can then be stored securely under a secure key, effectively improving the security of the data and the devices. In addition, some hardware devices may lack the hardware a hardware root-of-trust program depends on, i.e. have no hardware security capability. To ensure that devices with or without hardware security capability can generate the first key, to improve the reliability of the first key and hence the security of the data and devices, and to reduce cost, a software root-of-trust program can be invoked to generate the first key. That is, the software root-of-trust program provides key-management functionality with good security.

The embodiments can be implemented as a client or a plug-in; the hardware device can obtain and install the client or plug-in from a remote server and carry out the data encryption or decryption method through it. The embodiments can of course also be deployed as software on a remote server, and the positioning device can obtain the data encryption or decryption service by accessing that server.

Embodiment 1

Referring to Figure 1, a flowchart of a data encryption method according to one embodiment of the invention is shown. The steps include:

Step 101: use a software root-of-trust program to generate a first key that uniquely corresponds to the hardware device.
To avoid the difficulty of achieving one key per device when the key is written directly into the code of the hardware device, and the resulting low security of the data and the devices, the key is not written into the hardware code; instead a root-of-trust program generates the first key, and the generated key uniquely corresponds to the hardware device. This on the one hand reduces the possibility that a hacker or the like obtains the first key directly from the code, and on the other hand ensures that even if one device's key is cracked, the keys in devices of the same type or from the same manufacturer remain secure, effectively improving the security of the data and the devices. In addition, some hardware devices may lack the hardware a hardware root-of-trust program depends on, i.e. have no hardware security capability. To ensure that devices with or without hardware security capability can generate the first key, to improve its reliability and hence the security of the data and devices, and to reduce cost, a software root-of-trust program can be invoked to generate the first key. That is, the software root-of-trust program provides key-management functionality with good security.

The software root-of-trust program may include KM.

The device unique identifier of the hardware device can be obtained, and the root-of-trust program derives the first key from it. Because different hardware devices have different device unique identifiers, the first keys obtained by different hardware devices are also different.

Step 102: encrypt data according to the first key.

As described above, the first key is generated by a root-of-trust program and uniquely corresponds to the hardware device, which effectively improves the security of the data and the devices, so data can be encrypted according to the first key.

The data to be encrypted in the hardware device can be obtained and encrypted with the first key. In practice a more complex encryption scheme based on the first key may of course be used: for example, to further strengthen the encryption, make cracking the encrypted data more complex and improve security, more keys can be generated and the data encrypted with several keys including the first key.

The data to be encrypted may include data in the hardware device with high security requirements, such as at least one of user passwords, user fingerprint features, user facial features, user iris features, and application keys of applications on the device. In practice it may of course include other data in the device, such as data specified by the user.

The encrypted data is the result of encrypting the data to be encrypted according to the first key; it can be decrypted according to the first key to recover the data to be encrypted.

In this embodiment, firstly, a root-of-trust program generates a first key that uniquely corresponds to the hardware device and data is encrypted according to it, which reduces the possibility that a hacker or the like obtains the first key directly from the code and ensures that even if one device's key is cracked, the keys in devices of the same type or from the same manufacturer remain secure, effectively improving the security of the data and the devices. Secondly, the first key can be generated through a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.

Embodiment 2

Referring to Figure 2, a flowchart of a data encryption method according to one embodiment of the invention is shown. The steps include:

Step 201: use a software root-of-trust program to generate a first key that uniquely corresponds to the hardware device.

For the way the root-of-trust program generates the first key uniquely corresponding to the hardware device, see the description above; it is not repeated here.

In practice the hardware device may of course include at least one of a hardware root-of-trust program and a software root-of-trust program.

In addition, the generated first key can be stored in the storage location corresponding to the root-of-trust program, for example in a storage area protected by KM.

Step 202: provide a second interface for receiving the data to be encrypted, and receive the data to be encrypted through the second interface.

As noted above, a hardware device may include a hardware root-of-trust program and/or a software root-of-trust program, and may even include more than one hardware root-of-trust program. This may result in several first interfaces, one per hardware root-of-trust program, making the system architecture of the device confused; applications in the application layer would need complex and heavy adaptation, which raises development cost and may cause adaptation errors, making it difficult to encrypt data and causing other problems, and lowering the security and reliability of the data and the devices. Therefore a unified interface, the second interface, can be provided to the applications in the application layer to receive the data to be encrypted. The root-of-trust programs are thereby encapsulated in the lower layer behind the second interface, and every application uses the functions of the root-of-trust programs through one unified interface. This makes the system architecture of the device simpler, lowers application development cost, and improves the security and reliability of the applications and the devices.

The application-facing second interface can be provided in hardware or software form. Data from the application layer is received through the second interface and converted according to the first interface or the software root-of-trust program, so that the converted data conforms to the data type or standard of the first interface or the software root-of-trust program.

The data to be encrypted is data that needs to be encrypted with a key; it may include any data originating from any application.

Step 203: randomly generate a second key and encrypt the data to be encrypted with the second key; the first key is used to encrypt the second key.
To make cracking the data more complex and further reduce the chance of the data being cracked, a second key can be generated in addition to the first key; the data to be encrypted is encrypted with the second key, and the second key is encrypted with the first key. That is, layered key management is used to improve the security of the data and the devices. Because the probability that several keys are all cracked is lower than the probability that one key is cracked, security is improved. Moreover, because the second key is generated randomly, a different key is used for each item of data to be encrypted, so even if one item of encrypted data in the device is cracked, the other encrypted data remains secure, further improving security.

The second key can be generated by the root-of-trust program described above, using a key generation algorithm.

Layered key management means generating several keys in different ways, storing and managing each separately, and encrypting data with several keys, or encrypting data with some of the keys and encrypting the data-encrypting keys with the other keys. This effectively increases the complexity of the encryption and makes it difficult for a hacker or the like to obtain all the keys, and hence to crack the encrypted information, improving the security of that information.

In practice even more keys can of course be generated and used in a similar way to encrypt the data, further improving the security of the data and the devices.

Step 204: encrypt the second key with the first key.

To reduce the chance that the second key is cracked, and hence that the encrypted data is cracked, and to improve the security of the data and the devices, the second key can be encrypted with the first key.

The second key encrypted with the first key can be stored.

In this embodiment, optionally, to ensure that a legitimate user of the data can later obtain the second key normally and decrypt the encrypted data, improving the reliability of data encryption, the encrypted second key can be stored in correspondence with the encrypted data.

The encrypted second key and the encrypted data can be stored in the same storage location; or they can be stored in different storage locations, and the correspondence between the storage location of the encrypted second key and that of the encrypted data is stored. In practice the encrypted second key can of course be stored in correspondence with the encrypted data in other ways.

In another optional embodiment, to improve encryption efficiency, no second key is generated and the data to be encrypted is encrypted directly with the first key, i.e. the first key is the key used to encrypt the data to be encrypted. Or, in yet another optional embodiment, the data to be encrypted is encrypted with the first key, the first key is encrypted with the second key, and the encrypted first key is stored in correspondence with the encrypted data.

Encrypting the data to be encrypted with the first key may be done in the same way as encrypting it with the second key; this is not repeated here.

Step 205: generate verification data for verifying the integrity of the data to be encrypted, the verification data being stored in correspondence with the encrypted data.

So that, after the encrypted data is later decrypted, it can be verified whether the recovered data is complete, further improving the security of the data and the devices, verification data for the data to be encrypted can be generated and stored in correspondence with the encrypted data.

The verification data is used to verify the data to be encrypted, including integrity verification.

Verification data used for integrity verification may include a hash value.

The hash value is a binary value computed from file data (such as the data to be encrypted) and used to verify the integrity of that data.

In this embodiment, optionally, to ensure that the integrity of the data to be encrypted can later be verified by means of its hash value, improving the security of the data and the devices, the hash value of the data to be encrypted can be determined.

In practice, to ensure that the data to be encrypted can later be verified, the verification information may of course include other information; for example, verification information for integrity verification may also include attribute information of the data to be encrypted. Accordingly, the attribute information of the data to be encrypted can be determined and used as the verification data.

Attribute information describes attributes of the data to be encrypted; for example, it may include at least one of the size and the data type of the data to be encrypted.

The size of the data to be encrypted indicates the amount of data it comprises. The type of the data to be encrypted indicates its format or category.

Storing the verification data in correspondence with the encrypted data can be done in the same way as storing the encrypted second key in correspondence with the encrypted data; this is not repeated here.

In practice, to improve encryption efficiency, the verification data of the data to be encrypted may also not be generated; that is, step 205 is optional.

Step 206: output the encryption result to the data source of the data to be encrypted through the second interface.

So that the application can store or otherwise handle the encrypted data, the encryption result can be output to the application that is the data source; and to keep the system architecture of the device simpler, lower application development cost, and improve the security and reliability of the applications and the devices, the encryption result can be output to the data source through the unified interface, i.e. the second interface.

The data source is the origin of the data to be encrypted and may include the application mentioned above.
The encryption result is the result of encrypting the data to be encrypted and outputting it; it may include the encrypted data. In practice, if the data was encrypted with the second key and the second key with the first key, the encryption result may also include the second key encrypted with the first key; if verification data for the data to be encrypted was generated as described above, the encryption result may also include that verification data.

In this embodiment, firstly, a root-of-trust program generates a first key that uniquely corresponds to the hardware device and data is encrypted according to it, which reduces the possibility that a hacker or the like obtains the first key directly from the code and ensures that even if one device's key is cracked, the keys in devices of the same type or from the same manufacturer remain secure, effectively improving the security of the data and the devices. Secondly, the first key can be generated through a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.

In addition, a unified second interface can be provided, and the data to be encrypted is received and the encryption result output through it. This ensures that every application can use the functions of the root-of-trust programs through one unified interface, which makes the system architecture of the device simpler, lowers application development cost, and reduces the difficulty in encrypting data that results from applications adapting incorrectly to the first interface of a hardware root-of-trust program; it thereby improves the reliability of data encryption and hence the security and reliability of the data and the devices.

In addition, a second key can be generated randomly, the data to be encrypted is encrypted with the second key, and the second key is encrypted with the first key. Because the probability that several keys are all cracked is low, and because the randomly generated second key ensures that each item of data to be encrypted is encrypted with a different key, cracking the data is made effectively more complex, further improving the security of the data and the devices.

Embodiment 3

Referring to Figure 3, a flowchart of a data encryption method according to one embodiment of the invention is shown. The steps include:

Step 301: use a root-of-trust program to generate a first key that uniquely corresponds to the hardware device.

To reduce the possibility of obtaining the key directly from the code, to avoid the problem that cracking one hardware device's key cracks the keys of all other devices of the same type or from the same manufacturer, to achieve one key per device, and to effectively improve the security of the data and the devices, a root-of-trust program can be used to generate a key that uniquely corresponds to the hardware device.

For the way the root-of-trust program generates the first key uniquely corresponding to the hardware device, see the description above; it is not repeated here.

In this embodiment, optionally, the hardware device has a dedicated hardware root-of-trust program. To improve the reliability of generating the first key, ensure one key per device, and hence improve the security of the data and the devices, the hardware root-of-trust program built into the hardware device can be accessed to generate the first key.

The hardware root-of-trust program may include a TEE.

In this embodiment, optionally, to ensure that the hardware root-of-trust program can be accessed and to improve the reliability of generating the key and subsequently encrypting the data to be encrypted, the hardware root-of-trust program can be accessed through a first interface whose interface type is adapted to the program type of the hardware root-of-trust program.

For example, if the hardware root-of-trust program is Intel SGX, the first interface may include an interface of the Linux SGX driver; if the hardware root-of-trust program is a TEE, the first interface may include the GP Client API, GP Client API being the name of the interface adapted to the TEE.

In practice, the hardware device may of course include at least one of a hardware root-of-trust program and a software root-of-trust program, so that the first key can be generated regardless of whether the hardware device has hardware security capability, ensuring the reliability of generating the first key.

Step 302: encrypt data according to the first key.

For the way data is encrypted according to the first key, see the description above; it is not repeated here.

In this embodiment, firstly, a root-of-trust program generates a first key that uniquely corresponds to the hardware device and data is encrypted according to it, which reduces the possibility that a hacker or the like obtains the first key directly from the code and ensures that even if one device's key is cracked, the keys in devices of the same type or from the same manufacturer remain secure, effectively improving the security of the data and the devices.

Secondly, for a hardware device with hardware security capability, the hardware root-of-trust program built into the device can be accessed to generate the first key, improving the reliability of generating the first key.

Embodiment 4

Referring to Figure 4, a flowchart of a data decryption method according to one embodiment of the invention is shown. The steps include:

Step 401: use a software root-of-trust program to generate a first key that uniquely corresponds to the hardware device.
To avoid the difficulty of achieving one key per device when the key is written directly into the code of the hardware device, and the resulting low security of the data and the devices, the key is not written into the hardware code; instead a root-of-trust program generates the first key, and the generated key uniquely corresponds to the hardware device. This on the one hand reduces the possibility that a hacker or the like obtains the first key directly from the code, and on the other hand ensures that even if one device's key is cracked, the keys in devices of the same type or from the same manufacturer remain secure, effectively improving the security of the data and the devices. In addition, since some hardware devices may lack the hardware a hardware root-of-trust program depends on, a software root-of-trust program can be invoked to generate the first key, so that devices with or without hardware security capability can generate it; this improves the reliability of the first key and hence the security of the data and devices, while reducing cost.

For the way the root-of-trust program generates the first key uniquely corresponding to the hardware device, see the description above; it is not repeated here.

Step 402: decrypt the encrypted data according to the first key.

To ensure that a legitimate user of the encrypted data can obtain the encrypted data normally, the encrypted data can be decrypted according to the first key.

The encrypted data may be the data to be encrypted that was encrypted as described above.

The encrypted data can be decrypted according to the first key in a manner matching the way it was encrypted. For example, if the data to be encrypted was encrypted with the first key, the encrypted data is decrypted with the first key; if it was encrypted with several keys including the first key, the keys among them other than the first key are generated, and the encrypted data is decrypted with those several keys including the first key.

In this embodiment, firstly, a root-of-trust program generates a first key that uniquely corresponds to the hardware device and data is decrypted according to it, which reduces the possibility that a hacker or the like obtains the first key directly from the code and ensures that even if one device's key is cracked, the keys in devices of the same type or from the same manufacturer remain secure, effectively improving the security of the data and the devices. Secondly, the first key can be generated through a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.

Embodiment 5

Referring to Figure 5, a flowchart of a data decryption method according to one embodiment of the invention is shown. The steps include:

Step 501: use a software root-of-trust program to generate a first key that uniquely corresponds to the hardware device.

For the way the root-of-trust program generates the first key uniquely corresponding to the hardware device, see the description above; it is not repeated here.

Step 502: obtain the encrypted data through the second interface.

To keep the system architecture of the device simpler, lower application development cost, and improve the security and reliability of the applications and the devices, the encrypted data of each data source can be obtained through the unified interface, i.e. the second interface.

In practice, the encrypted second key and/or the verification data stored in correspondence with the encrypted data can of course also be obtained through the second interface.

The second encryption key may be a key randomly generated for the encrypted data.

If the second key and/or the verification data are in the same storage location as the encrypted data, they can be obtained from that location; if there is a correspondence between their storage location and that of the encrypted data, their storage location can be determined from the storage location of the encrypted data, and the second key and/or the verification data can then be obtained.

In another optional embodiment, the second key and/or the verification data are not obtained in this step but later, when they are needed.

Step 503: decrypt the encrypted data according to the first key.

For the way the encrypted data is decrypted according to the first key, see the description above; it is not repeated here.

In this embodiment, optionally, since as noted above the probability that several keys are all cracked is lower than the probability that one key is cracked, to improve the security of the data and the devices the first key can be generated and the encrypted second key that is stored in correspondence with the encrypted data obtained; the encrypted second key is decrypted with the first key to obtain the second key, and the encrypted data is decrypted with the second key. That is, layered key management is used to improve the security of the data and the devices.

For the way the first key is generated and the second key obtained, see the description above; it is not repeated here.

Step 504: obtain the verification data that is stored in correspondence with the encrypted data, and verify the integrity of the decryption result with the verification data.

So that, after the encrypted data is decrypted, it can be verified whether the decryption result is complete, further improving the security of the data and the devices, the verification data can be obtained to verify the decryption result.

The decryption result is the result of decrypting the encrypted data; it may be the data to be encrypted described above.

Verification data can be generated from the decryption result and compared with the obtained verification data; if they match, the decryption result is determined to be complete, otherwise it is determined not to be complete.
In this embodiment, optionally, to ensure that the decryption result matches the data to be encrypted before encryption, i.e. to verify the integrity of the decryption result and further improve the security of the data and the devices, the verification data includes a first hash value of the decryption result. Accordingly, a second hash value of the decryption result can be generated and compared with the first hash value; if they match, the decryption result is confirmed to be complete. If the second hash value does not match the first hash value, the decryption result is confirmed not to be complete.

The first hash value is the hash value of the data to be encrypted that was determined while encrypting it; the second hash value is the hash value generated from the decrypted data. If the data to be encrypted and the decryption result match, i.e. the decryption result is complete, the first and second hash values should also match.

Verification data including the first hash value can be obtained, the second hash value of the decryption result generated, and the first and second hash values compared to determine whether they match.

For the way the verification data is obtained, see the description above; it is not repeated here.

In another optional embodiment, to ensure that the decryption result matches the data to be encrypted before encryption, i.e. to verify the integrity of the decryption result and further improve the security of the data and the devices, the verification data includes first attribute information of the data to be encrypted. Accordingly, second attribute information of the decryption result can be obtained and compared with the first attribute information; if they match, the decryption result is determined to be complete, otherwise it is determined not to be complete.

The first attribute information is generated from the data to be encrypted and the second attribute information from the decryption result; if the data to be encrypted and the decryption result match, i.e. the decryption result is complete, the first and second attribute information should also match.

In practice, to improve decryption efficiency, the integrity of the decryption result may also not be verified; that is, step 504 is optional.

Step 505: output the decryption result through the second interface.

So that the application can store or otherwise handle the encrypted data, the encryption result can be output to the application that is the data source; and to keep the system architecture of the device simpler, lower application development cost, and improve the security and reliability of the applications and the devices, the decryption result can be output through the unified interface, i.e. the second interface.

The decryption result can be output through the second interface to the data source of the encrypted data.

In this embodiment, firstly, a root-of-trust program generates a first key that uniquely corresponds to the hardware device and data is decrypted according to it, which reduces the possibility that a hacker or the like obtains the first key directly from the code and ensures that even if one device's key is cracked, the keys in devices of the same type or from the same manufacturer remain secure, effectively improving the security of the data and the devices. Secondly, the first key can be generated through a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.

Secondly, the first key can be generated through a hardware root-of-trust program or a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.

In addition, a unified second interface can be provided, and the encrypted data is obtained and the decryption result output through it. This ensures that every application can use the functions of the root-of-trust programs through one unified interface, which makes the system architecture of the device simpler, lowers application development cost, and reduces the difficulty in decrypting data that results from applications adapting incorrectly to the first interface of a hardware root-of-trust program; it thereby improves the reliability of data decryption and hence the security and reliability of the data and the devices.

In addition, the encrypted second key can be decrypted with the first key and the encrypted data decrypted with the second key. Because the probability that several keys are all cracked is low, cracking the data is made effectively more complex, further improving the security of the data and the devices.

Embodiment 6

Referring to Figure 6, a flowchart of a data decryption method according to one embodiment of the invention is shown. The steps include:

Step 601: use a root-of-trust program to generate a first key that uniquely corresponds to the hardware device.

To reduce the possibility of obtaining the key directly from the code, to avoid the problem that cracking one hardware device's key cracks the keys of all other devices of the same type or from the same manufacturer, to achieve one key per device, and to effectively improve the security of the data and the devices, a root-of-trust program can be used to generate a key that uniquely corresponds to the hardware device.

For the way the root-of-trust program generates the first key uniquely corresponding to the hardware device, see the description above; it is not repeated here.

In this embodiment, optionally, the hardware device has a dedicated hardware root-of-trust program. To improve the reliability of generating the first key, ensure one key per device, and hence improve the security of the data and the devices, the hardware root-of-trust program built into the hardware device is accessed to generate the first key.

In this embodiment, optionally, to ensure that the hardware root-of-trust program can be accessed and to improve the reliability of generating the key and subsequently decrypting the encrypted data, the hardware root-of-trust program can be accessed through a first interface whose interface type is adapted to the program type of the hardware root-of-trust program.

Step 602: decrypt the encrypted data according to the first key.

For the way the encrypted data is decrypted according to the first key, see the description above; it is not repeated here.
In this embodiment, first, the root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then decrypted according to the first key. This reduces the chance that an attacker obtains the first key directly from the code, and ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, which effectively improves the security of data and hardware devices.

Second, for a hardware device with hardware security capability, the hardware root-of-trust program built into the device can be accessed to generate the first key, which improves the reliability of generating the first key.

Those skilled in the art will understand that not every method step in the above embodiments is essential; in specific situations one or more steps may be omitted, as long as the technical purpose of encrypting or decrypting data is achieved. The present invention does not limit the number of steps or their order in the embodiments; the scope of protection is defined by the claims.

To help those skilled in the art understand the present invention better, a data processing, encryption and decryption method according to an embodiment is described below through one concrete example, with the following steps.

Referring to Figure 7, which shows a flowchart of a data processing method according to an embodiment of the present invention, the specific steps include:

Step 701, a hardware root-of-trust program or a software root-of-trust program generates a root key.

The root key can include the first key described above. If the hardware device is equipped with the hardware on which the hardware root-of-trust program depends (that is, it has hardware security capability), the root key can be generated through the hardware root of trust; if not, the root key can be generated through the software root of trust.

Step 702, the root key used for secure storage is kept by the hardware root-of-trust program or software root-of-trust program.

Step 703, the hardware root-of-trust program or software root-of-trust program encrypts the file key with the root key.

The file key is the key that encrypts the data to be encrypted described above; for example, it can include the second key described above.

Step 704, encrypt the data to be encrypted with the file key, and store the file key encrypted by the root key.

As can be seen, the root key is not used directly to encrypt the data to be encrypted but to encrypt the file key that encrypts that data; correspondingly, the root key is not used directly to decrypt the encrypted data but to decrypt the file key that decrypts it. This ensures that different keys can be provided for encryption or decryption for different hardware devices and different data, reduces the chance that the data is cracked, and improves the security of data and hardware devices.

Step 705, provide the secure storage function to the application layer through a unified interface.

Through the unified interface, data to be encrypted submitted by an application (for example, the application's sensitive data) can be received and the encryption result output to that application; or encrypted data submitted by an application can be received and the decryption result output to that application. The unified interface can include the second interface described above.

Referring to Figure 8, which shows a flowchart of a data encryption method according to one embodiment of the present invention, the specific steps include:

Step 801, the root-of-trust program generates the first key and stores it in the storage location corresponding to the root-of-trust program;

Step 802, the root-of-trust program encrypts the second key with the first key;

Step 803, encrypt the data to be encrypted with the second key;

Step 804, generate the hash value of the data to be encrypted;

Step 805, combine the encrypted data, the hash value of the data to be encrypted, and the second key encrypted by the first key into one file, and store it.

Referring to Figure 9, which shows a flowchart of a data decryption method according to one embodiment of the present invention, the specific steps include:

Step 901, the root-of-trust program reads the encrypted data;

Step 902, the root-of-trust program decrypts the second key with the first key;

Step 903, decrypt the encrypted data with the second key;

Step 904, generate the hash value of the decryption result;

Step 905, confirm that the generated hash value agrees with the previously stored hash value of the data to be encrypted;

Step 906, output the decryption result.

Embodiment 7

Referring to Figure 10, which shows a block diagram of a data encryption apparatus according to one embodiment of the present invention, the apparatus includes:

a first key generation module 1001, configured to generate, using a software root-of-trust program, a first key uniquely corresponding to the hardware device;

a data encryption module 1002, configured to encrypt data according to the first key.

Optionally, the data encryption module includes: a random key generation sub-module, configured to randomly generate a second key; and a data encryption sub-module, configured to encrypt the data to be encrypted with the second key, the first key being used to encrypt the second key.

Optionally, the apparatus further includes a second key encryption module, configured to encrypt the second key with the first key.

Optionally, the apparatus further includes a second key storage module, configured to store the encrypted second key in correspondence with the encrypted data to be encrypted.

Optionally, the apparatus further includes a verification data generation module, configured to generate verification data for verifying the integrity of the data to be encrypted, the verification data being stored in correspondence with the encrypted data to be encrypted.

Optionally, the verification data generation module includes a hash value determination sub-module, configured to determine the hash value of the data to be encrypted.

Optionally, the apparatus further includes: a data-to-be-encrypted receiving module, configured to provide a second interface for receiving the data to be encrypted and to receive the data to be encrypted through the second interface; and an encryption result output module, configured to output the encryption result through the second interface to the data source of the data to be encrypted.
In this embodiment, first, the root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the chance that an attacker obtains the first key directly from the code, and ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, which effectively improves the security of data and hardware devices. Second, the first key can be generated by the software root-of-trust program, which ensures that the first key can be generated whether or not the hardware device has hardware security capability and improves the reliability of generating the first key.

Embodiment 8

Referring to Figure 11, which shows a block diagram of a data encryption apparatus according to one embodiment of the present invention, the apparatus includes:

a first key generation module 1101, configured to generate, using a root-of-trust program, a first key uniquely corresponding to the hardware device;

a data encryption module 1102, configured to encrypt data according to the first key.

Optionally, the first key generation module includes a first key generation sub-module, configured to access the hardware root-of-trust program built into the hardware device to generate the first key.

Optionally, the hardware device has a dedicated hardware root-of-trust program, and the first key generation sub-module is further configured to access the hardware root-of-trust program through a first interface whose interface type is adapted to the program type of the hardware root-of-trust program.

In this embodiment, the root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the chance that an attacker obtains the first key directly from the code, and ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, which effectively improves the security of data and hardware devices.

Embodiment 9

Referring to Figure 12, which shows a block diagram of a data decryption apparatus according to one embodiment of the present invention, the apparatus includes:

a first key generation module 1201, configured to generate, using a software root-of-trust program, a first key uniquely corresponding to the hardware device;

a data decryption module 1202, configured to decrypt encrypted data according to the first key.

Optionally, the data decryption module includes: a key acquisition sub-module, configured to generate the first key and to obtain the encrypted second key that is stored in correspondence with the encrypted data; a second key decryption sub-module, configured to decrypt the encrypted second key with the first key to obtain the second key; and a data decryption sub-module, configured to decrypt the encrypted data with the second key.

Optionally, the apparatus further includes: a verification data acquisition module, configured to obtain verification data stored in correspondence with the encrypted data; and an integrity verification module, configured to verify the integrity of the decryption result with the verification data.

Optionally, the verification data includes a first hash value of the decryption result, and the integrity verification module includes: a second hash value generation sub-module, configured to generate a second hash value of the decryption result; and an integrity confirmation sub-module, configured to confirm that the decryption result is intact when the second hash value agrees with the first hash value.

Optionally, the apparatus further includes a decryption result output module, configured to output the decryption result through the second interface.

In this embodiment, first, the root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then decrypted according to the first key. This reduces the chance that an attacker obtains the first key directly from the code, and ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, which effectively improves the security of data and hardware devices. Second, the first key can be generated by the software root-of-trust program, which ensures that the first key can be generated whether or not the hardware device has hardware security capability and improves the reliability of generating the first key.

Embodiment 10

Referring to Figure 13, which shows a block diagram of a data decryption apparatus according to one embodiment of the present invention, the apparatus includes:

a first key generation module 1301, configured to generate, using a root-of-trust program, a first key uniquely corresponding to the hardware device;

a data decryption module 1302, configured to decrypt encrypted data according to the first key.

Optionally, the first key generation module includes a first key generation sub-module, configured to access the hardware root-of-trust program built into the hardware device to generate the first key.

Optionally, the hardware device has a dedicated hardware root-of-trust program, and the first key generation sub-module is further configured to access the hardware root-of-trust program through a first interface whose interface type is adapted to the program type of the hardware root-of-trust program.

In this embodiment, the root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then decrypted according to the first key. This reduces the chance that an attacker obtains the first key directly from the code, and ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, which effectively improves the security of data and hardware devices.

As the apparatus embodiments are substantially similar to the method embodiments, they are described only briefly; for related details, refer to the description of the method embodiments.

The embodiments of the present invention can be implemented as a system configured as desired using any suitable hardware, firmware, software, or any combination of them. Figure 14 schematically shows an exemplary system (or apparatus) 1400 that can be used to implement the embodiments described herein.
For one embodiment, Figure 14 shows an exemplary system 1400 having one or more processors 1402, a system control module (chipset) 1404 coupled to at least one of the processor(s) 1402, system memory 1406 coupled to the system control module 1404, non-volatile memory (NVM)/storage 1408 coupled to the system control module 1404, one or more input/output devices 1410 coupled to the system control module 1404, and a network interface 1412 coupled to the system control module 1404.

The processor 1402 may include one or more single-core or multi-core processors, and may include any combination of general-purpose processors or special-purpose processors (such as graphics processors, application processors, baseband processors, and so on). In some embodiments, the system 1400 can serve as the hardware device described in the embodiments of the present invention.

In some embodiments, the system 1400 may include one or more computer-readable media (for example, the system memory 1406 or the NVM/storage 1408) carrying instructions, and one or more processors 1402 that are coupled with the computer-readable media and configured to execute the instructions, thereby implementing modules that perform the actions described in the present invention.

For one embodiment, the system control module 1404 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 1402 and/or to any suitable device or component communicating with the system control module 1404.

The system control module 1404 may include a memory controller module to provide an interface to the system memory 1406. The memory controller module may be a hardware module, a software module, and/or a firmware module.

The system memory 1406 may be used, for example, to load and store data and/or instructions for the system 1400. For one embodiment, the system memory 1406 may include any suitable volatile memory, such as suitable DRAM. In some embodiments, the system memory 1406 may include double data rate type four synchronous dynamic random-access memory (DDR4 SDRAM).

For one embodiment, the system control module 1404 may include one or more input/output controllers to provide an interface to the NVM/storage 1408 and the input/output device(s) 1410.

For example, the NVM/storage 1408 may be used to store data and/or instructions. The NVM/storage 1408 may include any suitable non-volatile memory (for example, flash memory) and/or any suitable non-volatile storage device(s) (for example, one or more hard disk drives (HDD), one or more compact disc (CD) drives, and/or one or more digital versatile disc (DVD) drives).

The NVM/storage 1408 may include storage resources that are physically part of the device on which the system 1400 is installed, or it may be accessible by that device without being part of it. For example, the NVM/storage 1408 may be accessed over a network via the input/output device(s) 1410.

The input/output device(s) 1410 may provide an interface for the system 1400 to communicate with any other suitable device; the input/output devices 1410 may include communication components, audio components, sensor components, and so on. The network interface 1412 may provide an interface for the system 1400 to communicate over one or more networks; the system 1400 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, for example by accessing a wireless network based on a communication standard such as WiFi, 2G or 3G, or a combination of them.

For one embodiment, at least one of the processor(s) 1402 may be packaged together with the logic of one or more controllers (for example, the memory controller module) of the system control module 1404. For one embodiment, at least one of the processor(s) 1402 may be packaged together with the logic of one or more controllers of the system control module 1404 to form a system in package (SiP). For one embodiment, at least one of the processor(s) 1402 may be integrated on the same die as the logic of one or more controllers of the system control module 1404. For one embodiment, at least one of the processor(s) 1402 may be integrated on the same die as the logic of one or more controllers of the system control module 1404 to form a system on chip (SoC).

In various embodiments, the system 1400 may be, but is not limited to, a workstation, a desktop computing device, or a mobile computing device (for example, a laptop computing device, a handheld computing device, a tablet, a netbook, and so on). In various embodiments, the system 1400 may have more or fewer components and/or a different architecture. For example, in some embodiments the system 1400 includes one or more cameras, a keyboard, a liquid crystal display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an application-specific integrated circuit (ASIC), and speakers.

If the display includes a touch panel, the display screen may be implemented as a touch screen display to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensors may sense not only the boundary of a touch or swipe action but also the duration and pressure associated with the touch or swipe operation.

An embodiment of the present invention further provides a non-volatile readable storage medium storing one or more programs which, when applied to a terminal device, cause the terminal device to execute the instructions of the method steps in the embodiments of the present invention.
In one example, an apparatus is provided, including one or more processors and one or more machine-readable media storing instructions which, when executed by the one or more processors, cause the apparatus to perform the method performed by the hardware device in the embodiments of the present invention.

In one example, one or more machine-readable media are also provided, storing instructions which, when executed by one or more processors, cause an apparatus to perform the method performed by the hardware device in the embodiments of the present invention.

The embodiments of the present invention disclose a data encryption and decryption method and apparatus.

Example 1. A data encryption method, including: generating, using a software root-of-trust program, a first key uniquely corresponding to a hardware device; and encrypting data according to the first key.

Example 2 may include the method of Example 1, wherein encrypting data according to the first key includes: randomly generating a second key; and encrypting the data to be encrypted with the second key, the first key being used to encrypt the second key.

Example 3 may include the method of Example 2, further including: encrypting the second key with the first key.

Example 4 may include the method of Example 3, wherein after encrypting the second key with the first key the method further includes: storing the encrypted second key in correspondence with the encrypted data to be encrypted.

Example 5 may include the method of Example 1, further including: generating verification data for verifying the integrity of the data to be encrypted, the verification data being stored in correspondence with the encrypted data to be encrypted.

Example 6 may include the method of Example 5, wherein generating the verification data for verifying the integrity of the data to be encrypted includes: determining the hash value of the data to be encrypted.

Example 7 may include the method of Example 1, wherein before encrypting data according to the first key the method further includes: providing a second interface for receiving the data to be encrypted, and receiving the data to be encrypted through the second interface; and after encrypting data according to the first key the method further includes: outputting the encryption result through the second interface to the data source of the data to be encrypted.

Example 8. A data decryption method, including: generating, using a software root-of-trust program, a first key uniquely corresponding to a hardware device; and decrypting encrypted data according to the first key.

Example 9 may include the method of Example 8, wherein decrypting the encrypted data according to the first key includes: generating the first key and obtaining an encrypted second key that is stored in correspondence with the encrypted data; decrypting the encrypted second key with the first key to obtain the second key; and decrypting the encrypted data with the second key.

Example 10 may include the method of Example 8, further including: obtaining verification data stored in correspondence with the encrypted data; and verifying the integrity of the decryption result with the verification data.

Example 11 may include the method of Example 10, wherein the verification data includes a first hash value of the decryption result, and verifying the integrity of the decryption result with the verification data includes: generating a second hash value of the decryption result; and confirming that the decryption result is intact when the second hash value agrees with the first hash value.

Example 12 may include the method of Example 8, further including: outputting the decryption result through a second interface.

Example 13. A data encryption method, including: generating, using a root-of-trust program, a first key uniquely corresponding to a hardware device; and encrypting data according to the first key.

Example 14 may include the method of Example 13, wherein generating the first key uniquely corresponding to the hardware device using the root-of-trust program includes: accessing the hardware root-of-trust program built into the hardware device to generate the first key.

Example 15 may include the method of Example 14, wherein the hardware device has a dedicated hardware root-of-trust program, and accessing the hardware root-of-trust program built into the hardware device includes: accessing the hardware root-of-trust program through a first interface whose interface type is adapted to the program type of the hardware root-of-trust program.

Example 16. A data decryption method, including: generating, using a root-of-trust program, a first key uniquely corresponding to a hardware device; and decrypting encrypted data according to the first key.

Example 17 may include the method of Example 16, wherein generating the first key uniquely corresponding to the hardware device using the root-of-trust program includes: accessing the hardware root-of-trust program built into the hardware device to generate the first key.

Example 18 may include the method of Example 17, wherein the hardware device has a dedicated hardware root-of-trust program, and accessing the hardware root-of-trust program built into the hardware device includes: accessing the hardware root-of-trust program through a first interface whose interface type is adapted to the program type of the hardware root-of-trust program.

Example 19. A data encryption apparatus, including: a first key generation module, configured to generate, using a software root-of-trust program, a first key uniquely corresponding to a hardware device; and a data encryption module, configured to encrypt data according to the first key.

Example 20 may include the apparatus of Example 19, wherein the data encryption module includes: a random key generation sub-module, configured to randomly generate a second key; and a data encryption sub-module, configured to encrypt the data to be encrypted with the second key, the first key being used to encrypt the second key.

Example 21 may include the apparatus of Example 20, further including: a second key encryption module, configured to encrypt the second key with the first key.

Example 22 may include the apparatus of Example 19, further including: a verification data generation module, configured to generate verification data for verifying the integrity of the data to be encrypted, the verification data being stored in correspondence with the encrypted data to be encrypted.

Example 23 may include the apparatus of Example 19, further including: a data-to-be-encrypted receiving module, configured to provide a second interface for receiving the data to be encrypted and to receive the data to be encrypted through the second interface; and
an encryption result output module, configured to output the encryption result through the second interface to the data source of the data to be encrypted.

Example 24. A data decryption apparatus, including: a first key generation module, configured to generate, using a software root-of-trust program, a first key uniquely corresponding to a hardware device; and a data decryption module, configured to decrypt encrypted data according to the first key.

Example 25 may include the apparatus of Example 24, wherein the data decryption module includes: a key acquisition sub-module, configured to generate the first key and to obtain an encrypted second key stored in correspondence with the encrypted data; a second key decryption sub-module, configured to decrypt the encrypted second key with the first key to obtain the second key; and a data decryption sub-module, configured to decrypt the encrypted data with the second key.

Example 26 may include the apparatus of Example 24, further including: a verification data acquisition module, configured to obtain verification data stored in correspondence with the encrypted data; and an integrity verification module, configured to verify the integrity of the decryption result with the verification data.

Example 27 may include the apparatus of Example 24, further including: a decryption result output module, configured to output the decryption result through a second interface.

Example 28. A data encryption apparatus, including: a first key generation module, configured to generate, using a root-of-trust program, a first key uniquely corresponding to a hardware device; and a data encryption module, configured to encrypt data according to the first key.

Example 29 may include the apparatus of Example 28, wherein the first key generation module includes: a first key generation sub-module, configured to access the hardware root-of-trust program built into the hardware device to generate the first key.

Example 30. A data decryption apparatus, including: a first key generation module, configured to generate, using a root-of-trust program, a first key uniquely corresponding to a hardware device; and a data decryption module, configured to decrypt encrypted data according to the first key.

Example 31 may include the apparatus of Example 30, wherein the first key generation module includes: a first key generation sub-module, configured to access the hardware root-of-trust program built into the hardware device to generate the first key.

Example 32. An apparatus, including one or more processors and one or more machine-readable media storing instructions which, when executed by the one or more processors, cause the apparatus to perform the method of one or more of Examples 1 to 18.

Example 33. One or more machine-readable media storing instructions which, when executed by one or more processors, cause an apparatus to perform the method of one or more of Examples 1 to 18.

Although certain embodiments have been illustrated and described for the purpose of explanation, a wide variety of alternative and/or equivalent implementations, or computations achieving the same purpose, may be substituted for the embodiments shown and described without departing from the scope of the present invention. The present invention is intended to cover any modification or variation of the embodiments discussed herein. Accordingly, the embodiments described herein are defined only by the claims and their equivalents.

Exemplary embodiments of the present invention are described in more detail below with reference to the drawings. Although exemplary embodiments are shown in the drawings, the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein; these embodiments are provided so that the disclosure is thorough and fully conveys the scope of the present invention to those skilled in the art.

To help those skilled in the art understand the embodiments in depth, the technical terms used in them are defined first.

The root-of-trust program, also called the root of trust, is a set of functions that the operations running on the hardware device regard as trusted. The root of trust by itself provides trusted encryption and decryption services for the hardware device. The root-of-trust program may include at least one of a hardware root-of-trust program and a software root-of-trust program. The hardware root-of-trust program depends on corresponding hardware and may include a hardware root-of-trust program based on Intel SGX (Intel Software Guard Extensions) or on a TEE (Trusted Execution Environment); the software root-of-trust program may include a KM (key manager, a key management module). Of course, in practice the root-of-trust program may also include other hardware or software root-of-trust programs, which are not enumerated here.

The first key is derived by the root-of-trust program from the unique identifier of the hardware device, so that it corresponds uniquely to the hardware device, and can be used to encrypt data in the hardware device. The unique device identifier uniquely identifies an electronic device; for example, it may include an IMEI (International Mobile Equipment Identity) or a MAC (Media Access Control) address.

Hardware devices may be IoT terminals or devices of various kinds, such as the detectors used in meteorological or environmental monitoring, or smart home devices such as a smart speaker in the home. They may also include mobile phones, smart watches, VR (Virtual Reality) devices, tablets, e-book readers, MP3 (Moving Picture Experts Group Audio Layer III) players, MP4 (Moving Picture Experts Group Audio Layer IV) players, laptop computers, vehicle-mounted computers, desktop computers, set-top boxes, wearable devices, and so on. The hardware device can interact with a remote server to obtain a client, a plug-in program, or data encryption or decryption services, may include any of the apparatuses of Figures 10 to 14 below, and may implement any of the methods of Figures 1 to 9 in order to encrypt or decrypt data.

A client may include at least one application. The client can run on the device to implement the data encryption or decryption method provided by the embodiments of the present invention. A plug-in program may be included in an application running on the device to implement the data encryption or decryption method provided by the embodiments of the present invention.

The embodiments of the present invention can be applied to data encryption or decryption in hardware devices such as Internet of Things devices, for example edge gateways. When the key is written directly into the code of the hardware device, cracking the key in one hardware device leaks the keys of the other hardware devices of the same type or from the same hardware manufacturer, making it difficult to protect data and leaving data and hardware devices with low security. Therefore, to achieve one key per device and further improve the security of data and hardware devices, an embodiment of the present invention provides a data encryption method.
In the embodiments of the present invention, the root-of-trust program generates a first key uniquely corresponding to the hardware device, and data is encrypted according to the first key. Because the key no longer has to be written into the code of the hardware device, on the one hand the chance that an attacker obtains the key is reduced, and on the other hand, even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe. Secure storage of data is achieved through a secure key, which effectively improves the security of data and hardware devices. In addition, because some hardware devices lack the hardware on which the hardware root-of-trust program depends, that is, they have no hardware security capability, the software root-of-trust program can be called to generate the first key, so that hardware devices with or without hardware security capability can generate the first key; this improves the reliability of the first key, ensures the security of data and hardware devices, and reduces cost. That is, a software root-of-trust program provides a more secure key management function.

The embodiments of the present invention can be implemented as a client or a plug-in; the hardware device can obtain and install the client or plug-in from a remote server and implement the data encryption or decryption method through it. The embodiments can also be deployed as software on a remote server, and the device can obtain data encryption or decryption services by accessing the remote server.

Embodiment 1

Referring to Figure 1, which shows a flowchart of a data encryption method according to an embodiment of the present invention, the specific steps include:

Step 101, use a software root-of-trust program to generate a first key uniquely corresponding to the hardware device.

To avoid the difficulty of achieving one key per device when the key is written directly into the code of the hardware device, and the resulting low security of data and hardware devices, the key need not be written into the hardware code. Instead, the root-of-trust program generates the first key, and the generated key corresponds uniquely to the hardware device. On the one hand, this reduces the chance that an attacker obtains the first key directly from the code; on the other hand, it ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, which effectively improves the security of data and hardware devices. In addition, because some hardware devices lack the hardware on which the hardware root-of-trust program depends, that is, they have no hardware security capability, the software root-of-trust program can be called to generate the first key, so that hardware devices with or without hardware security capability can generate the first key; this improves the reliability of the first key, ensures the security of data and hardware devices, and reduces cost. That is, a software root-of-trust program provides a more secure key management function. The software root-of-trust program may include a KM.

The unique device identifier of the hardware device can be obtained, and the root-of-trust program derives the first key from that unique device identifier.
Since different hardware devices obtain different unique device identifiers, the first keys obtained by different hardware devices also differ.

Step 102, encrypt data according to the first key.

As shown above, the first key is generated by the root-of-trust program and corresponds uniquely to the hardware device, which effectively improves the security of data and hardware devices, so data can be encrypted according to the first key. The data to be encrypted in the hardware device can be obtained and encrypted with the first key. Of course, in practice the data to be encrypted can also be encrypted with a more elaborate scheme based on the first key; for example, to further improve the encryption, raise the complexity of cracking the encrypted data, and improve the security of data and hardware devices, more keys can be generated and several keys including the first key used to encrypt the data to be encrypted.

The data to be encrypted may include data in the hardware device with high security requirements, such as at least one of user passwords, user fingerprint features, user facial features, user iris features, and application keys in the hardware device; in practice it may also include other data in the hardware device, such as data designated by the user.

The encrypted data is the result of encrypting the data to be encrypted according to the first key; it can be decrypted according to the first key to recover the data to be encrypted.

In this embodiment, first, the root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the chance that an attacker obtains the first key directly from the code, and ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, which effectively improves the security of data and hardware devices. Second, the first key can be generated by the software root-of-trust program, which ensures that the first key can be generated whether or not the hardware device has hardware security capability and improves the reliability of generating the first key.

Embodiment 2

Referring to Figure 2, which shows a flowchart of a data encryption method according to an embodiment of the present invention, the specific steps include:

Step 201, use a software root-of-trust program to generate a first key uniquely corresponding to the hardware device.

The way in which the root-of-trust program generates the first key uniquely corresponding to the hardware device is as described above and is not repeated here. In practice, the hardware device may include at least one of a hardware root-of-trust program and a software root-of-trust program. The generated first key may be stored in a storage location corresponding to the root-of-trust program, for example in a storage area protected by the KM.

Step 202, provide a second interface for receiving the data to be encrypted, and receive the data to be encrypted through the second interface.

As noted above, the hardware device may include a hardware root-of-trust program and/or a software root-of-trust program, and may even include more than one hardware root-of-trust program, which can result in several first interfaces. That makes the system structure of the hardware device confusing and the adaptation work of applications in the application layer complex and heavy, which not only raises application development cost but can also cause adaptation errors, making it hard to encrypt data or otherwise lowering the security and reliability of data and hardware devices. Therefore, a unified interface, the second interface, can be provided to the applications in the application layer to receive the data to be encrypted. The root-of-trust program is thereby encapsulated in the lower layer behind the second interface, so that every application uses the functions of the root-of-trust program through one unified interface. This makes the system architecture in the hardware device simpler, reduces application development cost, and improves the security and reliability of applications and hardware devices.

The second interface facing the application layer can be provided in hardware or software form. Data from the application layer is received through the second interface and converted for the first interface or the software root-of-trust program, so that the converted data conforms to the data type or standard of the first interface or software root-of-trust program.

The data to be encrypted is data that needs to be encrypted with a key and may include any data from any application.

Step 203, randomly generate a second key, encrypt the data to be encrypted with the second key, and use the first key to encrypt the second key.
To effectively raise the complexity of cracking the data and further reduce the chance that it is cracked, a second key can be generated in addition to the first key: the data to be encrypted is encrypted with the second key, and the second key is encrypted with the first key. That is, hierarchical key management improves the security of data and hardware devices. Since the probability that several keys are all cracked is smaller than the probability that one key is cracked, the security of data and hardware devices is of course improved. In addition, since the second key is randomly generated, every item of data to be encrypted is guaranteed a different key, so even if one item of encrypted data in the hardware device is cracked, the other encrypted data remains safe, which further improves the security of data and hardware devices.

The second key can be generated by the root-of-trust program described above together with a key generation algorithm.

Hierarchical key management means generating several keys in different ways, storing and managing each key separately, and either encrypting data with several keys or encrypting data with some of the keys and encrypting the keys that encrypt the data with the remaining keys. This effectively raises the complexity of the encryption, makes it hard for an attacker to obtain all of the keys, and therefore hard to crack the encrypted information, which improves its security. In practice, more keys can be used to encrypt the data to be encrypted in the same way, further improving the security of data and hardware devices.

Step 204, encrypt the second key with the first key.
To reduce the chance that the second key is cracked, and thereby the chance that the encrypted data is cracked, and to improve the security of data and hardware devices, the second key can be encrypted with the first key. The second key encrypted with the first key can then be stored.

In this embodiment, optionally, so that a legitimate user of the data can obtain the second key and decrypt the encrypted data, and to improve the reliability of data encryption, the encrypted second key is stored in correspondence with the encrypted data to be encrypted. The encrypted second key and the encrypted data can be stored in the same storage location, or in different storage locations with a recorded correspondence between the storage location of the encrypted second key and that of the encrypted data. In practice, the encrypted second key and the encrypted data can also be stored in correspondence in other ways.

In another optional embodiment, to improve encryption efficiency, the second key need not be generated; the data to be encrypted can be encrypted directly with the first key, that is, the first key is the key that encrypts the data to be encrypted. Or, in yet another optional embodiment, after the data to be encrypted is encrypted with the first key, the first key can be encrypted with the second key, and the encrypted first key stored in correspondence with the encrypted data to be encrypted.
The method of encrypting the data to be encrypted with the first key can be the same as the method of encrypting it with the second key, and is not repeated here.

Step 205, generate verification data for verifying the integrity of the data to be encrypted, and store the verification data in correspondence with the encrypted data to be encrypted.

So that, after the encrypted data is later decrypted, it can be verified whether the recovered data is complete, which further improves the security of data and hardware devices, verification data for the data to be encrypted can be generated and stored in correspondence with the encrypted data.

The verification data is used to verify the data to be encrypted, including integrity verification. The verification data used for integrity verification may include a hash value. A hash value is a binary value computed from file data (such as the data to be encrypted) and is used to verify the integrity of that file data.

In this embodiment, optionally, so that the integrity of the data to be encrypted can later be verified through its hash value, which improves the security of data and hardware devices, the hash value of the data to be encrypted is determined and used as the verification data. In practice, so that the data to be encrypted can be verified later, the verification information can also include other information; for example, the verification information used for integrity verification can also include attribute information of the data to be encrypted. Correspondingly, the attribute information of the data to be encrypted can be determined and used as the verification data.
The attribute information describes attributes of the data to be encrypted; for example, it may include at least one of the size and the data type of the data to be encrypted. The size indicates the amount of data contained in the data to be encrypted; the data type describes its format or kind.

The way in which the verification data is stored in correspondence with the encrypted data can be the same as the way in which the encrypted second key is stored in correspondence with the encrypted data, and is not repeated here.

In practice, to improve encryption efficiency, the verification data need not be generated; step 205 is optional.

Step 206, output the encryption result through the second interface to the data source of the data to be encrypted.

So that the application can store or otherwise operate on the encrypted data, the encryption result can be output to the application that is the source of the data, and, to make the system structure in the hardware device simpler, reduce application development cost, and improve the security and reliability of applications and hardware devices, the encryption result can be output to the data source through a unified interface, namely the second interface.

The data source is the source of the data to be encrypted and may include the applications described above. The encryption result is the output produced by encrypting the data to be encrypted and may include the encrypted data.
In practice, if the data to be encrypted was encrypted with the second key and the second key was encrypted with the first key, the encryption result can also include the second key encrypted by the first key; if verification data for the data to be encrypted was also generated above, the encryption result can also include the verification data.

In this embodiment, first, the root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the chance that an attacker obtains the first key directly from the code, and ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, which effectively improves the security of data and hardware devices. Second, the first key can be generated by the software root-of-trust program, which ensures that the first key can be generated whether or not the hardware device has hardware security capability and improves the reliability of generating the first key.

In addition, a unified second interface is provided, through which the data to be encrypted is received and the encryption result output, so that every application can use the functions of the root-of-trust program through one unified interface. This makes the system architecture in the hardware device simpler, reduces application development cost, and avoids failures to encrypt data caused by application adaptation errors against the first interface of the hardware root-of-trust program, which improves the reliability of encryption and therefore the security and reliability of data and hardware devices.
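The flow of steps 201 to 206 above, the matching decryption and integrity check of steps 503 and 504, and the concrete sequences of Figures 8 and 9 (first key derived by the root of trust from the unique device identifier, random second key, data encrypted under the second key, second key wrapped under the first key, plaintext hash stored beside the ciphertext, everything combined into one file) are carried through below in one runnable Python example. It is an added illustration, not code from the patent or from its applicant. It assumes a constructed KM root secret and constructed device identifiers; it builds its key derivation (HKDF-style extract/expand) and its cipher (counter-mode keystream from HMAC-SHA256) from the standard library only, as stand-ins for whatever KDF and block cipher a real root of trust would use, and the container layout with the `RT01` tag and length-prefixed fields is likewise an assumption.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"RT01"  # constructed tag for the combined file of step 805

# Assumption: the software root of trust (KM) keeps this secret in its protected
# storage area. The value here is constructed for the example only.
KM_ROOT_SECRET = b"constructed-km-root-secret"


class IntegrityError(Exception):
    """Decryption result does not match the stored verification data (step 905)."""


def derive_first_key(device_id: str, root_secret: bytes = KM_ROOT_SECRET) -> bytes:
    """Step 101 / 701: derive the first (root) key from the unique device identifier
    (IMEI or MAC) so that every device gets a different key. HKDF-style
    extract-then-expand built from HMAC-SHA256; the KDF itself is an assumption."""
    prk = hmac.new(root_secret, device_id.encode(), hashlib.sha256).digest()
    return hmac.new(prk, b"first-key\x01", hashlib.sha256).digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a stand-in for the block cipher a
    device would use. XOR is its own inverse, so one function encrypts and decrypts."""
    stream = b"".join(
        hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under `key`; a fresh nonce is prepended so that a key reused for
    several items (the first key wraps many second keys) never reuses a keystream."""
    nonce = os.urandom(16)
    return nonce + _xor_keystream(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return _xor_keystream(key, blob[:16], blob[16:])


def _field(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _fields(buf: bytes, count: int) -> list:
    """Parse `count` length-prefixed fields and reject anything left over."""
    out, pos = [], 0
    for _ in range(count):
        (n,) = struct.unpack(">I", buf[pos:pos + 4])
        out.append(buf[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(buf):
        raise ValueError("container has trailing or missing bytes")
    return out


def encrypt_to_file(first_key: bytes, plaintext: bytes) -> bytes:
    """Steps 801-805: random second key, data under the second key, plaintext hash,
    second key wrapped under the first key, all combined into one container."""
    second_key = os.urandom(32)                     # step 203: random per item
    ciphertext = seal(second_key, plaintext)        # step 803
    digest = hashlib.sha256(plaintext).digest()     # step 804: verification data
    wrapped_key = seal(first_key, second_key)       # step 802 / 204
    return MAGIC + _field(wrapped_key) + _field(digest) + _field(ciphertext)


def decrypt_file(first_key: bytes, blob: bytes) -> bytes:
    """Steps 901-906: unwrap the second key with the first key, decrypt the data,
    and release the result only if its hash equals the stored first hash value."""
    if blob[:4] != MAGIC:
        raise ValueError("not a container produced by encrypt_to_file")
    wrapped_key, digest, ciphertext = _fields(blob[4:], 3)
    second_key = unseal(first_key, wrapped_key)     # step 902
    plaintext = unseal(second_key, ciphertext)      # step 903
    second_hash = hashlib.sha256(plaintext).digest()  # step 904
    if not hmac.compare_digest(second_hash, digest):  # step 905
        raise IntegrityError("hash mismatch: wrong device key or modified data")
    return plaintext                                # step 906


def is_intact(first_key: bytes, blob: bytes) -> bool:
    """Verdict-only wrapper: True when the container decrypts and verifies."""
    try:
        decrypt_file(first_key, blob)
        return True
    except (IntegrityError, ValueError, struct.error):
        return False


if __name__ == "__main__":
    key_a = derive_first_key("IMEI-CONSTRUCTED-000001")
    container = encrypt_to_file(key_a, b"constructed user fingerprint template")
    print(decrypt_file(key_a, container))
    # Another device derives a different first key and cannot unwrap the file key,
    # so the hash check of step 905 fails instead of returning garbage.
    print(is_intact(derive_first_key("IMEI-CONSTRUCTED-000002"), container))
```

Two properties of the patent's layout show up directly in the code. First, a wrong first key does not produce an error at the unwrap step: a stream cipher happily "decrypts" anything, so the stored plaintext hash is what turns a wrong-device or corrupted file into a detectable failure. Second, because that hash is an unkeyed digest stored in the clear, it is a checksum rather than an authenticator: it confirms guesses of low-entropy plaintext such as the user passwords the text lists as data to be encrypted, and an attacker who can both rewrite the ciphertext and the hash field can substitute content without holding either key. A deployment of this design should therefore keep the verification data under a key as well, for example by using a keyed MAC or an authenticated-encryption tag computed under the second key in place of the bare hash.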
In addition, the second key can be randomly generated, the data to be encrypted encrypted with the second key, and the second key encrypted with the first key. Since it is less likely that several keys are all cracked, and since the randomly generated second key ensures that each item of data is encrypted under a different key, this effectively raises the complexity of cracking the data and further improves the security of data and hardware devices.

Embodiment 3

Referring to Figure 3, which shows a flowchart of a data encryption method according to an embodiment of the present invention, the specific steps include:

Step 301, use a root-of-trust program to generate a first key uniquely corresponding to the hardware device.

To reduce the chance of obtaining the key directly from the code, to avoid the problem that cracking one hardware device's key cracks the keys of all other hardware devices of the same type or from the same hardware manufacturer, to achieve one key per device, and to effectively improve the security of data and hardware devices, a root-of-trust program can be used to generate a key uniquely corresponding to the hardware device.

The way in which the root-of-trust program generates the first key uniquely corresponding to the hardware device is as described above and is not repeated here.

In this embodiment, optionally, the hardware device has a dedicated hardware root-of-trust program. To improve the reliability of generating the first key, ensure one key per device, and thereby improve the security of data and hardware devices, the hardware root-of-trust program built into the hardware device is accessed to generate the first key. The hardware root-of-trust program may include a TEE.
In the embodiment of the present invention, optionally, in order to ensure access to the hardware root of trust program and improve the reliability of key generation and the subsequent encryption of the data to be encrypted, the hardware root of trust program can be accessed through the first interface, where the interface type of the first interface is adapted to the program type of the hardware root of trust program. For example, if the hardware root of trust program is Intel SGX, the first interface can include the interface in the Linux SGX driver; if the hardware root of trust program is a TEE, the first interface can include the GP Client API, which is the name of the interface adapted to the TEE. Of course, in practical applications, the hardware device may include at least one of the hardware root of trust program and the software root of trust program, so that the first key can be generated regardless of whether the hardware device has hardware security capabilities, ensuring the reliability of generating the first key.

Step 302: encrypt data according to the first key.

The way of encrypting data according to the first key can refer to the relevant description in the foregoing, and details will not be repeated here.

In the embodiment of the present invention, firstly, the root of trust program can be used to generate the first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the possibility of hackers obtaining the first key directly from the code, and also ensures that even if the key of a certain hardware device is cracked, the keys in hardware devices of the same type, or belonging to the same hardware manufacturer, remain safe and effective, greatly improving the security of data and hardware equipment.
Secondly, for a hardware device with hardware security capabilities, the built-in hardware root of trust program of the hardware device can be accessed to generate the first key, which improves the reliability of generating the first key.

Embodiment 4

Referring to FIG. 4, it shows a flow chart of a data decryption method according to an embodiment of the present invention. The specific steps include:

Step 401: using a software root of trust program to generate a first key uniquely corresponding to a hardware device.

Writing the key directly into the code in the hardware device makes one machine, one secret difficult to achieve, which in turn leads to low security of data and hardware devices. To avoid this problem, the key is not written into the hardware device; instead, the root of trust program is used to generate the first key, and the generated key uniquely corresponds to the hardware device. On the one hand, this reduces the possibility of hackers obtaining the first key directly from the code; on the other hand, it ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type, or belonging to the same hardware manufacturer, remain safe, thereby effectively improving the security of data and hardware devices. In addition, because some hardware devices may lack the hardware on which the hardware root of trust program depends, the software root of trust program can be called to generate the first key, so that hardware devices with or without hardware security capabilities can generate the first key. This increases the reliability of the first key, thereby ensuring the security of data and hardware equipment while reducing costs.
The way the root of trust program is used to generate the first key uniquely corresponding to the hardware device can refer to the related description above, and will not be repeated here.

Step 402: decrypt the encrypted data according to the first key.

In order to ensure that legitimate users of the encrypted data can obtain the data normally, the encrypted data can be decrypted according to the first key. The encrypted data can be the encrypted form of the data to be encrypted described above. The encrypted data is decrypted according to the first key in a manner matching the aforementioned method of encrypting the data with the first key. For example, if the data to be encrypted was encrypted with the first key, the first key is used to decrypt the encrypted data; if multiple keys including the first key were used to encrypt the data to be encrypted, the other keys among the multiple keys apart from the first key can be generated, and the multiple keys including the first key are used to decrypt the encrypted data.

In the embodiment of the present invention, firstly, the root of trust program can be used to generate the first key uniquely corresponding to the hardware device, and the data can then be decrypted according to the first key. This reduces the possibility of hackers obtaining the first key directly from the code, and also ensures that even if the key of a certain hardware device is cracked, the keys in hardware devices of the same type, or belonging to the same hardware manufacturer, remain safe, effectively improving data and hardware security. Secondly, the first key can be generated through the software root of trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capabilities, and improves the reliability of generating the first key.

Embodiment 5

Referring to FIG. 5, it shows a flow chart of a data decryption method according to an embodiment of the present invention. The specific steps include:

Step 501: using a software root of trust program to generate a first key uniquely corresponding to a hardware device.

The way the root of trust program is used to generate the first key uniquely corresponding to the hardware device can refer to the related description above, and will not be repeated here.

Step 502: obtain encrypted data through the second interface.

In order to simplify the system architecture in the hardware device, reduce the development cost of the application program, and improve the security and reliability of the application program and the hardware device, the encrypted data of each data source can be obtained through a unified interface, that is, the second interface. Of course, in practical applications, the encrypted second key and/or verification data stored corresponding to the encrypted data can also be obtained through the second interface. The second key may be a key randomly generated for the encrypted data. If the second key and/or verification data are in the same storage location as the encrypted data, they can be obtained from that storage location; if there is a correspondence between the storage location of the second key and/or verification data and the storage location of the encrypted data, the storage location of the second key and/or verification data can be determined from the storage location of the encrypted data, and the second key and/or verification data can then be obtained.
In addition, in another optional embodiment of the present invention, it is also possible not to obtain the second key and/or verification data in this step, but to obtain them later, at the point where they are used.

Step 503: decrypt the encrypted data according to the first key.

The way of decrypting the encrypted data according to the first key can refer to the relevant description in the foregoing, and details will not be repeated here.

In the embodiment of the present invention, optionally, since, as noted above, multiple keys are less likely to be cracked than a single key, the security of data and hardware devices can be improved as follows: the first key is generated; the encrypted second key, which is stored corresponding to the encrypted data, is obtained; the first key is used to decrypt the encrypted second key to obtain the second key; and the second key is used to decrypt the encrypted data. That is, the security of data and hardware devices is improved through hierarchical key management. The method of generating the first key and the method of obtaining the second key can refer to the relevant description in the foregoing, and will not be repeated here.

Step 504: obtain verification data, which is stored corresponding to the encrypted data, and use the verification data to verify the integrity of the decryption result.

In order to verify the integrity of the decryption result after the encrypted data is decrypted, and to further improve the security of the data and hardware equipment, verification data can be obtained to verify the decryption result. The decryption result is the result of decrypting the encrypted data, and can be the aforementioned data to be encrypted.
Verification data can be generated from the decryption result and compared with the obtained verification data. If they are consistent, it is determined that the decryption result has integrity; otherwise, it is determined that the decryption result does not have integrity.

In the embodiment of the present invention, optionally, in order to ensure that the decryption result is consistent with the data to be encrypted before encryption, that is, to verify the integrity of the decryption result, and to further improve the security of data and hardware devices, the verification data includes a first hash value. Correspondingly, a second hash value of the decryption result can be generated and compared with the first hash value; if the second hash value is consistent with the first hash value, it is confirmed that the decryption result has integrity, and if the second hash value is inconsistent with the first hash value, it is confirmed that the decryption result does not have integrity. Here, the first hash value is the hash value of the data to be encrypted determined during the process of encrypting the data to be encrypted, and the second hash value is the hash value generated from the decrypted data. If the data to be encrypted is consistent with the decryption result, that is, the decryption result has integrity, then the first hash value and the second hash value should also be consistent. Accordingly, the verification data including the first hash value is obtained, a second hash value of the decryption result is generated, and the first hash value is compared with the second hash value to determine whether they are consistent. The way of obtaining the verification data can refer to the relevant description in the foregoing, and details will not be repeated here.
In addition, in another optional embodiment of the present invention, in order to ensure that the decryption result is consistent with the data to be encrypted before encryption, that is, to verify the integrity of the decryption result, and to further improve the security of data and hardware equipment, the verification data includes first attribute information of the data to be encrypted. Correspondingly, second attribute information of the decryption result can be obtained and compared with the first attribute information. If they are consistent, it is determined that the decryption result has integrity; otherwise, it is determined that the decryption result does not have integrity. Here, the first attribute information is attribute information generated from the data to be encrypted, and the second attribute information is attribute information generated from the decryption result. If the data to be encrypted is consistent with the decryption result, that is, the decryption result has integrity, then the first attribute information should also be consistent with the second attribute information.

In addition, in practical applications, in order to improve decryption efficiency, the integrity verification of the decryption result may be skipped; that is, step 504 is an optional step.

Step 505: output the decryption result through the second interface.
In order to facilitate the application program storing or performing other operations on the data, the decryption result can be output to the application program that is the source of the data; and in order to make the system structure in the hardware device more concise, reduce the development cost of the application program, and improve the security and reliability of the application program and the hardware device, the decryption result can be output through a unified interface, that is, the second interface. The decryption result can be output to the data source of the encrypted data through the second interface.

In the embodiment of the present invention, firstly, the root of trust program can be used to generate the first key uniquely corresponding to the hardware device, and the data can then be decrypted according to the first key. This reduces the possibility of hackers obtaining the first key directly from the code, and also ensures that even if the key of a certain hardware device is cracked, the keys in hardware devices of the same type, or belonging to the same hardware manufacturer, remain safe and effective, greatly improving the security of data and hardware equipment. Secondly, the first key can be generated through the hardware root of trust program or the software root of trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capabilities, and improves the reliability of generating the first key.
In addition, a unified second interface can be provided, through which the encrypted data is obtained and the decryption result is output. This ensures that each application program can use the various functions of the root of trust program through a single interface, which makes the system architecture of the hardware device more concise, reduces the development cost of the application program, and also reduces the difficulty in decrypting data caused by an application program adapting incorrectly to the first interface of the hardware root of trust program; this improves the reliability of data decryption and, in turn, the security and reliability of data and hardware equipment. In addition, the first key can be used to decrypt the encrypted second key, and the second key can be used to decrypt the encrypted data. Since multiple keys are less likely to be cracked than one, the complexity of cracking the data is effectively increased, further improving the security of data and hardware equipment.

Embodiment 6

Referring to FIG. 6, it shows a flowchart of a data decryption method according to an embodiment of the present invention. The specific steps include:

Step 601: using a root of trust program to generate a first key uniquely corresponding to a hardware device.

In order to reduce the possibility of the key being obtained directly from the code, and to prevent the keys of other hardware devices of the same type, or belonging to the same hardware manufacturer, from being cracked once the key of one hardware device is cracked, so as to realize one machine, one secret and effectively improve the security of data and hardware equipment, the root of trust program can be used to generate a key uniquely corresponding to the hardware device.
The way the root of trust program is used to generate the first key uniquely corresponding to the hardware device can refer to the related description above, and will not be repeated here.

In the embodiment of the present invention, optionally, the hardware device has a dedicated hardware root of trust program. In order to improve the reliability of generating the first key and to ensure one machine, one secret, thereby improving the security of data and hardware devices, the built-in hardware root of trust program of the hardware device is accessed to generate the first key.

In the embodiment of the present invention, optionally, in order to ensure access to the hardware root of trust program and improve the reliability of generating the key and subsequently decrypting the encrypted data, the hardware root of trust program can be accessed through the first interface, where the interface type of the first interface is adapted to the program type of the hardware root of trust program.

Step 602: decrypt the encrypted data according to the first key.

The way of decrypting the encrypted data according to the first key can refer to the relevant description in the foregoing, and details will not be repeated here.

In the embodiment of the present invention, firstly, the root of trust program can be used to generate the first key uniquely corresponding to the hardware device, and the data can then be decrypted according to the first key. This reduces the possibility of hackers obtaining the first key directly from the code, and also ensures that even if the key of a certain hardware device is cracked, the keys in hardware devices of the same type, or belonging to the same hardware manufacturer, remain safe and effective, greatly improving the security of data and hardware equipment.
Secondly, for a hardware device with hardware security capabilities, the built-in hardware root of trust program of the hardware device can be accessed to generate the first key, which improves the reliability of generating the first key.

Those skilled in the art should understand that not every method step in the above-mentioned embodiments is essential, and one or more steps can be omitted under specific circumstances, as long as the technical purpose of encrypting or decrypting data can be realized. The number and sequence of the steps in the embodiments are not limited by the present invention, and the protection scope of the present invention should be defined by the scope of the patent application.

In order to help those skilled in the art better understand the present invention, a data processing, encryption and decryption method in the embodiment of the present invention will be described below through a specific example, which includes the following steps. Referring to FIG., a flowchart of a data processing method is shown. The specific steps include:

Step 701: the hardware root of trust program or the software root of trust program generates a root key.

The root key may include the aforementioned first key. If the hardware on which the hardware root of trust program depends is installed in the hardware device (that is, the device has hardware security capabilities), the root key can be generated through the hardware root of trust program; if the hardware on which the hardware root of trust program depends is not provided in the hardware device, the root key can be generated through the software root of trust program.

Step 702: save the root key in secure storage through the hardware root of trust program or the software root of trust program.

Step 703: use the root key to encrypt the file key through the hardware root of trust program or the software root of trust program.
The file key is the key for encrypting the aforementioned data to be encrypted, and may include, for example, the aforementioned second key.

Step 704: encrypt the data to be encrypted with the file key, and store the file key encrypted by the root key.

It can be seen from the above that the root key is not used directly to encrypt the data to be encrypted, but to encrypt the file key that encrypts the data to be encrypted; correspondingly, the root key is not used directly to decrypt the encrypted data, but to decrypt the file key that decrypts the encrypted data. This ensures that different hardware devices and different data are provided with different keys for encryption or decryption, reducing the possibility of data being cracked and improving the security of data and hardware equipment.

Step 705: provide a secure storage function to the application layer through a unified interface.

The data to be encrypted (such as sensitive data of the application) submitted by the application can be received through a unified interface and the encryption result output to the application; or the encrypted data submitted by the application can be received and the decryption result output to the application. The unified interface may include the aforementioned second interface.

Referring to FIG. 8, it shows a flowchart of a data encryption method according to an embodiment of the present invention. The specific steps include:

Step 801: the root of trust program generates the first key and saves it in the storage location corresponding to the root of trust program;

Step 802: the root of trust program encrypts the second key with the first key;

Step 803: encrypt the data to be encrypted with the second key;

Step 804: generate the hash value of the data to be encrypted;

Step 805: combine the encrypted data, the hash value of the data to be encrypted, and the second key encrypted with the first key into one file for storage.
Referring to FIG. 9, it shows a flowchart of a data decryption method according to an embodiment of the present invention. The specific steps include:

Step 901: the root of trust program reads the encrypted data;

Step 902: the root of trust program decrypts the second key with the first key;

Step 903: decrypt the encrypted data with the second key;

Step 904: generate the hash value of the decryption result;

Step 905: determine that the generated hash value is consistent with the previously saved hash value of the data to be encrypted;

Step 906: output the decryption result.

Embodiment 7

Referring to FIG. 10, it shows a structural block diagram of a data encryption device according to an embodiment of the present invention. The device includes: a first key generation module 1001, configured to generate, using a software root of trust program, a first key uniquely corresponding to a hardware device; and a data encryption module 1002, configured to encrypt data according to the first key.

Optionally, the data encryption module includes: a random key generation sub-module for randomly generating a second key; and a data encryption sub-module for encrypting the data to be encrypted using the second key, wherein the first key is used to encrypt the second key.

Optionally, the device further includes: a second key encryption module, configured to encrypt the second key with the first key.

Optionally, the device further includes: a second key storage module, configured to store the encrypted second key corresponding to the encrypted data to be encrypted.

Optionally, the device further includes: a verification data generation module, configured to generate verification data for verifying the integrity of the data to be encrypted, the verification data being saved corresponding to the encrypted data to be encrypted.
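The hierarchical flow of FIG. 8 and FIG. 9 above (first key from a root of trust, random second key wrapped under it, hash of the plaintext as verification data, everything kept in one stored file, and the hash checked before the decryption result is released), as an added Go example that is not part of the patent. The software root of trust, the HMAC-SHA256 derivation of the first key, AES-GCM as the cipher, the fixed file layout, and the device identifiers and secret are assumptions of the example, not from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// firstKey plays the software root-of-trust program: the device-unique first key is
// HMAC-SHA256 over the device ID under a per-device secret (assumption: the secret
// lives in protected storage, not in code; a TEE would supply this key instead).
func firstKey(deviceID string, deviceSecret []byte) []byte {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write([]byte("first-key/" + deviceID))
	return mac.Sum(nil) // 32 bytes: an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM ciphertext || tag; open reverses it and fails on a wrong key or tampering.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or sealed blob too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// One stored file (step 805): wrapped second key || SHA-256 of plaintext || sealed data.
const wrappedLen = 12 + 32 + 16 // GCM nonce + AES-256 second key + GCM tag

// Encrypt follows steps 801-805 with a fresh random second (file) key per call.
func Encrypt(first, plaintext []byte) ([]byte, error) {
	second := make([]byte, 32)
	if _, err := rand.Read(second); err != nil {
		return nil, err
	}
	wrapped, err := seal(first, second) // step 802: second key under first key
	if err != nil {
		return nil, err
	}
	data, err := seal(second, plaintext) // step 803
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(plaintext) // step 804: verification data
	return append(append(append([]byte{}, wrapped...), sum[:]...), data...), nil
}

// Decrypt follows steps 901-906; the result is released only after a constant-time hash match.
func Decrypt(first, blob []byte) ([]byte, error) {
	if len(blob) < wrappedLen+sha256.Size {
		return nil, errors.New("truncated encryption result")
	}
	wrapped, stored, data := blob[:wrappedLen], blob[wrappedLen:wrappedLen+sha256.Size], blob[wrappedLen+sha256.Size:]
	second, err := open(first, wrapped) // step 902: only this device's first key unwraps it
	if err != nil {
		return nil, fmt.Errorf("unwrap second key: %w", err)
	}
	plaintext, err := open(second, data) // step 903
	if err != nil {
		return nil, fmt.Errorf("decrypt data: %w", err)
	}
	sum := sha256.Sum256(plaintext) // step 904
	if !hmac.Equal(sum[:], stored) { // step 905
		return nil, errors.New("decryption result failed integrity check")
	}
	return plaintext, nil // step 906
}

func main() {
	secret := []byte("constructed-per-device-secret-0123456789") // constructed sample
	keyA, keyB := firstKey("device-A", secret), firstKey("device-B", secret)
	blob, _ := Encrypt(keyA, []byte("sensitive application data"))
	pt, err := Decrypt(keyA, blob)
	fmt.Printf("same device: %q err=%v\n", pt, err)
	_, err = Decrypt(keyB, blob) // one machine, one secret: another device cannot unwrap
	fmt.Println("other device:", err)
}
```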
Optionally, the verification data generation module includes: a hash value determination sub-module, configured to determine the hash value of the data to be encrypted.

Optionally, the device further includes: a data-to-be-encrypted receiving module, configured to provide a second interface for receiving data to be encrypted and to receive the data to be encrypted through the second interface; and an encryption result output module, configured to output an encryption result to the data source of the data to be encrypted through the second interface.

In the embodiment of the present invention, firstly, the root of trust program can be used to generate the first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the possibility of hackers obtaining the first key directly from the code, and also ensures that even if the key of a certain hardware device is cracked, the keys in hardware devices of the same type, or belonging to the same hardware manufacturer, remain safe and effective, greatly improving the security of data and hardware equipment. Secondly, the first key can be generated through the software root of trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capabilities, and improves the reliability of generating the first key.

Embodiment 8

Referring to FIG. 11, it shows a structural block diagram of a data encryption device according to an embodiment of the present invention. The device includes: a first key generation module 1101, configured to generate, using a root of trust program, a first key uniquely corresponding to a hardware device; and a data encryption module 1102, configured to encrypt data according to the first key.
Optionally, the first key generation module includes: a first key generation sub-module, configured to access a built-in hardware root of trust program of the hardware device to generate the first key.

Optionally, the hardware device has a dedicated hardware root of trust program, and the first key generation sub-module is further configured to access the hardware root of trust program through a first interface, where the interface type of the first interface is adapted to the program type of the hardware root of trust program.

In the embodiment of the present invention, the root of trust program can be used to generate the first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the possibility of hackers obtaining the first key directly from the code, and at the same time ensures that even if the key of a certain hardware device is cracked, the keys in hardware devices of the same type, or belonging to the same hardware manufacturer, remain safe, effectively improving the security of data and hardware equipment.

Embodiment 9

Referring to FIG. 12, it shows a structural block diagram of a data decryption device according to an embodiment of the present invention. The device includes: a first key generation module 1201, configured to generate, using a software root of trust program, a first key uniquely corresponding to a hardware device; and a data decryption module 1202, configured to decrypt encrypted data according to the first key.
Optionally, the data decryption module includes: a key acquisition sub-module, configured to generate the first key and to acquire an encrypted second key, the encrypted second key being stored corresponding to the encrypted data; a second key decryption sub-module, configured to decrypt the encrypted second key using the first key to obtain the second key; and a data decryption sub-module, configured to decrypt the encrypted data using the second key.

Optionally, the device further includes: a verification data acquisition module, configured to obtain verification data, the verification data being stored corresponding to the encrypted data; and an integrity verification module, configured to verify the integrity of the decryption result using the verification data.

Optionally, the verification data includes a first hash value, and the integrity verification module includes: a second hash value generation sub-module, configured to generate a second hash value of the decryption result; and an integrity confirmation sub-module, configured to confirm that the decryption result has integrity if the second hash value is consistent with the first hash value.

Optionally, the device further includes: a decryption result output module, configured to output the decryption result through the second interface.

In the embodiment of the present invention, firstly, the root of trust program can be used to generate the first key uniquely corresponding to the hardware device, and the data can then be decrypted according to the first key. This reduces the possibility of hackers obtaining the first key directly from the code, and also ensures that even if the key of a certain hardware device is cracked, the keys in hardware devices of the same type, or belonging to the same hardware manufacturer, remain safe and effective, greatly improving the security of data and hardware equipment.
Secondly, the first key can be generated through the software root of trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capabilities, and improves the reliability of generating the first key.

Embodiment 10

Referring to FIG. 13, it shows a structural block diagram of a data decryption device according to an embodiment of the present invention. The device includes: a first key generation module 1301, configured to generate, using a root of trust program, a first key uniquely corresponding to a hardware device; and a data decryption module 1302, configured to decrypt encrypted data according to the first key.

Optionally, the first key generation module includes: a first key generation sub-module, configured to access a built-in hardware root of trust program of the hardware device to generate the first key.

Optionally, the hardware device has a dedicated hardware root of trust program, and the first key generation sub-module is further configured to access the hardware root of trust program through a first interface, where the interface type of the first interface is adapted to the program type of the hardware root of trust program.

In the embodiment of the present invention, the root of trust program can be used to generate the first key uniquely corresponding to the hardware device, and the data can then be decrypted according to the first key. This reduces the possibility of hackers obtaining the first key directly from the code, and at the same time ensures that even if the key of a certain hardware device is cracked, the keys in hardware devices of the same type, or belonging to the same hardware manufacturer, remain safe, effectively improving data and hardware security.
As for the device embodiments, since they are basically similar to the method embodiments, the description is relatively brief; for related details, please refer to the description of the method embodiments.

Embodiments of the invention may be implemented as a system in a desired configuration using any suitable hardware, firmware, software, or any combination thereof. FIG. 14 schematically shows an exemplary system (or apparatus) 1400 that may be used to implement the various embodiments described herein.

For one embodiment, FIG. 14 shows an exemplary system 1400 having one or more processors 1402, a system control module (chipset) 1404 coupled to at least one of the processor(s) 1402, a system memory 1406 coupled to the system control module 1404, a non-volatile memory (NVM)/storage device 1408 coupled to the system control module 1404, one or more input/output devices 1410, and a network interface 1412 coupled to the system control module 1406.

The processor 1402 may include one or more single-core or multi-core processors, and may include any combination of general-purpose processors and special-purpose processors (such as graphics processors, application processors, baseband processors, etc.). In some embodiments, the system 1400 can serve as the hardware device described in the embodiments of the present invention.

In some embodiments, the system 1400 may include one or more computer-readable media (e.g., the system memory 1406 or the NVM/storage device 1408) having instructions, and one or more processors 1402 configured, in conjunction with the one or more computer-readable media, to execute the instructions to implement modules that perform the actions described herein.

For one embodiment, the system control module 1404 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 1402 and/or to any suitable device or component in communication with the system control module 1404.
The system control module 1404 may include a memory controller module to provide an interface to the system memory 1406. The memory controller module may be a hardware module, a software module and/or a firmware module.

System memory 1406 may be used, for example, to load and store data and/or instructions for system 1400. For one embodiment, system memory 1406 may include any suitable volatile memory, such as suitable DRAM. In some embodiments, the system memory 1406 may include double data rate fourth-generation synchronous dynamic random access memory (DDR4 SDRAM).

For one embodiment, system control module 1404 may include one or more input/output controllers to provide an interface to NVM/storage device(s) 1408 and input/output device(s) 1410.

For example, NVM/storage 1408 may be used to store data and/or instructions. NVM/storage 1408 may include any suitable non-volatile memory (e.g., flash memory) and/or any suitable non-volatile storage device(s) (e.g., one or more hard disk drives (HDD), one or more compact disc (CD) drives, and/or one or more digital versatile disc (DVD) drives).

NVM/storage 1408 may include storage resources that are physically part of the device on which system 1400 is installed, or may be accessible by the device without necessarily being part of it. For example, NVM/storage 1408 may be accessed over a network via input/output device(s) 1410.

Input/output device(s) 1410 may provide an interface for system 1400 to communicate with any other suitable device, and may include communication elements, audio elements, sensor elements, and the like. Network interface 1412 may provide an interface for system 1400 to communicate over one or more networks. System 1400 may communicate with wireless networks according to any of one or more wireless network standards and/or protocols.
One or more components of the system may perform wireless communication, for example accessing a wireless network based on a communication standard such as WiFi, 2G or 3G, or a combination thereof.

For one embodiment, at least one of the processor(s) 1402 may be packaged with the logic of one or more controllers of the system control module 1404 (e.g., a memory controller module). For one embodiment, at least one of the processor(s) 1402 may be packaged with the logic of one or more controllers of the system control module 1404 to form a system-in-package (SiP). For one embodiment, at least one of the processor(s) 1402 may be integrated on the same die as the logic of one or more controllers of the system control module 1404. For one embodiment, at least one of the processor(s) 1402 may be integrated on the same die as the logic of one or more controllers of the system control module 1404 to form a system-on-chip (SoC).

In various embodiments, the system 1400 may be, but is not limited to, a workstation, a desktop computer device, or a mobile computer device (e.g., a laptop computer device, a handheld computer device, a tablet computer, a netbook, etc.). In various embodiments, system 1400 may have more or fewer elements and/or a different architecture. For example, in some embodiments, system 1400 includes one or more cameras, a keyboard, a liquid crystal display (LCD) screen (including a touch screen display), non-volatile memory ports, multiple antennas, a graphics chip, an application-specific integrated circuit (ASIC) and a loudspeaker.

If the display includes a touch panel, the display screen may be implemented as a touch screen display to receive input signals from a user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
The embodiment of the present invention also provides a non-volatile readable storage medium in which one or more programs are stored. When the one or more programs are applied to a terminal device, they cause the terminal device to execute the instructions for each method step in the embodiment of the present invention.

In one example, an apparatus is provided that includes one or more processors and one or more machine-readable media having stored thereon instructions that, when executed by the one or more processors, cause the apparatus to execute the method as executed by the hardware device in the embodiment of the present invention.

In one example, one or more machine-readable media are provided, on which are stored instructions that, when executed by one or more processors, cause an apparatus to perform the method as performed by the hardware device in the embodiment of the present invention.

The embodiment of the invention discloses a data encryption and decryption method and device.

Example 1. A data encryption method, comprising: using a software root-of-trust program to generate a first key uniquely corresponding to a hardware device; and encrypting data according to the first key.

Example 2 may include the method of Example 1, wherein encrypting data according to the first key includes: randomly generating a second key; and using the second key to encrypt the data to be encrypted, the first key being used to encrypt the second key.

Example 3 may include the method of Example 2, the method further comprising: encrypting the second key with the first key.

Example 4 may include the method of Example 3, wherein, after encrypting the second key with the first key, the method further includes: storing the encrypted second key in correspondence with the encrypted data.

Example 5 may include the method of Example 1, the method further comprising: generating verification data for verifying the integrity of the data to be encrypted, and storing the verification data in correspondence with the encrypted data.

Example 6 may include the method of Example 5, wherein generating the verification data for verifying the integrity of the data to be encrypted includes: determining a hash value of the data to be encrypted.

Example 7 may include the method of Example 1, wherein, before encrypting the data according to the first key, the method further includes: providing a second interface for receiving the data to be encrypted, and receiving the data to be encrypted through the second interface; and after encrypting the data according to the first key, the method further includes: outputting the encryption result to the data source of the data to be encrypted through the second interface.

Example 8. A data decryption method, comprising: using a software root-of-trust program to generate a first key uniquely corresponding to a hardware device; and decrypting encrypted data according to the first key.

Example 9 may include the method of Example 8, wherein decrypting the encrypted data according to the first key includes: generating the first key, and obtaining an encrypted second key, the encrypted second key being stored in correspondence with the encrypted data; using the first key to decrypt the encrypted second key to obtain a second key; and using the second key to decrypt the encrypted data.

Example 10 may include the method of Example 8, the method further comprising: obtaining verification data stored in correspondence with the encrypted data; and using the verification data to verify the integrity of the decryption result.

Example 11 may include the method of Example 10, wherein the verification data includes a first hash value of the decryption result, and using the verification data to verify the integrity of the decryption result includes: generating a second hash value of the decryption result; and comparing the second hash value with the first hash value, and confirming that the decryption result has integrity if they match.

Example 12 may include the method of Example 8, the method further comprising: outputting the decryption result through a second interface.

Example 13. A data encryption method, comprising: using a root-of-trust program to generate a first key uniquely corresponding to a hardware device; and encrypting data according to the first key.

Example 14 may include the method of Example 13, wherein using the root-of-trust program to generate the first key uniquely corresponding to the hardware device includes: accessing the built-in hardware root-of-trust program of the hardware device to generate the first key.

Example 15 may include the method of Example 14, wherein the hardware device has a dedicated hardware root-of-trust program, and accessing the built-in hardware root-of-trust program of the hardware device includes: accessing the hardware root-of-trust program through a first interface, the interface type of the first interface being adapted to the program type of the hardware root-of-trust program.

Example 16. A data decryption method, comprising: using a root-of-trust program to generate a first key uniquely corresponding to a hardware device; and decrypting encrypted data according to the first key.

Example 17 may include the method of Example 16, wherein using the root-of-trust program to generate the first key uniquely corresponding to the hardware device includes: accessing the built-in hardware root-of-trust program of the hardware device to generate the first key.
Example 18 may include the method of Example 17, wherein the hardware device has a dedicated hardware root-of-trust program, and accessing the built-in hardware root-of-trust program of the hardware device includes: accessing the hardware root-of-trust program through a first interface, the interface type of the first interface being adapted to the program type of the hardware root-of-trust program.

Example 19. A data encryption device, comprising: a first key generation module, configured to use a software root-of-trust program to generate a first key uniquely corresponding to a hardware device; and a data encryption module, configured to encrypt data according to the first key.

Example 20 may include the device of Example 19, wherein the data encryption module includes: a key random generation sub-module for randomly generating a second key; and a data encryption sub-module for encrypting the data to be encrypted with the second key, the first key being used to encrypt the second key.

Example 21 may include the device of Example 20, further comprising: a second key encryption module for encrypting the second key with the first key.

Example 22 may include the device of Example 19, the device further comprising: a verification data generation module, configured to generate verification data for verifying the integrity of the data to be encrypted, the verification data being stored in correspondence with the encrypted data.

Example 23 may include the device of Example 19, the device further comprising: a receiving module for data to be encrypted, configured to provide a second interface for receiving data to be encrypted and to receive the data to be encrypted through the second interface; and an encryption result output module, configured to output the encryption result to the data source of the data to be encrypted through the second interface.

Example 24. A data decryption device, comprising: a first key generation module, configured to use a software root-of-trust program to generate a first key uniquely corresponding to a hardware device; and a data decryption module, configured to decrypt encrypted data according to the first key.

Example 25 may include the device of Example 24, wherein the data decryption module includes: a key acquisition sub-module, configured to generate the first key and to acquire an encrypted second key, the encrypted second key being stored in correspondence with the encrypted data; a second key decryption sub-module, configured to decrypt the encrypted second key with the first key to obtain a second key; and a data decryption sub-module, configured to decrypt the encrypted data with the second key.

Example 26 may include the device of Example 24, the device further comprising: a verification data acquisition module, configured to obtain verification data stored in correspondence with the encrypted data; and an integrity verification module, configured to verify the integrity of the decryption result using the verification data.

Example 27 may include the device of Example 24, further comprising: a decryption result output module, configured to output the decryption result through a second interface.

Example 28. A data encryption device, comprising: a first key generation module, configured to use a root-of-trust program to generate a first key uniquely corresponding to a hardware device; and a data encryption module, configured to encrypt data according to the first key.

Example 29 may include the device of Example 28, wherein the first key generation module includes: a first key generation sub-module, configured to access the built-in hardware root-of-trust program of the hardware device to generate the first key.

Example 30. A data decryption device, comprising: a first key generation module, configured to use a root-of-trust program to generate a first key uniquely corresponding to a hardware device; and a data decryption module, configured to decrypt encrypted data according to the first key.

Example 31 may include the device of Example 30, wherein the first key generation module includes: a first key generation sub-module, configured to access the built-in hardware root-of-trust program of the hardware device to generate the first key.

Example 32. An apparatus comprising: one or more processors; and one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform the method of one or more of Examples 1 to 18.

Example 33. One or more machine-readable media having stored thereon instructions that, when executed by one or more processors, cause an apparatus to perform the method of one or more of Examples 1 to 18.

While certain examples have been described for purposes of illustration and description, various alternative and/or equivalent embodiments or implementations that achieve the same purpose can be substituted without departing from the scope of the invention. This invention is intended to cover any adaptations or variations of the embodiments discussed herein. Therefore, it is apparent that the embodiments described herein are limited only by the claims and their equivalents.
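The key hierarchy laid out in Examples 1 to 33 above, and restated in the claims that follow, worked through end to end in Python: a first key derived from the device's root of trust, a random second key per record that encrypts the data, the second key wrapped under the first key and stored next to the ciphertext, and a hash of the plaintext stored as verification data and checked after decryption. This is an added example, not code from the patent or its applicant. The names `HardwareRootOfTrust`, `SoftwareRootOfTrust`, `select_root_of_trust`, `first_key`, `_ctr_xor`, `EncryptedRecord`, `encrypt` and `decrypt` are chosen here; the hardware root of trust is simulated; HMAC-SHA256 stands in for the key derivation function and, in counter mode, for the cipher so that the block runs on the standard library alone; and the software root of trust mixes an assumed program-held secret into the device unique identifier. The patent specifies none of these algorithm choices.

```python
# Device-bound envelope encryption: first key from a root of trust, random second
# key per record, integrity hash stored with the ciphertext.  Added example, not
# the patent's code.  Assumptions: HMAC-SHA256 stands in for the KDF and (in
# counter mode) for the cipher so this runs on the standard library alone; the
# hardware root of trust is simulated; the software root of trust mixes an
# assumed program-held secret into the device unique identifier.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class HardwareRootOfTrust:
    """Simulated built-in hardware RoT: the device secret never leaves this
    object; callers only receive keys derived from it (Examples 14, 15)."""
    def __init__(self, device_secret: bytes):
        self._secret = device_secret  # real device: fused OTP / secure element

    def derive_key(self, purpose: bytes) -> bytes:
        return hmac.new(self._secret, b"hw-rot|" + purpose, hashlib.sha256).digest()


class SoftwareRootOfTrust:
    """Software RoT for devices without hardware security (Example 1, claim 1).
    The device unique identifier is usually public, so a program-held secret
    is mixed in (assumption); without it anyone who reads the serial number
    off the label can recompute the first key."""
    def __init__(self, device_unique_id: str, program_secret: bytes):
        self._ikm = program_secret + b"|" + device_unique_id.encode()

    def derive_key(self, purpose: bytes) -> bytes:
        # HKDF-style extract-then-expand with HMAC-SHA256, one output block.
        prk = hmac.new(b"sw-rot-salt", self._ikm, hashlib.sha256).digest()
        return hmac.new(prk, b"sw-rot|" + purpose + b"\x01", hashlib.sha256).digest()


def select_root_of_trust(hw_rot=None, device_unique_id="", program_secret=b""):
    """Use the hardware RoT when the device has one, else fall back to software."""
    if hw_rot is not None:
        return hw_rot
    return SoftwareRootOfTrust(device_unique_id, program_secret)


def first_key(rot) -> bytes:
    """The first key: bound to this device through whichever RoT it has."""
    return rot.derive_key(b"data-encryption-kek")


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.  Stand-in for a
    real cipher (use AES-GCM in production); (key, nonce) must never repeat."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


@dataclass
class EncryptedRecord:
    """Stored together: ciphertext, the wrapped second key and the verification
    data kept in correspondence with it (Examples 4 to 6)."""
    nonce: bytes
    ciphertext: bytes
    dek_nonce: bytes
    wrapped_dek: bytes   # second key encrypted under the first key
    verification: bytes  # SHA-256 of the plaintext


def encrypt(rot, plaintext: bytes) -> EncryptedRecord:
    """Examples 2 to 6: a random second key encrypts the data, the first key wraps it."""
    kek = first_key(rot)           # first key: regenerated on demand, never stored
    dek = secrets.token_bytes(32)  # second key: fresh for every record
    nonce, dek_nonce = secrets.token_bytes(12), secrets.token_bytes(12)
    return EncryptedRecord(
        nonce=nonce,
        ciphertext=_ctr_xor(dek, nonce, plaintext),
        dek_nonce=dek_nonce,
        wrapped_dek=_ctr_xor(kek, dek_nonce, dek),
        verification=hashlib.sha256(plaintext).digest(),
    )


def decrypt(rot, rec: EncryptedRecord) -> bytes:
    """Examples 9 to 11: regenerate the first key, unwrap the second key,
    decrypt, then compare the hash of the result with the stored one."""
    kek = first_key(rot)
    dek = _ctr_xor(kek, rec.dek_nonce, rec.wrapped_dek)
    plaintext = _ctr_xor(dek, rec.nonce, rec.ciphertext)
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), rec.verification):
        raise ValueError("integrity check failed: wrong device key or tampered data")
    return plaintext


if __name__ == "__main__":
    # Constructed demo: one device with a hardware RoT, one software-only device.
    dev_a = select_root_of_trust(hw_rot=HardwareRootOfTrust(secrets.token_bytes(32)))
    dev_b = select_root_of_trust(device_unique_id="SN-0002", program_secret=b"p" * 32)
    rec = encrypt(dev_a, b"sensor reading 42.0")
    print(decrypt(dev_a, rec))
    try:
        decrypt(dev_b, rec)  # another device's first key cannot unwrap the record
    except ValueError as exc:
        print(exc)
```

Two caveats a practitioner would want beyond what the examples state. The verification data is a bare hash of the plaintext, so it reveals whether two records hold the same plaintext, lets anyone who can guess the plaintext confirm the guess, and does not authenticate the ciphertext before decryption; an AEAD tag computed under the second key, and an authenticated key wrap such as AES-KW for the second key, are the production replacements for the hash and for the XOR wrap used here. The software root of trust is only as strong as the protection of `program_secret`: a first key derived from the device unique identifier alone can be recomputed by anyone who knows that identifier.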

Reference numerals used in the drawings: 101, 102, 201 to 206, 301, 302, 401, 402, 501 to 505, 601, 602, 701 to 705, 801 to 805 and 901 to 906: method steps; 1001, 1101, 1201 and 1301: first key generation module; 1002 and 1102: data encryption module; 1202 and 1302: data decryption module; 1400: system; 1402: processor; 1404: system control module; 1406: system memory; 1408: NVM/storage device; 1410: input/output device; 1412: network interface.

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, the same components are denoted by the same reference symbols. In the drawings:
FIG. 1 shows a flowchart of a data encryption method according to Embodiment 1 of the present invention;
FIG. 2 shows a flowchart of another data encryption method according to Embodiment 2 of the present invention;
FIG. 3 shows a flowchart of another data encryption method according to Embodiment 3 of the present invention;
FIG. 4 shows a flowchart of a data decryption method according to Embodiment 4 of the present invention;
FIG. 5 shows a flowchart of another data decryption method according to Embodiment 5 of the present invention;
FIG. 6 shows a flowchart of another data decryption method according to Embodiment 6 of the present invention;
FIG. 7 shows a flowchart of a data processing method according to an embodiment of the present invention;
FIG. 8 shows a flowchart of a data encryption method according to an embodiment of the present invention;
FIG. 9 shows a flowchart of a data decryption method according to an embodiment of the present invention;
FIG. 10 shows a structural block diagram of a data encryption device according to Embodiment 7 of the present invention;
FIG. 11 shows a structural block diagram of another data encryption device according to Embodiment 8 of the present invention;
FIG. 12 shows a structural block diagram of a data decryption device according to Embodiment 9 of the present invention;
FIG. 13 shows a structural block diagram of another data decryption device according to Embodiment 10 of the present invention;
FIG. 14 shows a structural block diagram of an exemplary system according to an embodiment of the present invention.

Claims (15)

1. A data encryption method, characterized in that the method comprises: using a software root-of-trust program to generate, according to a device unique identifier, a first key uniquely corresponding to a hardware device, the hardware device comprising an Internet of Things terminal or device; and encrypting data according to the first key.
2. The method according to claim 1, wherein encrypting data according to the first key comprises: randomly generating a second key; and encrypting data to be encrypted with the second key, the first key being used to encrypt the second key.
3. A data decryption method, characterized in that the method comprises: using a software root-of-trust program to generate, according to a device unique identifier, a first key uniquely corresponding to a hardware device, the hardware device comprising an Internet of Things terminal or device; and decrypting encrypted data according to the first key.
4. The method according to claim 3, wherein decrypting the encrypted data according to the first key comprises: generating the first key, and obtaining an encrypted second key, the encrypted second key being stored in correspondence with the encrypted data; decrypting the encrypted second key with the first key to obtain a second key; and decrypting the encrypted data with the second key.
5. A data encryption method, characterized in that the method comprises: using a root-of-trust program to generate, according to a device unique identifier, a first key uniquely corresponding to a hardware device, the hardware device comprising an Internet of Things terminal or device; and encrypting data according to the first key.
6. The method according to claim 5, wherein using the root-of-trust program to generate the first key uniquely corresponding to the hardware device comprises: accessing a built-in hardware root-of-trust program of the hardware device to generate the first key.
7. A data decryption method, characterized in that the method comprises: using a root-of-trust program to generate, according to a device unique identifier, a first key uniquely corresponding to a hardware device, the hardware device comprising an Internet of Things terminal or device; and decrypting encrypted data according to the first key.
8. The method according to claim 7, wherein using the root-of-trust program to generate the first key uniquely corresponding to the hardware device comprises: accessing a built-in hardware root-of-trust program of the hardware device to generate the first key.
9. A data encryption device, characterized in that the device comprises: a first key generation module, configured to use a software root-of-trust program to generate, according to a device unique identifier, a first key uniquely corresponding to a hardware device, the hardware device comprising an Internet of Things terminal or device; and a data encryption module, configured to encrypt data according to the first key.
10. A data decryption device, characterized in that the device comprises: a first key generation module, configured to use a software root-of-trust program to generate, according to a device unique identifier, a first key uniquely corresponding to a hardware device, the hardware device comprising an Internet of Things terminal or device; and a data decryption module, configured to decrypt encrypted data according to the first key.
11. The device according to claim 10, wherein the data decryption module comprises: a key acquisition sub-module, configured to generate the first key and to obtain an encrypted second key, the encrypted second key being stored in correspondence with the encrypted data; a second key decryption sub-module, configured to decrypt the encrypted second key with the first key to obtain a second key; and a data decryption sub-module, configured to decrypt the encrypted data with the second key.
12. A data encryption device, characterized in that the device comprises: a first key generation module, configured to use a root-of-trust program to generate, according to a device unique identifier, a first key uniquely corresponding to a hardware device, the hardware device comprising an Internet of Things terminal or device; and a data encryption module, configured to encrypt data according to the first key.
13. The device according to claim 12, wherein the first key generation module comprises: a first key generation sub-module, configured to access a built-in hardware root-of-trust program of the hardware device to generate the first key.
14. A data decryption device, characterized in that the device comprises: a first key generation module, configured to use a root-of-trust program to generate, according to a device unique identifier, a first key uniquely corresponding to a hardware device, the hardware device comprising an Internet of Things terminal or device; and a data decryption module, configured to decrypt encrypted data according to the first key.
15. The device according to claim 14, wherein the first key generation module comprises: a first key generation sub-module, configured to access a built-in hardware root-of-trust program of the hardware device to generate the first key.
TW107141247A 2018-03-29 2018-11-20 Data encryption and decryption method and device TWI793215B (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201810274311.5 2018-03-29
CN201810274311.5A CN110324138B (en) 2018-03-29 2018-03-29 Data encryption and decryption method and device

Publications (2)

Publication Number Publication Date
TW201942784A TW201942784A (en) 2019-11-01
TWI793215B (en) 2023-02-21

Family

ID=68060948

Family Applications (1)

Application Number Title Priority Date Filing Date
TW107141247A TWI793215B (en) 2018-03-29 2018-11-20 Data encryption and decryption method and device

Country Status (3)

Country Link
CN (1) CN110324138B (en)
TW (1) TWI793215B (en)
WO (1) WO2019184740A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598482A (en) * 2020-11-20 2022-06-07 福州数据技术研究院有限公司 Encryption communication method and system for server and intelligent edge gateway
CN112699393B (en) * 2020-12-31 2022-12-23 南方电网科学研究院有限责任公司 Parallel bus data transmission method and device
CN113364760A (en) * 2021-06-01 2021-09-07 平安科技(深圳)有限公司 Data encryption processing method and device, computer equipment and storage medium
EP4145762B1 (en) * 2021-09-06 2023-10-25 Axis AB Method and system for enabling secure processing of data using a processing application
CN113973123B (en) * 2021-10-27 2023-08-29 广东卓维网络有限公司 Multi-access mode encryption Internet of things communication method and system
CN114936365B (en) * 2022-01-27 2023-03-24 华为技术有限公司 System, method and device for protecting secret data
CN114828007A (en) * 2022-04-30 2022-07-29 佛山技研智联科技有限公司 Data processing method, device and system based on edge gateway and edge gateway
CN115828289B (en) * 2023-02-16 2023-05-30 中信天津金融科技服务有限公司 Encryption method and system for digitized file

Citations (3)

Publication number Priority date Publication date Assignee Title
TW201121281A (en) * 2009-10-28 2011-06-16 Microsoft Corp Key certification in one round trip
CN102595213A (en) * 2012-02-22 2012-07-18 深圳创维-Rgb电子有限公司 Security certificate method and system of credible TV terminal
US20180157849A1 (en) * 2012-10-25 2018-06-07 Intel Corporation Anti-theft in firmware

Family Cites Families (16)

Publication number Priority date Publication date Assignee Title
WO2008013525A1 (en) * 2006-07-25 2008-01-31 Northrop Grumman Corporation Common access card heterogeneous (cachet) system and method
JP5070005B2 (en) * 2007-11-01 2012-11-07 株式会社日立製作所 Arithmetic apparatus, arithmetic method and computer system
CN201181472Y (en) * 2008-02-29 2009-01-14 北京华大恒泰科技有限责任公司 Hardware key device and movable memory system
US8397306B1 (en) * 2009-09-23 2013-03-12 Parallels IP Holdings GmbH Security domain in virtual environment
US8874916B2 (en) * 2012-09-28 2014-10-28 Intel Corporation Introduction of discrete roots of trust
CN103455756B (en) * 2013-08-02 2016-12-28 国家电网公司 A kind of course control method based on trust computing
RU2601862C2 (en) * 2013-09-30 2016-11-10 Хуавэй Текнолоджиз Ко., Лтд. Method, unit and device for processing encryption and decryption
US10686612B2 (en) * 2015-07-30 2020-06-16 Hewlett Packard Enterprise Development Lp Cryptographic data
CN106656915A (en) * 2015-10-30 2017-05-10 深圳市中电智慧信息安全技术有限公司 Cloud security server based on trusted computing
CN105681032B (en) * 2016-01-08 2017-09-12 腾讯科技(深圳)有限公司 Method for storing cipher key, key management method and device
US10268844B2 (en) * 2016-08-08 2019-04-23 Data I/O Corporation Embedding foundational root of trust using security algorithms
CN106533663B (en) * 2016-11-01 2019-06-25 广东浪潮大数据研究有限公司 Data ciphering method, encryption method, apparatus and data decryption method, decryption method, apparatus
CN106980794B (en) * 2017-04-01 2020-03-17 北京元心科技有限公司 TrustZone-based file encryption and decryption method and device and terminal equipment
CN107273738A (en) * 2017-06-22 2017-10-20 努比亚技术有限公司 A kind of method of controlling security, terminal and computer-readable recording medium
CN107454590A (en) * 2017-07-26 2017-12-08 上海斐讯数据通信技术有限公司 A kind of data ciphering method, decryption method and wireless router
CN107465504A (en) * 2017-08-15 2017-12-12 上海与德科技有限公司 A kind of method and device for improving key safety


Also Published As

Publication number Publication date
CN110324138B (en) 2022-05-24
CN110324138A (en) 2019-10-11
TW201942784A (en) 2019-11-01
WO2019184740A1 (en) 2019-10-03
