CN102056339A - Mobile terminal and system data anti-cloning method thereof - Google Patents


Info

Publication number: CN102056339A (granted version: CN102056339B)
Authority: CN (China)
Application number: CN2009102096402A (priority application CN200910209640.2A)
PCT counterpart: PCT/CN2010/076630 (WO2011050655A1)
Prior art keywords: data, layer software, flashid, cpuid, encrypt data
Legal status: granted, currently active (the status shown is an assumption by Google Patents, not a legal conclusion)
Original language: Chinese (zh)
Inventor: 石林峰
Original assignee: ZTE Corp
Current assignee as listed: SHANDONG YUHETANG PHARMACEUTICAL Co.,Ltd. (assignee listings may be inaccurate)

Classifications

    • G: Physics
    • G09: Education; cryptography; display; advertising; seals
    • G09C: Ciphering or deciphering apparatus for cryptographic or other purposes involving the need for secrecy
    • G09C 1/00: Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/575: Secure boot
    • G06F 21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F 21/79: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L 9/0897: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage, involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H04W: Wireless communication networks
    • H04W 12/00: Security arrangements; authentication; protecting privacy or anonymity
    • H04W 12/12: Detection or prevention of fraud
    • H04W 12/126: Anti-theft arrangements, e.g. protection against subscriber identity module [SIM] cloning
    • H04L 2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication (H04L 9/00)
    • H04L 2209/12: Details relating to cryptographic hardware or logic circuitry
    • H04L 2209/80: Wireless

Abstract

The invention provides a system data anti-cloning method for a mobile terminal. The method comprises the following steps: the mobile terminal boots from an on-chip memory located inside the terminal's microprocessor; and a public key stored in that on-chip memory is used to decrypt, load and execute the system data stored in the terminal's flash memory. The invention also provides a corresponding mobile terminal. The invention can effectively resist the conventional cracking methods and greatly enhances the security of the mobile terminal.

Description

Mobile terminal and system data anti-cloning method thereof
Technical field
The present invention relates to communications and related electronic fields, and in particular to a mobile terminal and a system data anti-cloning method for it.
Background technology
With the development and wide adoption of embedded systems, many new high-tech products built around a CPU (microprocessor), such as mobile terminals and intelligent instruments, face a troublesome problem: a new product is imitated and copied almost as soon as it is released. This causes product developers heavy losses and greatly dampens developers' enthusiasm. Innovation is the key to a company's competitiveness; besides legal means, protecting one's own work requires encryption to be applied before the product reaches the market.
Mobile terminal systems generally adopt a CPU + FLASH architecture. FLASH (flash memory) is the mainstream storage device in current embedded devices and has broad application prospects, but the data it stores can be read out easily and it rarely offers any encryption protection; this is the fatal weakness that limits its use. Two methods are currently used to encrypt the data in FLASH: one scrambles (obfuscates) the data stored in the FLASH, the other encrypts using the unique device identifier provided by the FLASH.
The inventor has found at least the following problem in the prior art: both existing encryption methods have fatal defects and can be cracked successfully by sniffing the hardware bus and by static disassembly and tracing.
Summary of the invention
The present invention aims to provide a mobile terminal and a system data anti-cloning method for it, to solve the cracking problem of the prior art.
According to one aspect of the present invention, a system data anti-cloning method for a mobile terminal is provided, comprising: the mobile terminal boots from an on-chip memory located inside its microprocessor; and the public key stored in the on-chip memory is used to decrypt, load and execute the system data stored in the terminal's flash memory.
Preferably, the system data stored in the flash memory comprises bootloader data, middle-layer software data and application-layer software data, where the middle-layer software data comprise operating system data and driver data; the bootloader is stored in a bootloader region, the middle-layer software in a middle-layer software region and the application-layer software in an application-layer software region. The bootloader region also stores a first ciphertext produced by encrypting, with a first private key, the CPUID, the FLASHID and the entry code of the bootloader region, where CPUID is the identifier of the microprocessor and FLASHID the identifier of the flash memory; the middle-layer software region also stores a second ciphertext produced by encrypting, with a second private key, the CPUID, the FLASHID and the entry code of the middle-layer software region; and the application-layer software region also stores a third ciphertext produced by encrypting, with a third private key, the CPUID, the FLASHID and the entry code of the application-layer software region.
Preferably, the public key stored in the on-chip memory is a first public key used to decrypt the first ciphertext, and using that public key to decrypt, load and execute the system data in the flash memory comprises: decrypting the first ciphertext with the first public key and obtaining the CPUID and FLASHID it contains; authenticating the CPUID and FLASHID obtained from the first ciphertext; on success, loading and executing the bootloader data according to the bootloader-region entry code obtained by decrypting the first ciphertext; decrypting the second ciphertext with a second public key stored in the bootloader region and obtaining the CPUID and FLASHID it contains; authenticating them; on success, loading and executing the middle-layer software data according to the middle-layer-region entry code obtained by decrypting the second ciphertext; decrypting the third ciphertext with a third public key stored in the middle-layer software region and obtaining the CPUID and FLASHID it contains; authenticating them; and on success, loading and executing the application-layer software data according to the application-layer-region entry code obtained by decrypting the third ciphertext.
Preferably, the method further comprises: if authentication fails, stopping the loading and execution of the system data in the flash memory and powering off the mobile terminal.
Preferably, authenticating the obtained CPUID and FLASHID comprises: judging whether the obtained CPUID is identical to the CPUID read from the terminal's circuit board and the obtained FLASHID is identical to the FLASHID read from the circuit board; if so, authentication succeeds; otherwise, authentication fails.
Preferably, before the system data in the flash memory is decrypted, loaded and executed with the public key stored in the on-chip memory, the method further comprises: downloading the system data and storing it in the flash memory, where during the download the identifier of the microprocessor and the identifier of the flash memory are obtained and sent to an authentication server; the authentication server authenticates according to the received identifiers and returns the authentication result; and if the result is a failure, the download is stopped.
Preferably, a counter associated with the mobile terminal, counting how many times system data has been downloaded to its flash memory, is set up in advance in the authentication server, and authenticating according to the received identifiers comprises: judging whether the counter value for that terminal is less than a preset download-count threshold; if not, authentication fails; if so, authentication succeeds and the counter is incremented by 1.
According to another aspect of the present invention, a mobile terminal is provided, comprising a microprocessor and a flash memory. The microprocessor contains an on-chip memory from which the terminal begins to boot when it starts, and the on-chip memory stores a public key used to decrypt, load and execute the system data stored in the flash memory.
Preferably, the system data stored in the flash memory is organised exactly as in the method above: bootloader data, middle-layer software data (operating system data and driver data) and application-layer software data in their respective regions, each region also storing the ciphertext produced by encrypting, with its own private key (first, second and third respectively), the CPUID, the FLASHID and that region's entry code.
Preferably, the public key stored in the on-chip memory is the first public key used to decrypt the first ciphertext, and the flash memory further comprises: an acquisition module, which decrypts the first ciphertext with the first public key and obtains the CPUID and FLASHID it contains, decrypts the second ciphertext with the second public key stored in the bootloader region and obtains the CPUID and FLASHID it contains, and decrypts the third ciphertext with the third public key stored in the middle-layer software region and obtains the CPUID and FLASHID it contains; an authentication module, which authenticates the CPUID and FLASHID obtained from each of the first, second and third ciphertexts; and a load-and-execute module, which, whenever the authentication module reports success, loads and executes the bootloader data, the middle-layer software data and the application-layer software data according to the entry codes recovered from the first, second and third ciphertexts respectively.
Preferably, the load-and-execute module also stops loading and executing the system data in the flash memory and powers off the mobile terminal when the authentication module reports failure.
Preferably, the authentication module also judges whether the obtained CPUID and FLASHID are identical to the CPUID and FLASHID read from the terminal's circuit board; if so, authentication succeeds; otherwise, authentication fails.
Because the public key used to decrypt the ciphertext stored in FLASH is kept in the CPU's on-chip memory, the terminal always begins booting from that on-chip memory and uses this public key to decrypt, load and execute the data stored in FLASH. This solves the cracking problem of the prior art, effectively resists existing cracking methods and greatly strengthens the security of the mobile terminal.
Description of drawings
The accompanying drawings provide a further understanding of the invention and form part of this application; the illustrative embodiments and their description explain the invention and do not limit it improperly. In the drawings:
Fig. 1 is a flow chart of the system data anti-cloning method of a mobile terminal according to an embodiment of the invention;
Fig. 2 is a schematic diagram of a mobile terminal according to a preferred embodiment of the invention;
Fig. 3 is a detailed flow chart of the system data anti-cloning method of a mobile terminal according to a preferred embodiment of the invention.
Embodiments
The invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
Fig. 1 is a flow chart of the system data anti-cloning method of a mobile terminal according to an embodiment of the invention, comprising the following steps:
Step S10: the mobile terminal boots from an on-chip memory located inside its microprocessor;
Step S20: the public key stored in the on-chip memory is used to decrypt, load and execute the system data stored in the terminal's flash memory.
In this embodiment the public key used to decrypt the ciphertext stored in FLASH is kept in the CPU's on-chip memory (BOOTROM); the terminal begins booting from the on-chip memory and uses this public key to decrypt, load and execute the data stored in FLASH. This solves the cracking problem of the prior art, effectively resists existing cracking methods and greatly strengthens the terminal's security.
The on-chip memory can be programmed only once, and once it has been programmed the microprocessor can boot only from it. This guarantees that the terminal begins booting from the on-chip memory every time it starts.
Preferably, the system data stored in the flash memory comprises bootloader (BOOTLOADER) data, middle-layer software (MIDWARE) data and application-layer software (APP) data, where the middle-layer software data comprise operating system (OS) data and driver (DRIVER) data; the bootloader is stored in a bootloader region, the middle-layer software in a middle-layer software region and the application-layer software in an application-layer software region. The bootloader region also stores a first ciphertext produced by encrypting, with a first private key, the CPUID, the FLASHID and the entry code of the bootloader region, where CPUID is the identifier of the microprocessor and FLASHID the identifier of the flash memory; the middle-layer software region also stores a second ciphertext produced by encrypting, with a second private key, the CPUID, the FLASHID and the entry code of the middle-layer software region; and the application-layer software region also stores a third ciphertext produced by encrypting, with a third private key, the CPUID, the FLASHID and the entry code of the application-layer software region.
The public key stored in the on-chip memory is the first public key used to decrypt the first ciphertext, and step S20 comprises: decrypting the first ciphertext with the first public key and obtaining the CPUID and FLASHID it contains; authenticating the CPUID and FLASHID obtained from the first ciphertext; on success, loading and executing the bootloader data according to the bootloader-region entry code obtained by decrypting the first ciphertext; decrypting the second ciphertext with the second public key stored in the bootloader region and obtaining the CPUID and FLASHID it contains; authenticating them; on success, loading and executing the middle-layer software data according to the middle-layer-region entry code obtained by decrypting the second ciphertext; decrypting the third ciphertext with the third public key stored in the middle-layer software region and obtaining the CPUID and FLASHID it contains; authenticating them; and on success, loading and executing the application-layer software data according to the application-layer-region entry code obtained by decrypting the third ciphertext.
If authentication fails, loading and execution of the system data in the flash memory stops and the terminal is powered off. This also saves power.
Authenticating the obtained CPUID and FLASHID comprises: judging whether the obtained CPUID is identical to the CPUID read from the terminal's circuit board and the obtained FLASHID is identical to the FLASHID read from the circuit board; if so, authentication succeeds; otherwise, authentication fails.
The preferred embodiment above gives a specific implementation of decrypting, loading and executing the data in the flash memory with the public key stored in the on-chip memory. Here the entry code means the segment of data at the start of the data (program code or software code) of the corresponding region; its length may be 64 or 128.
In this preferred embodiment the public key stored in the CPU's BOOTROM (the first public key), the second public key stored in the bootloader region and the third public key stored in the middle-layer software region are placed in the data in advance and are written into the BOOTROM and the flash memory together with the software data by the programming software.
Preferably, before step S20 the method further comprises: downloading the system data and storing it in the flash memory; during the download, the identifiers of the microprocessor and of the flash memory are obtained and sent to an authentication server, which authenticates according to the received identifiers and returns the result; if the result is a failure, the download stops. Download software on a PC (personal computer) may be used to download the system data and store it in the flash memory; the terminal then loads and executes the system data stored in the flash memory according to the method of the preferred embodiment above.
A counter associated with the mobile terminal, counting how many times system data has been downloaded to its flash memory, is set up in advance in the authentication server, and authenticating according to the received identifiers comprises: judging whether the counter value for that terminal is less than a preset download-count threshold (the threshold can be configured in advance on the authentication server); if not, authentication fails; if so, authentication succeeds and the counter is incremented by 1.
In this preferred embodiment the authentication server can therefore refuse further downloads once the download count exceeds a certain number.
The preferred embodiments above provide a complete encryption mechanism based on the characteristics of FLASH technology and propose a systematic solution that effectively resists existing cracking methods and greatly strengthens the security of embedded systems. The proposed method is independent of the mobile terminal to be protected: it does not change the function or structure of the embedded software, does not change how the original program and data are organised, the ciphertext is the same size as the plaintext data so no storage needs to be added or removed, and no functional change to the hardware circuit is needed.
Fig. 2 is a schematic diagram of a mobile terminal according to a preferred embodiment of the invention, comprising a microprocessor 10 and a flash memory 20. The microprocessor 10 contains an on-chip memory 101 from which the terminal begins to boot when it starts, and the on-chip memory 101 stores the public key used to decrypt, load and execute the system data stored in the flash memory.
Preferably, the system data stored in the flash memory 20 comprises bootloader data, middle-layer software data and application-layer software data, where the middle-layer software data comprise operating system data and driver data; the bootloader is stored in a bootloader region, the middle-layer software in a middle-layer software region and the application-layer software in an application-layer software region. The bootloader region also stores a first ciphertext produced by encrypting, with a first private key, the CPUID, the FLASHID and the entry code of the bootloader region, where CPUID is the identifier of the microprocessor and FLASHID the identifier of the flash memory; the middle-layer software region also stores a second ciphertext produced by encrypting, with a second private key, the CPUID, the FLASHID and the entry code of the middle-layer software region; and the application-layer software region also stores a third ciphertext produced by encrypting, with a third private key, the CPUID, the FLASHID and the entry code of the application-layer software region.
The public key stored in the on-chip memory 101 is the first public key used to decrypt the first ciphertext, and the flash memory 20 further comprises: an acquisition module 201, which decrypts the first ciphertext with the first public key and obtains the CPUID and FLASHID it contains, decrypts the second ciphertext with the second public key stored in the bootloader region and obtains the CPUID and FLASHID it contains, and decrypts the third ciphertext with the third public key stored in the middle-layer software region and obtains the CPUID and FLASHID it contains;
an authentication module 202, which authenticates the CPUID and FLASHID obtained from the first ciphertext, from the second ciphertext and from the third ciphertext;
a load-and-execute module 203, which, whenever the authentication module 202 reports success, loads and executes the bootloader data according to the bootloader-region entry code obtained by decrypting the first ciphertext, the middle-layer software data according to the middle-layer-region entry code obtained by decrypting the second ciphertext, and the application-layer software data according to the application-layer-region entry code obtained by decrypting the third ciphertext.
The load-and-execute module 203 also stops loading and executing the system data in the flash memory and powers off the mobile terminal when the authentication module 202 reports failure.
The authentication module 202 also judges whether the obtained CPUID and FLASHID are identical to the CPUID and FLASHID read from the terminal's circuit board; if so, authentication succeeds; otherwise, authentication fails.
The security of this scheme rests on the following assumptions:
1. The CPU contains a BOOTROM (on-chip memory) holding security code, and this BOOTROM can be programmed only once after the CPU leaves the factory;
2. Different CPUs and FLASH chips have unique, never-repeating identifiers: CPUID (the CPU identifier) and FLASHID (the FLASH identifier);
3. Once the BOOTROM inside the CPU has been programmed, the CPU boots from the BOOTROM.
The software is divided into four parts: BOOTROM, BOOTLOADER, MIDWARE (the middle-layer software, comprising the OS (operating system) and DRIVER (drivers)) and APP (the application-layer software). BOOTROM is inside the CPU and can be programmed only once; BOOTLOADER, MIDWARE and APP are stored in FLASH.
BOOTLOADER, MIDWARE and APP are each encrypted with a different private key (the first, second and third private keys respectively); in each case the encrypted data is CPUID + FLASHID + the entry code (64 or 128) of that region. BOOTROM stores the public key used to decrypt BOOTLOADER (the first public key), BOOTLOADER stores the public key used to decrypt MIDWARE (the second public key), and MIDWARE stores the public key used to decrypt APP (the third public key). Note that encrypting with a private key and decrypting with the matching public key is, in effect, a digital signature with message recovery: anyone who reads the public key out of BOOTROM or FLASH can recover the plaintext, so what this construction protects is the authenticity of each region and its binding to one CPUID/FLASHID pair, not the secrecy of the code.
The invention is described in further detail below with reference to Fig. 3:
Step S302: after the mobile phone has started from the BOOTROM, it decrypts the ciphertext part of BOOTLOADER with the BOOTLOADER public key (the first public key) stored in the BOOTROM, and extracts the CPUID and FLASHID from the decrypted data;
Step S304: read the CPUID and FLASHID from the circuit board of the mobile terminal;
Step S306: compare the extracted CPUID and FLASHID with the CPUID and FLASHID read from the circuit board and judge whether they are identical; if so, go to step S308; if not, go to step S330;
Step S308: execute the entry code of BOOTLOADER obtained by decryption, and run BOOTLOADER;
Step S310: when BOOTLOADER has finished, read the public key for the MIDWARE region (the second public key) stored in the BOOTLOADER region;
Step S312: decrypt the ciphertext part of MIDWARE with this public key, and extract the CPUID and FLASHID from the decrypted data;
Step S314: read the CPUID and FLASHID from the circuit board;
Step S316: compare the extracted CPUID and FLASHID with the CPUID and FLASHID read from the circuit board and judge whether they are identical; if so, go to step S318; if not, go to step S330;
Step S318: execute the entry code of MIDWARE obtained by decryption, and run MIDWARE;
Step S320: when MIDWARE has loaded, read the public key for the APP region (the third public key) stored in the MIDWARE region;
Step S322: decrypt the ciphertext part of APP with this public key, and extract the CPUID and FLASHID from the decrypted data;
Step S324: read the CPUID and FLASHID from the circuit board;
Step S326: compare the extracted CPUID and FLASHID with the CPUID and FLASHID read from the circuit board and judge whether they are identical; if so, go to step S328; if not, go to step S330;
Step S328: execute the entry code of APP obtained by decryption, and load and run APP.
Step S330: stop executing code and shut down the mobile terminal.
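The three-stage check of steps S302 to S330 (also the subject of claims 3 and 5), written out as an added example; this is not code from the patent or from ZTE. It models the text's "encrypt with the private key, decrypt with the public key" literally with textbook RSA (no padding, 512-bit keys) so that the decrypted value is CPUID || FLASHID || entry code exactly as described. The key size, the 16-byte widths assumed for CPUID, FLASHID and the entry code, the constructed sample IDs, and representing "execute the entry code" by recording the region name are all assumptions; textbook RSA is used only to make the structure visible, and a product would use a padded signature scheme over a hash of the whole region image.

```python
"""Three-region boot chain (BOOTLOADER -> MIDWARE -> APP) bound to CPUID/FLASHID.

Added example modelled on the patent's steps S302-S330; not the patent's code.
Textbook RSA (no padding) is used only to mirror 'encrypt with the private key,
decrypt with the public key'.  Not production crypto.
"""
import hmac
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

ID_LEN = 16      # assumed byte width of CPUID and of FLASHID
ENTRY_LEN = 16   # assumed byte width of a region's entry code
BLOB_LEN = ID_LEN + ID_LEN + ENTRY_LEN

Key = Tuple[int, int]   # (modulus, exponent)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin; sufficient for demo key generation."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits: int = 512, rng: Optional[random.Random] = None) -> Tuple[Key, Key]:
    """Return (public, private) textbook RSA keys with e = 65537."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def seal_region(priv: Key, cpuid: bytes, flashid: bytes, entry_code: bytes) -> bytes:
    """Factory side: 'encrypt' CPUID || FLASHID || entry code with the region's private key."""
    n, d = priv
    m = int.from_bytes(cpuid + flashid + entry_code, "big")
    if m >= n:
        raise ValueError("blob does not fit the modulus")
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def open_region(pub: Key, ciphertext: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Device side: 'decrypt' with the public key; None if the result cannot be a valid blob."""
    n, e = pub
    m = pow(int.from_bytes(ciphertext, "big"), e, n)
    if m >= 1 << (8 * BLOB_LEN):          # wrong key or tampered ciphertext
        return None
    raw = m.to_bytes(BLOB_LEN, "big")
    return raw[:ID_LEN], raw[ID_LEN:2 * ID_LEN], raw[2 * ID_LEN:]


@dataclass
class Region:
    name: str
    ciphertext: bytes          # sealed CPUID || FLASHID || entry code, stored beside the image
    next_pub: Optional[Key]    # public key for the following region (BOOTLOADER holds MIDWARE's, ...)


def build_device(cpuid: bytes, flashid: bytes, seed: Optional[int] = None) -> Tuple[Key, List[Region]]:
    """Factory provisioning: three key pairs, one sealed blob per region.  Returns (BOOTROM key, regions)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    keys = [generate_keypair(rng=rng) for _ in range(3)]
    regions = []
    for i, name in enumerate(["BOOTLOADER", "MIDWARE", "APP"]):
        entry_code = name.encode().ljust(ENTRY_LEN, b"\0")   # stands in for the real entry-code bytes
        next_pub = keys[i + 1][0] if i + 1 < len(keys) else None
        regions.append(Region(name, seal_region(keys[i][1], cpuid, flashid, entry_code), next_pub))
    return keys[0][0], regions


def verify_chain(bootrom_pub: Key, regions: List[Region],
                 board_cpuid: bytes, board_flashid: bytes) -> Tuple[List[str], str]:
    """Steps S302-S330: decrypt, compare with the IDs read from the board, run, fetch the next key."""
    pub, executed = bootrom_pub, []
    for region in regions:
        opened = open_region(pub, region.ciphertext)
        if opened is None:
            return executed, f"{region.name}: decryption failed, halting (S330)"
        cpuid, flashid, _entry_code = opened
        if not (hmac.compare_digest(cpuid, board_cpuid) and hmac.compare_digest(flashid, board_flashid)):
            return executed, f"{region.name}: ID mismatch, halting (S330)"
        executed.append(region.name)     # the real device jumps to _entry_code here
        pub = region.next_pub
    return executed, "ok"


if __name__ == "__main__":
    cpuid = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample IDs
    flashid = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    bootrom_pub, regions = build_device(cpuid, flashid)
    print(verify_chain(bootrom_pub, regions, cpuid, flashid))
    # The same FLASH contents copied onto a board with a different CPU:
    print(verify_chain(bootrom_pub, regions, bytes(ID_LEN), flashid))
```

Running it shows the chain passing on the provisioned board and stopping at BOOTLOADER (step S330) when the same FLASH contents are checked against a different CPUID: the data still decrypts, because the public keys are unchanged, but the recovered IDs no longer match the board. Because each region carries the next region's public key, re-sealing any one region for a new board requires that region's private key, which is why the chain stands or falls on the three private keys and the first public key in the BOOTROM.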
In addition, to keep the embedded software further confidential, the number of software downloads can be counted, and a mobile terminal that reaches a certain download count can be restricted as necessary. The specific practice is as follows:
A computer placed on the INTERNET acts as the authentication SERVER. Each time the programming software used by the factory (the tool that downloads the mobile terminal software into the FLASH of a mobile terminal) programs a mobile terminal, it communicates with the authentication SERVER over the INTERNET and the two carry out an authentication process; if authentication does not pass, the programming software stops programming the mobile terminal software. Each time authentication succeeds, a counter on the authentication SERVER is incremented by one, so the number of times the mobile terminal software has been programmed is known, which effectively strengthens the security of the embedded software.
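The exchange between the factory programming software and the authentication SERVER, together with the per-terminal counter of claims 6 and 7, as an added example that is not code from the patent or from ZTE. The page says only that the two sides "carry out an authentication process" and that the server keeps a counter per terminal; the request format, keying the counter by the (CPUID, FLASHID) pair, the HMAC over the request with a key shared by the tool and the server, and the threshold of 3 downloads are assumptions made for the example.

```python
"""Download-count authentication between the factory programming tool and the server.

Added example after the patent's description and claims 6-7; not the patent's code.
Request format, HMAC authentication of the tool and the threshold are assumptions.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

DOWNLOAD_LIMIT = 3  # assumed threshold; the patent leaves the value open


def _canonical(msg: dict) -> bytes:
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, msg: dict) -> str:
    return hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()


class AuthServer:
    """Server side: one counter per terminal, keyed by (CPUID, FLASHID) (claim 7)."""

    def __init__(self, tool_key: bytes, limit: int = DOWNLOAD_LIMIT):
        self._tool_key = tool_key
        self._limit = limit
        self._counters: Dict[Tuple[str, str], int] = {}

    def handle(self, request: dict, mac: str) -> dict:
        # Assumed step: only a tool holding the shared key may consume a download slot.
        if not hmac.compare_digest(_mac(self._tool_key, request), mac):
            return {"result": "fail", "reason": "bad mac"}
        terminal = (request["cpuid"], request["flashid"])
        count = self._counters.get(terminal, 0)
        if count >= self._limit:                      # claim 7: counter not below threshold -> fail
            return {"result": "fail", "reason": "download limit reached", "count": count}
        self._counters[terminal] = count + 1          # claim 7: success -> counter + 1
        return {"result": "ok", "count": count + 1}

    def count_for(self, cpuid: str, flashid: str) -> int:
        return self._counters.get((cpuid, flashid), 0)


class ProgrammingTool:
    """Factory side: reads the IDs, asks the server, and only then writes FLASH (claim 6)."""

    def __init__(self, server: AuthServer, tool_key: bytes):
        self._server = server
        self._tool_key = tool_key
        self.flashed: List[Tuple[str, str]] = []      # terminals actually programmed

    def program(self, cpuid: bytes, flashid: bytes) -> bool:
        request = {"cpuid": cpuid.hex(), "flashid": flashid.hex()}
        reply = self._server.handle(request, _mac(self._tool_key, request))
        if reply["result"] != "ok":
            return False                              # claim 6: authentication failed, stop the download
        self.flashed.append((cpuid.hex(), flashid.hex()))   # the real tool writes the image here
        return True


if __name__ == "__main__":
    key = b"constructed-shared-tool-key"
    server = AuthServer(key, limit=DOWNLOAD_LIMIT)
    tool = ProgrammingTool(server, key)
    cpuid, flashid = bytes(range(16)), bytes(range(16, 32))   # constructed sample IDs
    print([tool.program(cpuid, flashid) for _ in range(DOWNLOAD_LIMIT + 1)])   # last one refused
    print(server.count_for(cpuid.hex(), flashid.hex()))
```

The counter is keyed by the terminal's own identifiers, so a second board keeps its own count, and the tool never writes the image unless the server answered "ok". The shared-key MAC is the example's stand-in for the unspecified "authentication process"; without some such check anyone on the INTERNET could consume a terminal's download slots or increment its counter.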
As can be seen from the above description, the present invention achieves the following technical effects:
(1) it can effectively resist existing cracking means and greatly strengthens the security of the mobile terminal;
(2) by restricting the number of downloads, it further guarantees the confidentiality and security of the mobile terminal software.
Obviously, those skilled in the art should understand that each of the above modules or steps of the present invention can be implemented with general-purpose computing devices; they can be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; or they can each be made into separate integrated-circuit modules, or several of the modules or steps can be made into a single integrated-circuit module. Thus the present invention is not limited to any particular combination of hardware and software.
The above are only preferred embodiments of the present invention and do not limit it; for those skilled in the art, the present invention can have various changes and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (12)

1. A system-data anti-cloning method for a mobile terminal, characterized in that it comprises:
the mobile terminal starting from an on-chip memory, the on-chip memory being located in the microprocessor of the mobile terminal; and
decrypting, loading and executing the system data stored in the flash memory of the mobile terminal using a public key stored in the on-chip memory.
2. The method according to claim 1, characterized in that the system data stored in the flash memory comprises boot-program data, middle-layer software data and application-layer software data, the middle-layer software data comprising operating-system data and driver data; the boot program is stored in a boot-program region, the middle-layer software in a middle-layer software region and the application-layer software in an application-layer software region;
wherein the boot-program region also stores first encrypted data encrypted with a first private key, the encrypted data comprising the CPUID, the FLASHID and the entry code of the boot-program region, the CPUID being the identification mark of the microprocessor and the FLASHID the identification mark of the flash memory;
the middle-layer software region also stores second encrypted data encrypted with a second private key, the encrypted data comprising the CPUID, the FLASHID and the entry code of the middle-layer software region; and
the application-layer software region also stores third encrypted data encrypted with a third private key, the encrypted data comprising the CPUID, the FLASHID and the entry code of the application-layer software region.
3. The method according to claim 2, characterized in that the public key stored in the on-chip memory is a first public key for decrypting the first encrypted data, and decrypting, loading and executing the system data stored in the flash memory using the public key stored in the on-chip memory comprises:
decrypting the first encrypted data with the first public key, and obtaining the CPUID and FLASHID in the first encrypted data;
authenticating the CPUID and FLASHID obtained from the first encrypted data;
if authentication succeeds, loading and executing the boot-program data according to the entry code of the boot-program region obtained by decrypting the first encrypted data;
decrypting the second encrypted data with a second public key, stored in the boot-program region, for decrypting the second encrypted data, and obtaining the CPUID and FLASHID in the second encrypted data;
authenticating the CPUID and FLASHID obtained from the second encrypted data;
if authentication succeeds, loading and executing the middle-layer software data according to the entry code of the middle-layer software region obtained by decrypting the second encrypted data;
decrypting the third encrypted data with a third public key, stored in the middle-layer software region, for decrypting the third encrypted data, and obtaining the CPUID and FLASHID in the third encrypted data;
authenticating the CPUID and FLASHID obtained from the third encrypted data;
if authentication succeeds, loading and executing the application-layer software data according to the entry code of the application-layer software region obtained by decrypting the third encrypted data.
4. The method according to claim 3, characterized in that it further comprises:
if authentication fails, stopping the loading and execution of the system data in the flash memory and shutting down the mobile terminal.
5. The method according to claim 3 or 4, characterized in that authenticating the obtained CPUID and FLASHID comprises:
judging whether the obtained CPUID is identical to the CPUID read from the circuit board of the mobile terminal and the obtained FLASHID is identical to the FLASHID read from the circuit board;
if so, judging that authentication succeeds;
otherwise, judging that authentication fails.
6. The method according to claim 1, characterized in that, before decrypting, loading and executing the system data stored in the flash memory using the public key stored in the on-chip memory, it further comprises:
downloading the system data and storing it in the flash memory;
wherein, during the download, the identification mark of the microprocessor and the identification mark of the flash memory are obtained and sent to an authentication server;
the authentication server authenticates according to the received identification mark of the microprocessor and identification mark of the flash memory and returns the authentication result; and
if the authentication result is failure, the download is stopped.
7. The method according to claim 6, characterized in that a counter corresponding to the mobile terminal, for counting the number of times system data has been downloaded to the flash memory, is set in advance in the authentication server, and the authentication server authenticating according to the received identification mark of the microprocessor and identification mark of the flash memory comprises:
judging whether the value of the counter corresponding to the mobile terminal is less than a preset download-count threshold;
if not, judging that authentication fails;
if so, judging that authentication succeeds and incrementing the counter by 1.
8. A mobile terminal, characterized in that it comprises a microprocessor and a flash memory, the microprocessor containing an on-chip memory, and the mobile terminal beginning to start from the on-chip memory when it is powered on, wherein
the on-chip memory stores a public key used to decrypt, load and execute the system data stored in the flash memory.
9. The mobile terminal according to claim 8, characterized in that the system data stored in the flash memory comprises boot-program data, middle-layer software data and application-layer software data, the middle-layer software data comprising operating-system data and driver data; the boot program is stored in a boot-program region, the middle-layer software in a middle-layer software region and the application-layer software in an application-layer software region;
wherein the boot-program region also stores first encrypted data encrypted with a first private key, the encrypted data comprising the CPUID, the FLASHID and the entry code of the boot-program region, the CPUID being the identification mark of the microprocessor and the FLASHID the identification mark of the flash memory;
the middle-layer software region also stores second encrypted data encrypted with a second private key, the encrypted data comprising the CPUID, the FLASHID and the entry code of the middle-layer software region; and
the application-layer software region also stores third encrypted data encrypted with a third private key, the encrypted data comprising the CPUID, the FLASHID and the entry code of the application-layer software region.
10. The mobile terminal according to claim 9, characterized in that the public key stored in the on-chip memory is a first public key for decrypting the first encrypted data, and the flash memory further comprises:
an acquisition module, for decrypting the first encrypted data with the first public key and obtaining the CPUID and FLASHID in the first encrypted data; for decrypting the second encrypted data with a second public key, stored in the boot-program region, for decrypting the second encrypted data, and obtaining the CPUID and FLASHID in the second encrypted data; and for decrypting the third encrypted data with a third public key, stored in the middle-layer software region, for decrypting the third encrypted data, and obtaining the CPUID and FLASHID in the third encrypted data;
an authentication module, for authenticating the CPUID and FLASHID obtained from the first encrypted data; for authenticating the CPUID and FLASHID obtained from the second encrypted data; and for authenticating the CPUID and FLASHID obtained from the third encrypted data;
a load-and-execution module, for loading and executing the boot-program data according to the entry code of the boot-program region obtained by decrypting the first encrypted data when the authentication result of the authentication module is success; for loading and executing the middle-layer software data according to the entry code of the middle-layer software region obtained by decrypting the second encrypted data when the authentication result of the authentication module is success; and for loading and executing the application-layer software data according to the entry code of the application-layer software region obtained by decrypting the third encrypted data when the authentication result of the authentication module is success.
11. The mobile terminal according to claim 10, characterized in that the load-and-execution module is further used to stop loading and executing the system data in the flash memory and to shut down the mobile terminal when the authentication result of the authentication module is failure.
12. The mobile terminal according to claim 10 or 11, characterized in that the authentication module is further used to judge whether the obtained CPUID is identical to the CPUID read from the circuit board of the mobile terminal and the obtained FLASHID is identical to the FLASHID read from the circuit board; if so, to judge that authentication succeeds; otherwise, to judge that authentication fails.
CN200910209640.2A 2009-11-02 2009-11-02 Mobile terminal and system data anti-cloning method thereof Active CN102056339B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200910209640.2A CN102056339B (en) 2009-11-02 2009-11-02 Mobile terminal and system data anti-cloning method thereof
PCT/CN2010/076630 WO2011050655A1 (en) 2009-11-02 2010-09-03 Mobile terminal and method for system data anti-cloning thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910209640.2A CN102056339B (en) 2009-11-02 2009-11-02 Mobile terminal and system data anti-cloning method thereof

Publications (2)

Publication Number Publication Date
CN102056339A true CN102056339A (en) 2011-05-11
CN102056339B CN102056339B (en) 2015-06-03

Family

ID=43921304

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910209640.2A Active CN102056339B (en) 2009-11-02 2009-11-02 Mobile terminal and system data anti-cloning method thereof

Country Status (2)

Country Link
CN (1) CN102056339B (en)
WO (1) WO2011050655A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106201925A (en) * 2016-07-01 2016-12-07 四川效率源信息安全技术股份有限公司 A kind of decryption method of western number hard disk

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116595594A (en) * 2023-05-19 2023-08-15 无锡摩芯半导体有限公司 FLASH safety control method based on UCB

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002026902A (en) * 2000-07-10 2002-01-25 Matsushita Electric Ind Co Ltd Receiver terminal
FR2852777B1 (en) * 2003-03-21 2005-06-10 Gemplus Card Int METHOD FOR PROTECTING A MOBILE TELEPHONE TELECOMMUNICATION TERMINAL
DE602006020288D1 (en) * 2005-08-03 2011-04-07 St Ericsson Sa SAFE DEVICE, ROUTINE AND METHOD FOR PROTECTING A SECRET KEY
CN1936843B (en) * 2006-10-23 2011-02-16 北京飞天诚信科技有限公司 Smart key device of internal memory apparatus and using method
US8904552B2 (en) * 2007-04-17 2014-12-02 Samsung Electronics Co., Ltd. System and method for protecting data information stored in storage
US20090024784A1 (en) * 2007-07-20 2009-01-22 Wang Liang-Yun Method for writing data into storage on chip and system thereof

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106201925A (en) * 2016-07-01 2016-12-07 四川效率源信息安全技术股份有限公司 A kind of decryption method of western number hard disk
CN106201925B (en) * 2016-07-01 2019-03-22 四川效率源信息安全技术股份有限公司 A kind of decryption method of western number hard disk

Also Published As

Publication number Publication date
WO2011050655A1 (en) 2011-05-05
CN102056339B (en) 2015-06-03


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20201228

Address after: 274300 Shanxian economic and Technological Development Zone, Heze City, Shandong Province

Patentee after: SHANDONG YUHETANG PHARMACEUTICAL Co.,Ltd.

Address before: 518057 No. 55 South Science and technology road, Shenzhen, Guangdong, Nanshan District

Patentee before: ZTE Corp.

TR01 Transfer of patent right