CN104035890B - Encryption method and system for SRAM-based programmable gate array chips - Google Patents

Info

Publication number: CN104035890B
Authority: CN
Grant status: Grant
Prior art keywords: circuit, authorization, service, information, corresponding
Application number: CN 201410258908
Other languages: Chinese (zh)
Other versions: CN104035890A (en)
Inventor: 罗彬�, 伏德雨, 薛飞, 汪顺长, 陈东
Original Assignee: 丽水博远科技有限公司

Abstract

The present invention discloses an encryption method and system for SRAM-based programmable gate array chips. Building on the existing encryption approaches, a corresponding authorization circuit is provided for each configured service function circuit. When a particular service function circuit needs to operate, its corresponding authorization circuit sends a service request to a coprocessor according to the function of that service function circuit, and the coprocessor generates a key seed. The microprocessor and the authorization circuit establish a temporary encrypted data channel based on the key seed; the authorization circuit authorizes its corresponding service function circuit to operate and sends the processing result of the service function circuit to the microprocessor in the data format, length and encryption mode required by the microprocessor. This provides dynamic encryption protection during service processing, increasing the reliability of the system and the difficulty of cracking it.

Description

Encryption method and system for SRAM-based programmable gate array chips

Technical Field

[0001] The present invention relates to the field of static random access memory (SRAM) based field-programmable gate array (FPGA) design, and in particular to an encryption method and system for SRAM-based programmable gate array chips.

Background

[0002] Field-programmable gate arrays (FPGAs) are widely used because of their speed, high density, low price and the flexibility of in-system upgrades. The process of loading an FPGA design program into an FPGA chip is generally called configuring the FPGA chip; once configured, the FPGA has the function the user requires. In normal operation, the FPGA chip's configuration data is stored in the FPGA's programming elements, which are SRAM (static random access memory). Because SRAM is volatile, the configuration information in the FPGA chip is lost after power-down, so the FPGA chip must be reconfigured every time the system powers up. This makes it possible to clone a design by monitoring the FPGA chip's configuration data stream.

[0003] The usual cloning technique uses a circuit to sample the data pins that configure the FPGA; the recorded configuration data can then be used to configure another FPGA chip, which clones the circuit configured inside the FPGA.

[0004] To counter such cloning, the prior art commonly uses the following two approaches:

[0005] 1. Built-in encryption chip approach: a decryption module is provided inside the FPGA chip. On power-up, an FPGA chip with an internal decryption module receives encrypted configuration data, the decryption module decrypts it, and the circuits in the FPGA chip are then configured with their service functions. When the cloning technique described above is used, sampling the configuration data stream with a circuit yields the encrypted configuration data stream, but the encrypted stream cannot be used to configure service functions on another FPGA chip, so the FPGA chip is well protected. This approach is simple and practical, but the cost of encryption is high, so most FPGAs, especially mid-range and low-end ones, do not have this encryption capability.

[0006] 2. External encryption chip approach: an encryption chip is placed outside the FPGA chip, as shown in FIG. 1. First, after power-up, the FPGA chip receives the configuration data and uses it to configure circuits into service function circuits, which are held in a waiting state and do not operate. Both the FPGA and the peripheral encryption chip contain a key module and implement the same encryption algorithm. After the FPGA chip has received the configuration data stream, the random number generation module in the FPGA chip generates a random number and sends it to the receiving module in the encryption chip. The first sequence encryptor in the FPGA chip computes a first check code from the key supplied by the key module and the random number, and sends it to the comparator in the FPGA chip. At the same time, the second sequence encryptor in the encryption chip, which is identical to the first sequence encryptor, computes a second check code from the key supplied by the encryption chip's key module and the received random number, and sends it through the encryption chip's output circuit to the comparator in the FPGA chip. The comparator compares the first and second check codes: if they match, the configured circuits in the FPGA chip are enabled; if they do not match, the configured circuits are not enabled. With this approach, even if the configuration data is obtained with existing cloning techniques, the cloned FPGA configuration circuit cannot work properly because it never receives the start signal, so the FPGA chip is protected.
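The power-up check of paragraph [0006], modelled in software as an added example (not part of the patent). HMAC-SHA256 as the check-code algorithm, the 16-byte random number and all class and function names are assumptions; the page only says both sides share a key and run the same algorithm.

```python
import hashlib
import hmac
import secrets


def check_code(key: bytes, random_number: bytes) -> bytes:
    """Check code from key + random number. HMAC-SHA256 is an assumption:
    the page only says both sides implement the same algorithm."""
    return hmac.new(key, random_number, hashlib.sha256).digest()


class EncryptionChip:
    """External chip: key module plus the second sequence encryptor."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, random_number: bytes) -> bytes:
        return check_code(self._key, random_number)


class FixedAnswerChip:
    """Constructed stand-in for a board without the genuine chip: it can only
    return a check code recorded during some earlier power-up."""

    def __init__(self, recorded: bytes):
        self._recorded = recorded

    def respond(self, random_number: bytes) -> bytes:
        return self._recorded


class Fpga:
    """FPGA side: random number module, first encryptor and comparator."""

    def __init__(self, key: bytes):
        self._key = key
        self.circuits_enabled = False  # configured circuits start in the waiting state

    def power_up(self, chip) -> bool:
        random_number = secrets.token_bytes(16)   # fresh on every power-up
        first = check_code(self._key, random_number)
        second = chip.respond(random_number)
        # Comparator: constant-time comparison, enable only on a match.
        self.circuits_enabled = hmac.compare_digest(first, second)
        return self.circuits_enabled


def demo() -> dict:
    key = secrets.token_bytes(32)                 # constructed shared key
    genuine = EncryptionChip(key)
    recorded = genuine.respond(secrets.token_bytes(16))  # answer to an old random number
    return {
        "genuine_board": Fpga(key).power_up(genuine),
        "chip_with_other_key": Fpga(key).power_up(EncryptionChip(secrets.token_bytes(32))),
        "recorded_answer": Fpga(key).power_up(FixedAnswerChip(recorded)),
    }


if __name__ == "__main__":
    print(demo())
```

Only the board whose chip holds the matching key enables the configured circuits; a recorded answer fails because the random number changes on each power-up.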

[0007] Although both approaches protect the FPGA chip to some extent, in both of them the key operates only once and is easy to crack, so the protection of the FPGA chip needs to be improved further.

Summary

[0008] In view of this, the main object of the present invention is to provide an encryption method and system for SRAM-based programmable gate array chips, so as to improve the reliability of FPGA chip encryption.

[0009] To achieve the above object, the present invention provides an encryption method for SRAM-based programmable gate array chips, comprising:

[0010] Initialization configuration step:

[0011] an external memory sends configuration data to the FPGA chip, the configuration data comprising first configuration information for configuring service function circuits and second configuration information for configuring authorization circuits corresponding to the service function circuits;

[0012] the FPGA chip configures its circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to the service function circuits, holds the service function circuits in a waiting state, and places the authorization circuits in a working state;

[0013] Service processing step:

[0014] when a service function circuit needs to operate, the authorization circuit corresponding to that service function circuit initiates a service request to the coprocessor;

[0015] the coprocessor generates a key seed according to the service request, sends the key seed to the microprocessor and the authorization circuit, and sends the service request to the microprocessor;

[0016] the microprocessor generates authorization information according to the service request, encrypts the authorization information with the key seed to obtain authorization information ciphertext, and sends the authorization information ciphertext to the authorization circuit;

[0017] the authorization circuit decrypts the authorization information ciphertext with the key seed to obtain the plaintext of the authorization information, and then authorizes its corresponding service function circuit to enter the working state.

[0018] Further, the first configuration information includes function level information of the service function circuits it configures, and the second configuration information includes correspondence information under which service function circuits of different levels correspond to different authorization circuits and service function circuits of the same level correspond to the same authorization circuit.

[0019] Further, in the service processing step, the service request includes the function level information of the service function circuit corresponding to the authorization circuit;

[0020] the coprocessor generates a corresponding unique key seed according to the function level information in the service request.

[0021] Further, the microprocessor generating authorization information according to the service information, encrypting the authorization information with the key seed to obtain authorization information ciphertext, and sending the authorization information ciphertext to the authorization circuit comprises:

[0022] the microprocessor verifies whether the key seed repeats the key seed received last time; if it repeats, this service request is not processed; if it does not repeat, the microprocessor generates authorization information according to the service information, encrypts the authorization information with the key seed, and sends the authorization information ciphertext to the authorization circuit; the authorization information includes the data format, length and encryption mode of the processing result to be provided by the authorization circuit.

[0023] Further, the authorization circuit decrypting the authorization information ciphertext with the key seed to obtain the plaintext of the authorization information and then authorizing its corresponding service function circuit to enter the working state comprises:

[0024] the authorization circuit decrypts the authorization information ciphertext with the key seed to obtain the plaintext of the authorization information, and then authorizes its corresponding service function circuit to enter the working state;

[0025] the service function circuit starts working, and the processing result of the service function circuit is sent to the microprocessor in the data format, length and encryption mode required by the microprocessor.

[0026] Further, after the authorization circuit has sent the processing result to the microprocessor in the data format, length and encryption mode required by the microprocessor, it sends service completion information to the microprocessor; on receiving the service completion information, the microprocessor clears its cached data.

[0027] Further, the FPGA chip configuring its circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to the service function circuits, holding the service function circuits in a waiting state, and placing the authorization circuits in a working state comprises:

[0028] the FPGA chip configures its circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to the service function circuits, and holds both the service function circuits and the authorization circuits in a waiting state;

[0029] the FPGA chip generates a random number, generates a first check code from a built-in first key and the random number, and sends the random number to a peripheral encryption chip; the peripheral encryption chip receives the random number, generates a second check code from a built-in second key and the random number, and sends the second check code to the FPGA chip;

[0030] the FPGA chip compares the first check code with the second check code and, when they match, places the authorization circuits in the working state.

[0031] Further, the FPGA chip configuring its circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to the service function circuits, holding the service function circuits in a waiting state, and placing the authorization circuits in a working state comprises:

[0032] the configuration data is encrypted configuration data; the FPGA chip decrypts the encrypted configuration data and configures its circuits to form the service function circuits and the authorization circuits corresponding to the service function circuits, holds the service function circuits in a waiting state, and places the authorization circuits in the working state.

[0033] The present invention further provides an encryption system for SRAM-based programmable gate array chips, comprising an external memory, an FPGA chip, a coprocessor and a microprocessor;

[0034] the external memory is configured to send configuration data to the FPGA chip, the configuration data comprising first configuration information for configuring service function circuits and second configuration information for configuring authorization circuits corresponding to the function circuits;

[0035] the FPGA chip comprises a configuration module, the configuration module being configured to configure the circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to the service function circuits, to hold the service function circuits in a waiting state, and to place the authorization circuits in a working state;

[0036] when a service function circuit needs to operate, the authorization circuit corresponding to that service function circuit is configured to initiate a service request to the coprocessor, to receive the key seed and the authorization information ciphertext, and, after decrypting the authorization information with the key seed to obtain the authorization information plaintext, to authorize its corresponding service function circuit to enter the working state;

[0037] the coprocessor is configured to generate a key seed according to the service request, to send the key seed to the microprocessor and the authorization circuit, and to send the service request to the microprocessor;

[0038] the microprocessor is configured to generate authorization information according to the service request, to encrypt the authorization information with the key seed to obtain authorization information ciphertext, and to send the authorization information ciphertext to the authorization circuit.

[0039] Further, the first configuration information includes function level information of the service function circuits it configures, and the second configuration information includes correspondence information under which service function circuits of different levels correspond to different authorization circuits and service function circuits of the same level correspond to the same authorization circuit.

[0040] Further, the service request includes the function level information of the service function circuit corresponding to the authorization circuit;

[0041] the coprocessor is configured to generate a corresponding unique key seed according to the function level information in the service request.

[0042] Further, the microprocessor is configured to verify whether the key seed repeats the key seed received last time and, if it repeats, to generate authorization information according to the service information, encrypt the authorization information with the key seed, and send the authorization information ciphertext to the authorization circuit; the authorization information includes the data format, length and encryption mode of the processing result to be provided by the authorization circuit.

[0043] Further, after decrypting the authorization information with the key seed to obtain the authorization information plaintext and authorizing its corresponding service function circuit to start working, the authorization circuit is further configured to send the processing result of the service function circuit to the microprocessor in the data format, length and encryption mode required by the microprocessor.

[0044] Further, the authorization circuit is configured to send service completion information to the microprocessor after sending the processing result to the microprocessor in the data format, length and encryption mode required by the microprocessor;

[0045] the microprocessor is configured to clear its cached data after receiving the service completion information.

[0046] Further, the encryption system for SRAM-based programmable gate array chips further comprises a peripheral encryption chip, the peripheral encryption chip comprising a second key unit and a second check code generation unit; the configuration module of the FPGA module comprises a configuration unit, a random number generation unit, a first key unit, a first check code generation unit and a comparison unit;

[0047] wherein the configuration unit is configured to configure the circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to the service function circuits, and to hold the service function circuits and the authorization circuits in a waiting state;

[0048] the random number generation unit is configured to generate a random number and to send the random number to the peripheral encryption chip and the first check code generation unit;

[0049] the first key unit holds a built-in first key, and the first check code generation unit is configured to generate a first check code from the built-in first key and the random number;

[0050] the comparison unit is configured to receive the second check code sent by the peripheral encryption chip, to compare the first check code with the second check code and, when they match, to place the authorization circuits in the working state;

[0051] the second key unit holds a built-in second key, and the second check code generation unit is configured to generate a second check code from the built-in second key and the random number and to send the second check code to the comparison unit.

[0052] Further, the configuration module of the FPGA module comprises a configuration unit and a decryption unit, and the configuration data is encrypted configuration data; the decryption unit is configured to decrypt the encrypted configuration data, and the configuration unit is configured to configure the circuits to form the service function circuits and the authorization circuits corresponding to the service function circuits, to hold the service function circuits in a waiting state, and to place the authorization circuits in the working state.

[0053] With the encryption method and system for SRAM-based programmable gate array chips provided by the present invention, a corresponding authorization circuit is provided, on top of the existing encryption approaches, for each configured service function circuit. When a particular service function circuit needs to operate, its corresponding authorization circuit sends a service request to the coprocessor according to the function of that service function circuit, and the coprocessor generates a key seed. The microprocessor and the authorization circuit establish a temporary encrypted data channel based on the key seed; the authorization circuit authorizes its corresponding service function circuit to operate and sends the processing result of the service function circuit to the microprocessor in the data format, length and encryption mode required by the microprocessor. This provides dynamic encryption protection during service processing, increasing the reliability of the system and the difficulty of cracking it.

Brief Description of the Drawings

[0054] FIG. 1 is a schematic diagram of the prior-art external encryption chip encryption method;

[0055] FIG. 2 is a flowchart of the encryption method for SRAM-based programmable gate array chips according to the present invention;

[0056] FIGS. 3a and 3b are flowcharts of one embodiment of the encryption method for SRAM-based programmable gate array chips according to the present invention;

[0057] FIG. 4 is a structural diagram of the encryption system for SRAM-based programmable gate array chips corresponding to the method embodiment shown in FIGS. 3a and 3b;

[0058] FIG. 5 is a flowchart of another embodiment of the encryption method for SRAM-based programmable gate array chips according to the present invention;

[0059] FIG. 6 is a structural diagram of the encryption system for SRAM-based programmable gate array chips corresponding to the embodiment shown in FIG. 5.

Detailed Description

[0060] To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.

[0061] The present invention provides an encryption method for SRAM-based programmable gate array chips which, as shown in FIG. 2, comprises:

[0062] Initialization configuration step:

[0063] an external memory sends configuration data to the FPGA chip, the configuration data comprising first configuration information for configuring service function circuits and second configuration information for configuring authorization circuits corresponding to the service function circuits;

[0064] the FPGA chip configures its circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to the service function circuits, holds the service function circuits in a waiting state, and places the authorization circuits in a working state;

[0065] Service processing step:

[0066] when a service function circuit needs to operate, the authorization circuit corresponding to that service function circuit initiates a service request to the coprocessor;

[0067] the coprocessor generates a key seed according to the service request, sends the key seed to the microprocessor and the authorization circuit, and sends the service request to the microprocessor;

[0068] the microprocessor generates authorization information according to the service request, encrypts the authorization information with the key seed to obtain authorization information ciphertext, and sends the authorization information ciphertext to the authorization circuit;

[0069] the authorization circuit decrypts the authorization information ciphertext with the key seed to obtain the plaintext of the authorization information, and then authorizes its corresponding service function circuit to enter the working state.

[0070] The encryption method of the present application for SRAM-based programmable gate array chips is described in detail below in combination with each of the two approaches, the built-in encryption chip approach and the external encryption chip approach.

[0071] Embodiment 1:

[0072] This embodiment takes the combination with the external encryption chip approach as an example and describes the flow of the encryption method of the present application in detail, as follows:

[0073] In this embodiment, the encryption method comprises:

[0074] Initialization configuration step, as shown in FIG. 3a:

[0075] The external memory sends configuration data to the FPGA chip. The configuration data comprises first configuration information for configuring service function circuits and second configuration information for configuring authorization circuits corresponding to the service function circuits. The first configuration information includes function level information of the service function circuits it configures, and the second configuration information includes correspondence information under which service function circuits of different levels correspond to different authorization circuits and service function circuits of the same level correspond to the same authorization circuit. For example, the service function circuits can be graded in advance according to the functions they implement and divided into basic service function circuits, low-level service function circuits, high-level service function circuits and core service function circuits; service function circuits of different levels correspond to different authorization circuits, and service function circuits of the same level correspond to the same authorization circuit;

[0076] the FPGA chip configures its circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to the service function circuits, and holds both the service function circuits and the authorization circuits in a waiting state;

[0077] the FPGA chip generates a random number, generates a first check code from the built-in first key and the random number, and sends the random number to the peripheral encryption chip; the peripheral encryption chip receives the random number, generates a second check code from the built-in second key and the random number, and sends the second check code to the FPGA chip;

[0078] the FPGA chip compares the first check code with the second check code and, when they match, places the authorization circuits in the working state;

[0079] 业务处理步骤,如图3b所示: [0079] Business process step, shown in Figure 3b:

[0080]当需要业务功能电路进行工作时,与该业务功能电路对应的授权电路向协处理器发起服务请求;服务请求包括授权电路对应的业务功能电路的功能等级信息; [0080] When the required service function circuit operates, the coprocessor initiates a service request to the service authorized circuit corresponding to the circuit function; service request functional level functional circuit information includes service circuit corresponding authorization;

[0081] The coprocessor generates a key seed according to the function level information in the service request, sends the key seed to the microprocessor and to the authorization circuit, and sends the service request to the microprocessor. The key seed can be generated in a preset manner. Following the function levels defined above, for the function level information of a low-level service function circuit the coprocessor generates a 128-bit key seed as in the AES encryption standard; for the function level information of a high-level service function circuit it generates a 192-bit key seed as in the AES encryption standard; and for the function level information of a core service function circuit it generates a 256-bit key seed as in the AES encryption standard. Each of these key seeds is unique and never repeated;

[0082] After receiving the key seed, the microprocessor first verifies whether the key seed repeats the previously received key seed. If it repeats, the microprocessor does not process this service request. If it does not repeat, the microprocessor generates authorization information according to the service request, encrypts the authorization information with the key seed, and sends the authorization information ciphertext to the authorization circuit. In this embodiment, the authorization information includes the data format, length and encryption mode of the processing results provided by the authorization circuit;

[0083] After the authorization circuit decrypts the authorization information ciphertext with the key seed and obtains the plaintext of the authorization information, it authorizes its corresponding service function circuit to enter the working state; the service function circuit starts working, and the authorization circuit sends the processing results of the service function circuit to the microprocessor in the data format, length and encryption mode required by the microprocessor.

[0084] In this embodiment, preferably, after the authorization circuit has sent the processing results to the microprocessor in the data format, length and encryption mode required by the microprocessor, it sends a service completion message to the microprocessor; after receiving the service completion message, the microprocessor clears its cached data, so as to achieve better protection.
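The initialization check of [0077]-[0078] and the service processing exchange of [0080]-[0083] can be simulated end to end; the following is an added example, not code from the patent. It assumes HMAC-SHA256 for the check code (the patent names no algorithm) and uses an HMAC-based keystream with an authentication tag as a stand-in for AES, which the Python standard library lacks; the class names, level labels and authorization field values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Key-seed size in bytes per function level, per paragraph [0081].
# The level names "low", "high" and "core" are labels chosen for this example.
SEED_BYTES = {"low": 16, "high": 24, "core": 32}


def check_code(key: bytes, random_number: bytes) -> bytes:
    """Check code over the random number (HMAC-SHA256 is an assumption)."""
    return hmac.new(key, random_number, hashlib.sha256).digest()


def init_handshake(first_key: bytes, second_key: bytes) -> bool:
    """[0077]-[0078]: True means the authorization circuits may start working."""
    random_number = secrets.token_bytes(16)          # generated in the FPGA
    first = check_code(first_key, random_number)     # computed in the FPGA
    second = check_code(second_key, random_number)   # computed in the peripheral chip
    return hmac.compare_digest(first, second)        # constant-time comparison


def _subkey(seed: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one key seed."""
    return hmac.new(seed, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for AES)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(seed: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate under the key seed: nonce || body || tag."""
    nonce = secrets.token_bytes(12)
    body = _xor_stream(_subkey(seed, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(seed, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(seed: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; ValueError on a wrong seed or tampering."""
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(seed, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authorization ciphertext failed verification")
    return _xor_stream(_subkey(seed, b"enc"), nonce, body)


class Coprocessor:
    def new_seed(self, request: dict) -> bytes:
        """[0081]: fresh random seed sized by the requested function level."""
        return secrets.token_bytes(SEED_BYTES[request["level"]])


class Microprocessor:
    def __init__(self):
        self.last_seed = None

    def handle(self, seed: bytes, request: dict):
        """[0082]: ignore a request whose seed repeats the previous one."""
        if self.last_seed is not None and hmac.compare_digest(seed, self.last_seed):
            return None
        self.last_seed = seed
        # Constructed authorization information: format, length, encryption mode.
        info = {"format": "raw", "length": 64, "encryption": f"AES-{len(seed) * 8}"}
        return seal(seed, json.dumps(info).encode())


class AuthorizationCircuit:
    def __init__(self, level: str):
        self.level = level
        self.service_circuit_working = False

    def service_request(self) -> dict:
        return {"level": self.level}                 # [0080]

    def receive(self, seed: bytes, ciphertext: bytes):
        """[0083]: enable the service function circuit only if decryption succeeds."""
        try:
            info = json.loads(unseal(seed, ciphertext))
        except ValueError:
            return None
        self.service_circuit_working = True
        return info


def run_service(level: str, micro: Microprocessor, seed: bytes = None):
    """One pass of the service processing step; returns the authorization info or None."""
    circuit = AuthorizationCircuit(level)
    request = circuit.service_request()
    seed = seed or Coprocessor().new_seed(request)
    ciphertext = micro.handle(seed, request)
    return None if ciphertext is None else circuit.receive(seed, ciphertext)
```

As in [0082], `Microprocessor.handle` compares the new seed only with the one received immediately before it, so uniqueness across a longer history rests on the coprocessor's seed generation.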

[0085] Corresponding to the method flow of this embodiment described above, this embodiment also constitutes an encryption system for a programmable gate array chip based on static random access memory, as shown in Figure 4, comprising: an external memory, an FPGA chip, a peripheral encryption chip, a coprocessor and a microprocessor;

[0086] The external memory is used to send configuration data to the FPGA chip; the configuration data includes first configuration information for configuring the service function circuits and second configuration information for configuring the authorization circuits corresponding to the function circuits;

[0087] The FPGA chip includes a configuration module. The configuration module is used to configure the circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to them, to place the service function circuits in a waiting state, and to place the authorization circuits in the working state. The configuration module includes a configuration unit, a random number generation unit, a first key unit, a first check code generation unit and a comparison unit; the peripheral encryption chip includes a second key unit and a second check code generation unit. The configuration unit is used to configure the circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to them, placing the service function circuits and the authorization circuits in a waiting state. The random number generation unit is used to generate a random number and send it to the peripheral encryption chip and to the first check code generation unit. The first key unit holds the built-in first key, and the first check code generation unit is used to generate the first check code from the built-in first key and the random number. The comparison unit is used to receive the second check code sent by the peripheral encryption chip and to compare the first check code with the second check code; when the two match, it places the authorization circuits in the working state. The second key unit holds the built-in second key, and the second check code generation unit is used to generate the second check code from the built-in second key and the random number and to send the second check code to the comparison unit;

[0088] When a service function circuit needs to operate, the authorization circuit corresponding to that service function circuit is used to initiate a service request to the coprocessor, to receive the key seed and the authorization information ciphertext, and, after decrypting the authorization information with the key seed to obtain the authorization information plaintext, to authorize its corresponding service function circuit to enter the working state; it is also used to send the processing results of the service function circuit to the microprocessor in the data format, length and encryption mode required by the microprocessor, and to send a service completion message to the microprocessor;

[0089] The coprocessor is used to generate a key seed according to the service request, to send the key seed to the microprocessor and to the authorization circuit, and to send the service request to the microprocessor;

[0090] The microprocessor is used to verify whether the key seed repeats the previously received key seed and, if it repeats, to generate authorization information according to the service information, encrypt the authorization information with the key seed, and send the authorization information ciphertext to the authorization circuit, the authorization information including the data format, length and encryption mode of the processing results provided by the authorization circuit; and to clear its cached data after receiving the service completion message.

[0091] As in the encryption method of this embodiment described above, the first configuration information includes the function level information of the service function circuits it configures, and the second configuration information includes the correspondence under which service function circuits of different levels correspond to different authorization circuits and service function circuits of the same level correspond to the same authorization circuit; the service request includes the function level information of the service function circuit to which the authorization circuit corresponds; and the key seed generated by the coprocessor is a unique key seed generated according to the function level information in the service request.

[0092] Embodiment 2:

[0093] In this embodiment, the encryption method flow of the present application is described in detail in combination with the encryption scheme in which the FPGA has a built-in decryption module.

[0094] As shown in Figure 5, in this embodiment the encryption method includes:

[0095] Initialization and configuration step:

[0096] The external memory sends encrypted configuration data to the FPGA chip; the configuration data includes first configuration information for configuring the service function circuits and second configuration information for configuring the authorization circuits corresponding to the service function circuits;

[0097] The FPGA chip decrypts the encrypted configuration data with its built-in decryption module and configures its circuits according to the configuration data to form the service function circuits and the authorization circuits corresponding to them, places the service function circuits in a waiting state, and places the authorization circuits in the working state;

[0098] Service processing step:

[0099] When a service function circuit needs to operate, the authorization circuit corresponding to that service function circuit initiates a service request to the coprocessor; as in Embodiment 1, the service request includes the function level information of the service function circuit to which the authorization circuit corresponds;

[0100] The coprocessor generates a key seed according to the service request, sends the key seed to the microprocessor and to the authorization circuit, and sends the service request to the microprocessor. In this embodiment, as in Embodiment 1, the key seed can be generated according to the function level information in the service request. Following the function levels defined above, for the function level information of a low-level service function circuit the coprocessor generates a 128-bit key seed as in the AES encryption standard; for the function level information of a high-level service function circuit it generates a 192-bit key seed as in the AES encryption standard; and for the function level information of a core service function circuit it generates a 256-bit key seed as in the AES encryption standard. Each of these key seeds is unique and never repeated;

[0101] The microprocessor generates authorization information according to the service request, encrypts the authorization information with the key seed to obtain the authorization information ciphertext, and sends the authorization information ciphertext to the authorization circuit. In this embodiment, as in Embodiment 1, the microprocessor first has to verify the uniqueness of the key seed and sends the authorization information ciphertext encrypted with the key seed only when the verification passes; this is not repeated here;

[0102] After the authorization circuit decrypts the authorization information ciphertext with the key seed and obtains the plaintext of the authorization information, it authorizes its corresponding service function circuit to enter the working state.

[0103] It should be noted that, in this embodiment, apart from the initialization step, which differs from Embodiment 1, the details of the service processing step are the same as in Embodiment 1 and are not repeated here.

[0104] For the method flow of this embodiment, a corresponding encryption system for a programmable gate array chip based on static random access memory is also provided, as shown in Figure 6, comprising: an external memory, an FPGA chip, a coprocessor and a microprocessor, where the FPGA chip has a built-in decryption module;

[0105] The external memory is used to send encrypted configuration data to the FPGA chip; the configuration data includes first configuration information for configuring the service function circuits and second configuration information for configuring the authorization circuits corresponding to the function circuits;

[0106] The FPGA chip includes a configuration module, and the configuration module includes a configuration unit and a decryption unit. The decryption unit is used to decrypt the encrypted configuration data; the configuration unit is used to configure the circuits to form the service function circuits and the authorization circuits corresponding to them, to place the service function circuits in a waiting state, and to place the authorization circuits in the working state;

[0107] When a service function circuit needs to operate, the authorization circuit corresponding to that service function circuit is used to initiate a service request to the coprocessor, to receive the key seed and the authorization information ciphertext, and, after decrypting the authorization information with the key seed to obtain the authorization information plaintext, to authorize its corresponding service function circuit to enter the working state; it is also used to send the processing results of the service function circuit to the microprocessor in the data format, length and encryption mode required by the microprocessor, and to send a service completion message to the microprocessor;

[0108] The coprocessor is used to generate a key seed according to the service request, to send the key seed to the microprocessor and to the authorization circuit, and to send the service request to the microprocessor;

[0109] The microprocessor is used to verify whether the key seed repeats the previously received key seed and, if it repeats, to generate authorization information according to the service information, encrypt the authorization information with the key seed, and send the authorization information ciphertext to the authorization circuit, the authorization information including the data format, length and encryption mode of the processing results provided by the authorization circuit; and to clear its cached data after receiving the service completion message.

[0110] It should be noted that the service processing step in the encryption method of this embodiment is the same as in Embodiment 1. Therefore, for the functions that the coprocessor, the microprocessor, and the authorization circuits and service function circuits in the FPGA chip perform during the service processing step in the encryption system of this embodiment, reference can be made to the encryption system of Embodiment 1; they are not repeated here.

[0111] With the encryption method and system provided by the present invention, on top of the original encryption scheme, a corresponding authorization circuit is set up for each configured service function circuit. When a specific service function circuit needs to operate, its corresponding authorization circuit issues a service request to the coprocessor according to the function of that service function circuit; the coprocessor generates a key seed; the microprocessor and the authorization circuit establish a temporary encrypted data channel based on the key seed; and the authorization circuit authorizes its corresponding service function circuit to work and sends the processing results of the service function circuit to the microprocessor in the data format, length and encryption mode required by the microprocessor. This provides dynamic encryption protection during service processing and increases the reliability of the system and the difficulty of cracking it.

[0112] The above are merely preferred embodiments of the present invention and are not intended to limit the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (16)

  1. An encryption method for a programmable gate array chip based on static random access memory, characterized by comprising: an initialization and configuration step: an external memory sends configuration data to an FPGA chip, the configuration data including first configuration information for configuring a service function circuit and second configuration information for configuring an authorization circuit corresponding to the service function circuit; the FPGA chip configures its circuits according to the configuration data to form the service function circuit and the authorization circuit corresponding to the service function circuit, places the service function circuit in a waiting state, and places the authorization circuit in the working state; a service processing step: when the service function circuit needs to operate, the authorization circuit corresponding to that service function circuit initiates a service request to a coprocessor; the coprocessor generates a key seed according to the service request, sends the key seed to a microprocessor and to the authorization circuit, and sends the service request to the microprocessor; the microprocessor generates authorization information according to the service request, encrypts the authorization information with the key seed to obtain authorization information ciphertext, and sends the authorization information ciphertext to the authorization circuit; after the authorization circuit decrypts the authorization information ciphertext with the key seed and obtains the plaintext of the authorization information, it authorizes its corresponding service function circuit to enter the working state.
  2. The method according to claim 1, characterized in that the first configuration information includes the function level information of the service function circuits it configures, and the second configuration information includes the correspondence under which service function circuits of different levels correspond to different authorization circuits and service function circuits of the same level correspond to the same authorization circuit.
  3. The method according to claim 2, characterized in that, in the service processing step, the service request includes the function level information of the service function circuit to which the authorization circuit corresponds; the coprocessor generates a corresponding unique key seed according to the function level information in the service request.
  4. The method according to claim 3, characterized in that the microprocessor generating authorization information according to the service request, encrypting the authorization information with the key seed to obtain authorization information ciphertext, and sending the authorization information ciphertext to the authorization circuit comprises: the microprocessor verifies whether the key seed repeats the previously received key seed; if it repeats, the microprocessor does not process this service request; if it does not repeat, the microprocessor generates authorization information according to the service information, encrypts the authorization information with the key seed, and sends the authorization information ciphertext to the authorization circuit; the authorization information includes the data format, length and encryption mode of the processing results provided by the authorization circuit.
  5. The method according to claim 4, characterized in that the authorization circuit authorizing its corresponding service function circuit to enter the working state after decrypting the authorization information ciphertext with the key seed and obtaining the plaintext of the authorization information comprises: after the authorization circuit decrypts the authorization information ciphertext with the key seed and obtains the plaintext of the authorization information, it authorizes its corresponding service function circuit to enter the working state; the service function circuit starts working, and the processing results of the service function circuit are sent to the microprocessor in the data format, length and encryption mode required by the microprocessor.
  6. The method according to claim 5, characterized in that, after the authorization circuit has sent the processing results to the microprocessor in the data format, length and encryption mode required by the microprocessor, it sends a service completion message to the microprocessor, and the microprocessor clears its cached data after receiving the service completion message.
  7. The method according to any one of claims 1-6, characterized in that the FPGA chip configuring its circuits according to the configuration data to form the service function circuit and the authorization circuit corresponding to the service function circuit, placing the service function circuit in a waiting state, and placing the authorization circuit in the working state comprises: the FPGA chip configures its circuits according to the configuration data to form the service function circuit and the authorization circuit corresponding to the service function circuit, and places the service function circuit and the authorization circuit in a waiting state; the FPGA chip generates a random number, generates a first check code from its built-in first key and the random number, and sends the random number to a peripheral encryption chip; the peripheral encryption chip receives the random number, generates a second check code from its built-in second key and the random number, and sends the second check code to the FPGA chip; the FPGA chip compares the first check code with the second check code and, when the two match, places the authorization circuit in the working state.
  8. The method according to any one of claims 1-6, characterized in that the FPGA chip configuring its circuits according to the configuration data to form the service function circuit and the authorization circuit corresponding to the service function circuit, placing the service function circuit in a waiting state, and placing the authorization circuit in the working state comprises: the configuration data is encrypted configuration data; the FPGA chip decrypts the encrypted configuration data and configures its circuits to form the service function circuit and the authorization circuit corresponding to the service function circuit, places the service function circuit in a waiting state, and places the authorization circuit in the working state.
  9. An encryption system for a programmable gate array chip based on static random access memory, characterized by comprising an external memory, an FPGA chip, a coprocessor and a microprocessor; the external memory is used to send configuration data to the FPGA chip, the configuration data including first configuration information for configuring a service function circuit and second configuration information for configuring an authorization circuit corresponding to the function circuit; the FPGA chip includes a configuration module, the configuration module being used to configure the circuits according to the configuration data to form the service function circuit and the authorization circuit corresponding to the service function circuit, to place the service function circuit in a waiting state, and to place the authorization circuit in the working state; when the service function circuit needs to operate, the authorization circuit corresponding to that service function circuit is used to initiate a service request to the coprocessor, to receive the key seed and the authorization information ciphertext, and, after decrypting the authorization information with the key seed to obtain the authorization information plaintext, to authorize its corresponding service function circuit to enter the working state; the coprocessor is used to generate a key seed according to the service request, to send the key seed to the microprocessor and to the authorization circuit, and to send the service request to the microprocessor; the microprocessor is used to generate authorization information according to the service request, to encrypt the authorization information with the key seed to obtain authorization information ciphertext, and to send the authorization information ciphertext to the authorization circuit.
  10. The system according to claim 9, characterized in that the first configuration information includes the function level information of the service function circuits it configures, and the second configuration information includes the correspondence under which service function circuits of different levels correspond to different authorization circuits and service function circuits of the same level correspond to the same authorization circuit.
  11. The system according to claim 10, characterized in that the service request includes the function level information of the service function circuit to which the authorization circuit corresponds; the coprocessor is used to generate a corresponding unique key seed according to the function level information in the service request.
  12. The system according to claim 11, characterized in that the microprocessor is used to verify whether the key seed repeats the previously received key seed and, if it repeats, to generate authorization information according to the service information, encrypt the authorization information with the key seed, and send the authorization information ciphertext to the authorization circuit; the authorization information includes the data format, length and encryption mode of the processing results provided by the authorization circuit.
  13. The system according to claim 12, characterized in that, after the authorization circuit has decrypted the authorization information with the key seed to obtain the authorization information plaintext and has authorized its corresponding service function circuit to start working, it is also used to send the processing results of the service function circuit to the microprocessor in the data format, length and encryption mode required by the microprocessor.
  14. The system according to claim 13, characterized in that the authorization circuit is used to send a service completion message to the microprocessor after sending the processing results to the microprocessor in the data format, length and encryption mode required by the microprocessor; the microprocessor is used to clear its cached data after receiving the service completion message.
  15. The system according to any one of claims 9-14, characterized by further comprising a peripheral encryption chip, the peripheral encryption chip including a second key unit and a second check code generation unit; the configuration module of the FPGA chip includes: a configuration unit, a random number generation unit, a first key unit, a first check code generation unit and a comparison unit; the configuration unit is used to configure the circuits according to the configuration data to form the service function circuit and the authorization circuit corresponding to the service function circuit, placing the service function circuit and the authorization circuit in a waiting state; the random number generation unit is used to generate a random number and send the random number to the peripheral encryption chip and to the first check code generation unit; the first key unit holds the built-in first key, and the first check code generation unit is used to generate a first check code from the built-in first key and the random number; the comparison unit is used to receive the second check code sent by the peripheral encryption chip and to compare the first check code with the second check code and, when the two match, to place the authorization circuit in the working state; the second key unit holds the built-in second key, and the second check code generation unit is used to generate a second check code from the built-in second key and the random number and to send the second check code to the comparison unit.
  16. 16.根据权利要求9-14任一项所述的系统,其特征在于,所述FPGA芯片的配置模块包括配置单元以及解密单元,所述配置数据为加密配置数据;所述解密单元用于对加密配置数据解密,所述配置单元用于对电路进行配置,以形成业务功能电路和与业务功能电路对应的授权电路,并使所述业务功能电路处于等待状态,将所述授权电路置于工作状态。 16. The system according to any of claims 9-14, wherein said module comprises a configuration of the FPGA chip and a decryption unit configuration unit, the configuration data are encrypted configuration data; a decrypting unit configured to decrypting the encrypted configuration data, the configuration unit configured to configure a circuit to form functional circuits and a service circuit corresponding to the authorized business function circuit, and the service function circuit is in a wait state, the circuit is put into an operational authorization status.
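The power-on handshake of claim 15, modelled in Python as an added example (not code from the patent or its applicant). Assumptions: the claim names no algorithm, so HMAC-SHA256 stands in for the check code function; the 16-byte random number, its single-use handling, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

WAITING, WORKING = "waiting", "working"


def check_code(key: bytes, random_number: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the check code function the claim leaves open.
    return hmac.new(key, random_number, hashlib.sha256).digest()


class PeripheralEncryptionChip:
    """Second key unit plus second check code generating unit."""

    def __init__(self, second_key: bytes):
        self._second_key = second_key

    def respond(self, random_number: bytes) -> bytes:
        return check_code(self._second_key, random_number)


class FpgaConfigModule:
    """Random number, first key, first check code and comparison units."""

    def __init__(self, first_key: bytes):
        self._first_key = first_key
        self.service_circuit = WAITING        # state set by the configuration unit
        self.authorization_circuit = WAITING  # state set by the configuration unit
        self._pending = None

    def new_random_number(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def compare(self, second_check_code: bytes) -> bool:
        if self._pending is None:  # no outstanding random number to answer
            return False
        first = check_code(self._first_key, self._pending)
        self._pending = None       # assumption: a random number is used once
        if hmac.compare_digest(first, second_check_code):  # constant-time compare
            self.authorization_circuit = WORKING
            return True
        return False


def power_on_check(fpga: FpgaConfigModule, chip: PeripheralEncryptionChip) -> str:
    fpga.compare(chip.respond(fpga.new_random_number()))
    return fpga.authorization_circuit
```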
CN 201410258908 2014-06-11 2014-06-11 Programmable gate array based on an encryption method and system for chip static random access memory CN104035890B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201410258908 CN104035890B (en) 2014-06-11 2014-06-11 Programmable gate array based on an encryption method and system for chip static random access memory

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201410258908 CN104035890B (en) 2014-06-11 2014-06-11 Programmable gate array based on an encryption method and system for chip static random access memory

Publications (2)

Publication Number Publication Date
CN104035890A (en) 2014-09-10
CN104035890B (en) 2017-02-15

Family

ID=51466662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201410258908 CN104035890B (en) 2014-06-11 2014-06-11 Programmable gate array based on an encryption method and system for chip static random access memory

Country Status (1)

Country Link
CN (1) CN104035890B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105897410A (en) * 2014-12-08 2016-08-24 深圳市创成微电子有限公司 Audio frequency chip spi communication encryption method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010117968A (en) * 2008-11-14 2010-05-27 National Institute Of Advanced Industrial Science & Technology System and method for protecting logic program data of reconfigurable logic device
CN101854243A (en) * 2010-04-30 2010-10-06 株洲南车时代电气股份有限公司 Circuit system design encryption circuit and encryption method thereof
CN103593622A (en) * 2013-11-05 2014-02-19 浪潮集团有限公司 FPGA-based design method of safe and trusted computer

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8516268B2 (en) * 2010-08-23 2013-08-20 Raytheon Company Secure field-programmable gate array (FPGA) architecture
US9230091B2 (en) * 2012-06-20 2016-01-05 Microsoft Technology Licensing, Llc Managing use of a field programmable gate array with isolated components

Also Published As

Publication number Publication date Type
CN104035890A (en) 2014-09-10 application

Similar Documents

Publication Publication Date Title
US20060072762A1 (en) Stateless hardware security module
US20060072748A1 (en) CMOS-based stateless hardware security module
US20030223585A1 (en) Methods and apparatus for performing encryption and authentication
CN101005361A (en) Server and software protection method and system
US20020083332A1 (en) Creation and distribution of a secret value between two devices
CN101345619A (en) Electronic data protection method and device based on biological characteristic and mobile cryptographic key
CN101056166A (en) A method for improving the data transmission security
US20100067689A1 (en) Computing platform with system key
CN102427449A (en) Trusted mobile storage method based on security chips
CN102412967A (en) Data transmission system and method
CN101719205A (en) Digital copyright management method and system
JP2005102163A (en) Equipment authentication system, server, method and program, terminal and storage medium
JP2013106162A (en) Storage media, host device, memory device, and system
CN1702999A (en) A method for backup and recovery of encryption key
CN101582109A (en) Data encryption method and device, data decryption method and device and solid state disk
US20140093083A1 (en) System, device, and method for securing voice authentication and end-to-end speech interaction
US20100027790A1 (en) Methods for authenticating a hardware device and providing a secure channel to deliver data
JP2004038445A (en) Ic card and encryption method for the same
CN101122942A (en) Data safe reading method and its safe storage device
CN1698309A (en) Device authentication system
CN101977190A (en) Digital content encryption transmission method and server side
US20060115081A1 (en) Method and apparatus for security over multiple interfaces
US8953790B2 (en) Secure generation of a device root key in the field
CN103236930A (en) Data encryption method and system
CN103491094A (en) Rapid identity authentication method based on C/S mode

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model