CN104463026B - System and method for preventing hardware board copying - Google Patents

Publication number
CN104463026B
Authority
CN
China
Legal status
Active
Application number
CN201410741935.5A
Other languages
Chinese (zh)
Other versions
CN104463026A (en
Inventor
龚明杨
陈毅成
吴水源
张明宇
Current Assignee
Wuhan ruinajie Semiconductor Co.,Ltd.
Original Assignee
SHENZHEN ZHONGKE XUNLIAN TECHNOLOGY Co Ltd
Application filed by SHENZHEN ZHONGKE XUNLIAN TECHNOLOGY Co Ltd
Priority to CN201410741935.5A
Publication of CN104463026A
Application granted
Publication of CN104463026B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/76 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
    • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers

Abstract

The invention belongs to the field of copyright protection for hardware products, and in particular relates to a system and method for preventing hardware board copying. The system includes a hardware product master controller and an integrated circuit (IC) chip. The hardware product master controller calculates MAC data from random data and a stored key, and sends the random data to the IC chip. The IC chip calculates another MAC data from the random data sent by the hardware product master controller and returns that MAC data to the hardware product master controller. The hardware product master controller judges whether the two MAC data are equal: if they are equal, authentication passes and the hardware product master controller continues executing; if they are not equal, authentication fails and the hardware product master controller resets the system or enters an infinite loop. The invention prevents cloning by means of two-way authentication and greatly improves the security level of the hardware product.

Description

A system and method for preventing hardware board copying
Technical field
The invention belongs to the field of copyright protection for hardware products, and in particular relates to a system and method for preventing hardware board copying.
Background
A hardware product consists of hardware and the software code fixed in the hardware's memory. Using reverse engineering, the corresponding hardware product can easily be cloned, which harms the interests of the original product manufacturer, the supplier and the R&D company and is detrimental to the healthy development of the industry. In the prior art, the common board-copying and cloning methods are the following:
1) The operating code is stored in a non-volatile memory such as board-level Flash. This memory is persistent and still retains its contents when power is lost. The memory of the original product is removed and placed in a specific reader, which can read all the data stored inside the memory; the data read out is then programmed into the memory of the cloned hardware board, completing the copy of the whole hardware product and harming the interests of the original product manufacturer.
2) For complex system products (made up of multiple PCB boards, with each PCB connected to the main control board through interface protocols such as PCI/PCIE/SATA/PC104), some boards are highly integrated and very costly to copy, while other boards are very cheap to copy. A malicious competitor may replace one or more of the PCBs to harm the interests of the product vendor.
3) Many companies have no manufacturing plant of their own and hand production over to third-party foundries. The company completes the product design and gives the PCB schematics and the corresponding software code to the foundry for production and program burning. The R&D company cannot strictly control the quantity the foundry actually produces, so the foundry may use the schematics and software code to produce extra products and put them on the market, harming the interests of the R&D company.
4) In the fast-moving consumer market, product functions are relatively simple and the code size is small enough to be stored inside the main control chip. Because the software is stored in the main control chip and no port is exposed outside the chip, the code in the memory cannot be read directly. The situation described in 1) does not occur, but the situation described in 3) often does.
Summary of the invention
The invention provides a system and method for preventing hardware board copying, intended to solve the technical problem that existing hardware products are easily cloned through reverse engineering, which harms the interests of the original product and is detrimental to the development of the industry.
The invention is realized as follows: a system for preventing hardware board copying includes a hardware product master controller and an integrated circuit (IC) chip. The hardware product master controller calculates MAC data from random data and a stored key, and sends the random data to the IC chip. The IC chip calculates another MAC data from the random data sent by the hardware product master controller and returns that MAC data to the hardware product master controller. The hardware product master controller judges whether the two MAC data are equal: if they are equal, authentication passes and the hardware product master controller continues executing; if they are not equal, authentication fails and the hardware product master controller resets the system or enters an infinite loop.
The technical solution adopted by the embodiment of the invention further includes: the hardware product master controller includes a memory module, an AES/SHA algorithm module, a data transmitting module, a data read module and a first data judge module;
The memory module stores the original key needed for authentication;
The AES/SHA algorithm module calls the AES/SHA algorithm to calculate MAC data from the random data produced by the hardware product master controller and the stored key;
The data transmitting module sends the random data used to calculate the MAC data, and/or the MAC data, to the IC chip;
The data read module reads the MAC data or parameter data returned by the IC chip;
The first data judge module judges whether the MAC data calculated by the AES/SHA algorithm module is equal to the MAC data returned by the IC chip. If they are equal, authentication passes and the hardware product master controller continues executing; if they are not equal, authentication fails and the hardware product master controller resets the system or enters an infinite loop.
The technical solution adopted by the embodiment of the invention further includes: the IC chip includes a memory, an initialize-user-ID micro-instruction module, an initialize-device-data micro-instruction module, an initialize-key micro-instruction module, a host-legitimacy authentication micro-instruction module and a third data judge module;
The memory stores the serial number of the hardware product, the original key needed for authentication and the parameter data required for the system to boot and work normally;
The initialize-user-ID micro-instruction module, the initialize-device-data micro-instruction module and the initialize-key micro-instruction module are used to initialize the IC chip;
The host-legitimacy authentication micro-instruction module starts the AES/SHA hardware engine with the random data and/or MAC data sent by the hardware product master controller, calculates MAC data, and returns the MAC data to the hardware product master controller;
The third data judge module judges whether the MAC data calculated by the host-legitimacy authentication micro-instruction module matches the MAC data sent by the hardware product master controller. If they match, the parameter data pre-stored in the memory is returned to the hardware product master controller; if they do not match, all FF or all 0 is returned to the hardware product master controller.
The technical solution adopted by the embodiment of the invention further includes: the hardware product master controller also includes a second data judge module. The second data judge module decrypts the parameter data returned by the IC chip with a preset decryption algorithm, recovers the original data, and judges whether the returned parameter data is correct. If the returned parameter data is correct, the corresponding boot function is configured according to the parameter data and the hardware product works normally; if the returned parameter data is incorrect, the hardware product master controller cannot boot and work normally.
The technical solution adopted by the embodiment of the invention further includes: the hardware product master controller also includes a key update module, and the IC chip also includes an update-key micro-instruction module;
The key update module, at regular intervals, calculates a new key inside the hardware product master controller with the AES/SHA algorithm from the original key, random data and a part of the device data, and updates the original key in the memory module;
The update-key micro-instruction module, at regular intervals, calculates a new key from the original key stored in the memory, the random data brought by the hardware product master controller and a part of the device data, and updates the original key in the memory.
The technical solution adopted by the embodiment of the invention further includes: the IC chip also includes an update-device-data micro-instruction module and a read-device-data micro-instruction module. Both modules require that authentication between the IC chip and the hardware product master controller has passed before data can be read or written between them.
Another technical solution adopted by the embodiment of the invention is a method for preventing hardware board copying, including:
Step a: The hardware product master controller produces random data, calculates MAC1 data from the random data and the stored key, and sends the random data used to calculate MAC1 to the IC chip;
Step b: The random data sent by the hardware product master controller starts the AES/SHA hardware engine in the IC chip, which calculates MAC2 data from the random data; the IC chip returns the MAC2 data or parameter data to the hardware product master controller;
Step c: The hardware product master controller reads the MAC2 data and judges whether the MAC1 data and MAC2 data are equal. If they are equal, authentication passes and the hardware product master controller continues executing; if they are not equal, authentication fails and the hardware product master controller resets the system or enters an infinite loop. Alternatively, the hardware product master controller reads the parameter data returned by the IC chip and judges whether it is the correct parameter data. If the returned parameter data is not correct, the hardware product master controller cannot boot and work normally; if it is correct, the corresponding boot function is configured according to the parameter data and the hardware product master controller continues executing.
The technical solution adopted by the embodiment of the invention further includes: in step b, if what the IC chip returns is parameter data, step c further includes: if the MAC1 data and MAC2 data are equal, the hardware product master controller goes on to produce random data, calls the AES/SHA algorithm to calculate MAC3 data from that random data and the stored key, and sends the random data used to calculate the MAC3 data together with the MAC3 data to the IC chip. The IC chip calculates MAC4 data from that random data and judges whether the MAC4 data matches the MAC3 data. If they match, the parameter data pre-stored in the IC chip memory is returned to the hardware product master controller; if they do not match, all FF or all 0 is returned to the hardware product master controller.
The technical solution adopted by the embodiment of the invention further includes: in step c, the parameter data returned by the IC chip can be encrypted data or non-encrypted data. If the returned parameter data is encrypted, the hardware product master controller decrypts the returned data according to a preset decryption algorithm and recovers the original data.
The technical solution adopted by the embodiment of the invention further includes, after step c: at regular intervals, the hardware product master controller and the IC chip update the original key according to the agreed key update mode and authenticate each other again according to the legal serial number and the updated key. If authentication passes, the hardware product works normally; if authentication does not pass, the hardware product master controller stops working and shuts down immediately.
In the system and method for preventing hardware board copying of the embodiment of the invention, the serial number of the hardware product and the original key needed for authentication are registered to the IC chip. At system boot, the hardware product master controller and the IC chip authenticate each other. If authentication passes, the hardware product master controller continues executing; if it does not pass, the hardware product master controller resets the system or enters an infinite loop. At regular intervals the key is updated according to the legal serial number and the key update mode agreed with the IC chip, and mutual authentication is performed again with the updated key. When authentication passes, the hardware product works normally; when it does not pass, the hardware product master controller stops working and shuts down immediately. The invention prevents cloning by means of two-way authentication and greatly improves the security level of the hardware product.
Brief description of the drawings
Fig. 1 is a structural diagram of the system for preventing hardware board copying of the embodiment of the invention;
Fig. 2 is a flow chart of the method for preventing hardware board copying of the first embodiment of the invention;
Fig. 3 is a flow chart of the method for preventing hardware board copying of the second embodiment of the invention.
Embodiments
In order to make the purpose, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and are not intended to limit it.
Fig. 1 is a structural diagram of the system for preventing hardware board copying of the embodiment of the invention. The system includes a hardware product master controller and an integrated circuit (IC) chip. The hardware product master controller calculates MAC (Media Access Control, address) data with an authentication algorithm from random data and a stored key, and sends the random data to the IC chip. The IC chip calculates another MAC data from the random data with the authentication algorithm and returns that MAC data to the hardware product master controller. The hardware product master controller judges whether the two MAC data are equal: if they are equal, authentication passes and the hardware product master controller continues executing; if they are not equal, authentication fails and the hardware product master controller resets the system or enters an infinite loop. The authentication algorithm includes AES (Advanced Encryption Standard) or SHA (Secure Hash Algorithm), and the hardware product master controller can be a DSP, FPGA, 8051, ARM, etc.
There are two authentication modes by which the hardware product master controller and the IC chip authenticate each other; the mode can be selected according to the specific application scenario:
Authentication mode 1: The hardware product master controller produces random data, calls the AES/SHA algorithm to calculate MAC1 data from the random data and the stored key, and sends the random data used to calculate MAC1 to the IC chip. The random data sent by the hardware product master controller starts the AES/SHA hardware engine in the IC chip, which calls the AES/SHA algorithm to calculate MAC2 data from the random data; the IC chip returns the MAC2 data to the hardware product master controller. The hardware product master controller reads the MAC2 data and judges whether the MAC1 data and MAC2 data are equal. If they are equal, authentication passes and the hardware product master controller continues executing; if they are not equal, authentication fails and the hardware product master controller resets the system or enters an infinite loop.
Authentication mode 2: The important parameter data required for the system to boot and work normally is pre-stored in the IC chip memory. The hardware product master controller produces random data, calls the AES/SHA algorithm to calculate MAC1 data from the random data and the stored key, and sends the random data used to calculate MAC1 to the IC chip. The random data sent by the hardware product master controller starts the AES/SHA hardware engine in the IC chip, which calls the AES/SHA algorithm to calculate MAC2 data from the random data; the IC chip returns the MAC2 data to the hardware product master controller. The hardware product master controller reads the MAC2 data and judges whether the MAC1 data and MAC2 data are equal. If they are not equal, authentication fails and the hardware product master controller resets the system or enters an infinite loop. If they are equal, authentication passes, and the hardware product master controller goes on to produce another random data, calls the AES/SHA algorithm to calculate MAC3 data from that random data and the stored key, and sends the random data used to calculate the MAC3 data together with the MAC3 data to the IC chip. The IC chip calculates MAC4 data from that random data and judges whether the MAC4 data matches the MAC3 data. If they match, the parameter data pre-stored in the IC chip memory is returned to the hardware product master controller; if they do not match, all FF or all 0 is returned to the hardware product master controller. After reading the data returned by the IC chip, the hardware product master controller decrypts the returned data with a preset decryption algorithm, recovers the original data, and judges whether the returned data is the correct parameter data. If it is, the corresponding boot function is configured according to the parameter data and the hardware product works normally; if it is not, the hardware product master controller cannot boot and work normally. The parameter data pre-stored in the IC chip memory can be encrypted data or non-encrypted data, selected by the hardware product master controller according to the required security level.
Specifically, the hardware product master controller includes a memory module, an AES/SHA algorithm module, a data transmitting module, a data read module, a first data judge module, a second data judge module and a key update module, where the memory module, the AES/SHA algorithm module and the key update module are software functions;
The memory module stores the original key needed for authentication. In the embodiment of the invention, the hardware product master controller's key storage mechanism is implemented differently for different security levels; where a high security level is required, the hardware product master controller encrypts the key first and then stores it;
The AES/SHA algorithm module calculates MAC data from the random data produced by the hardware product master controller and the stored key. The hardware product master controller implements the same AES/SHA algorithm as the IC chip in software; the software runs as an APP, and the authentication function APP is run at boot;
The data transmitting module sends the random data used to calculate the MAC data, and/or the MAC data, to the IC chip;
The data read module reads the MAC data or parameter data returned by the IC chip;
The first data judge module judges whether the MAC data calculated by the AES/SHA algorithm module is equal to the MAC data returned by the IC chip. If they are equal, authentication passes and the hardware product master controller continues executing; if they are not equal, authentication fails and the hardware product master controller resets the system or enters an infinite loop;
The second data judge module decrypts the parameter data returned by the IC chip with a preset decryption algorithm, recovers the original data, and judges whether the returned parameter data is correct. If the returned parameter data is correct, the corresponding boot function is configured according to the parameter data and the hardware product works normally; if it is incorrect, the hardware product master controller cannot boot and work normally;
The key update module, at regular intervals, updates the original key in the memory module according to the key update mode agreed with the IC chip. The key update mode is: a new key is calculated inside the hardware product master controller with the AES/SHA algorithm from the original key, random data and a part of the device data. The hardware product master controller then authenticates mutually with the IC chip again according to the legal serial number and the updated key. When authentication passes, the hardware product works normally; when it does not pass, the hardware product master controller stops working and shuts down immediately. The new key is cleared after authentication completes; the next time it is needed, it is loaded from the memory module again and decrypted before use. By updating the key at regular intervals and authenticating again, the invention effectively raises the security level. The authentication interval can be set according to the security level: the higher the security level, the shorter the interval.
The IC chip includes a memory, an initialize-user-ID micro-instruction module, an initialize-device-data micro-instruction module, an initialize-key micro-instruction module, a host-legitimacy authentication micro-instruction module, a third data judge module, an update-key micro-instruction module, an update-device-data micro-instruction module and a read-device-data micro-instruction module;
The memory stores the serial number of the hardware product, the original key needed for authentication and data such as the parameters required for the system to boot and work normally. The serial number of the hardware product and the original key needed for authentication are first registered into the IC chip memory to obtain the legal right of use. While the hardware product is running, at regular intervals, mutual authentication is performed according to the legal serial number and the key updated by the key update mode agreed with the IC chip. The memory is non-volatile, so its contents are not lost on power-down. The parameter data pre-stored in the memory can be encrypted data or non-encrypted data, selected by the hardware product master controller according to the required security level;
The initialize-user-ID micro-instruction module, the initialize-device-data micro-instruction module and the initialize-key micro-instruction module are used to initialize the IC chip. After initialization completes, the IC chip automatically masks these three micro-instruction modules; once masked, they cannot be used again, whether after a restart or after re-powering, to ensure the security of the IC chip. These three modules are not operated by the hardware product master controller; initialization is completed by burning software before the IC chip is soldered to the PCB, so the hardware product master controller cannot change it again and does not need to retain the corresponding software APP;
The host-legitimacy authentication micro-instruction module starts the AES/SHA hardware engine with the random data and/or MAC data sent by the hardware product master controller, calculates MAC data, and returns the MAC data to the hardware product master controller;
The third data judge module judges whether the MAC data calculated by the host-legitimacy authentication micro-instruction module matches the MAC data sent by the hardware product master controller. If they match, the parameter data pre-stored in the memory is returned to the hardware product master controller; if they do not match, all FF or all 0 is returned to the hardware product master controller;
The update-key micro-instruction module, at regular intervals, updates the original key in the memory according to the agreed key update mode. The key update mode is: a new key is calculated from the original key stored in the memory, the random data brought by the hardware product master controller and a part of the device data. The IC chip then authenticates mutually with the hardware product master controller again according to the legal serial number and the updated key. The security of the AES/SHA algorithm rests entirely on the key: the original key stored in the IC chip memory is unreadable and can only be updated through the update-key micro-instruction module, and the updated key is also unreadable;
The update-device-data micro-instruction module and the read-device-data micro-instruction module require that authentication between the IC chip and the hardware product master controller has passed (the MAC data that the IC chip calculates with the AES/SHA engine matches the MAC data sent by the hardware product master controller) before data can be read or written between them.
Referring to Fig. 2, which is a flowchart of the hardware anti-cloning method of the first embodiment of the present invention. The hardware anti-cloning method of the first embodiment of the present invention comprises the following steps:
Step 100: Pre-store data such as the serial number of the hardware product, the primary key needed for authentication and the parameters required for normal system boot in the IC chip memory;
Step 110: The hardware product master controller generates random data, calls the AES/SHA algorithm to calculate MAC1 data from the random data and the stored key, and sends the random data used to calculate MAC1 to the IC chip;
Step 120: The random data transmitted by the hardware product master controller starts the AES/SHA hardware engine in the IC chip, which calls the AES/SHA algorithm to calculate MAC2 data from the random data and returns the MAC2 data to the hardware product master controller;
Step 130: The hardware product master controller reads the MAC2 data and judges whether the MAC1 data and the MAC2 data are equal. If they are unequal, step 140 is performed; if they are equal, step 150 is performed;
Step 140: Authentication fails, and the hardware product master controller resets the system or enters an endless loop;
Step 150: Authentication passes, and the hardware product master controller continues executing;
Step 160: At regular intervals, the hardware product master controller and the IC chip update the primary key according to the agreed key update mode and authenticate each other again according to the legal serial number and the updated key. If authentication passes, step 170 is performed; if authentication does not pass, step 180 is performed;
In step 160, the key update mode is: the hardware product master controller calculates a new key inside the hardware product master controller by the AES/SHA algorithm from the primary key, the random data and a part of the device data; the IC chip calculates a new key from the primary key stored in its memory, the random data brought by the hardware product master controller and a part of the device data.
Step 170: The hardware product works normally;
Step 180: The hardware product master controller stops working and shuts down immediately.
Referring to Fig. 3, which is a flowchart of the hardware anti-cloning method of the second embodiment of the present invention. The hardware anti-cloning method of the second embodiment of the present invention comprises the following steps:
Step 200: Pre-store data such as the serial number of the hardware product, the primary key needed for authentication and the parameters required for normal system boot in the IC chip memory;
In step 200, the parameter data pre-stored in the IC chip memory may be encrypted data or non-encrypted data; the hardware product master controller can select between them according to different security levels.
Step 210: The hardware product master controller generates random data, calls the AES/SHA algorithm to calculate MAC1 data from the random data and the stored key, and sends the random data used to calculate MAC1 to the IC chip;
Step 220: The random data transmitted by the hardware product master controller starts the AES/SHA hardware engine in the IC chip, which calls the AES/SHA algorithm to calculate MAC2 data from the random data and returns the MAC2 data to the hardware product master controller;
Step 230: The hardware product master controller reads the MAC2 data and judges whether the MAC1 data and the MAC2 data are equal. If they are unequal, step 240 is performed; if they are equal, step 250 is performed;
Step 240: The hardware product master controller resets the system or enters an endless loop;
Step 250: The hardware product master controller generates further random data, calls the AES/SHA algorithm to calculate MAC3 data from the random data and the stored key, and sends the random data used to calculate the MAC3 data together with the MAC3 data to the IC chip;
Step 260: The IC chip calculates MAC4 data from the random data and judges whether the MAC4 data matches the MAC3 data. If they do not match, step 270 is performed; if they match, step 280 is performed;
Step 270: All FF or all 0 is returned to the hardware product master controller, and step 290 is performed;
Step 280: The parameter data pre-stored in the IC chip memory is returned to the hardware product master controller;
Step 290: The hardware product master controller reads the data returned by the IC chip, decrypts the returned data according to the preset decryption algorithm to recover the original data, and judges whether the returned data is the correct parameter data. If the returned data is not the correct parameter data, step 300 is performed; if the returned data is the correct parameter data, step 310 is performed;
Step 300: Authentication fails, and the hardware product master controller cannot boot and work normally;
Step 310: The corresponding power-on functions are configured according to the parameter data, and the hardware product master controller continues executing;
Step 320: At regular intervals, the hardware product master controller and the IC chip update the primary key according to the agreed key update mode and authenticate each other again according to the legal serial number and the updated key. If authentication passes, step 330 is performed; if authentication does not pass, step 340 is performed;
In step 320, the key update mode is: the hardware product master controller calculates a new key inside the hardware product master controller by the AES/SHA algorithm from the primary key, the random data and a part of the device data; the IC chip calculates a new key from the primary key stored in its memory, the random data brought by the hardware product master controller and a part of the device data.
Step 330: The hardware product works normally;
Step 340: The hardware product master controller stops working and shuts down immediately.
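The exchange of the second embodiment (steps 200 to 340, which include the first embodiment's challenge and response) can be simulated as follows; this is an added sketch, not code from the patent. HMAC-SHA256 stands in for the unspecified AES/SHA MAC, and the sample values, the domain-separation labels, the inclusion of the serial number in the MAC input and the digest check on returned parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample values (not from the patent).
SERIAL = b"SN-0001"
ROOT_KEY = bytes(range(32))
PARAMS = b"\x01\x40\x00\x10"      # boot parameters held by the chip
DEVICE_DATA = b"board-rev-A"

def mac(key, label, *parts):
    """HMAC-SHA256 (assumed). The label separates the two directions so a
    MAC2 returned by the chip can never be replayed to it as a valid MAC3."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

class AuthChip:
    """Companion IC chip: the key stays inside and is never read out."""

    def __init__(self, serial, key, params, device_data):
        self._serial, self._key = serial, key
        self._params, self._dev = params, device_data

    def authenticate_host(self, rnd):
        # Step 220: compute MAC2 over the host's random data.
        return mac(self._key, b"chip", self._serial, rnd)

    def read_params(self, rnd, mac3):
        # Steps 260-280: verify MAC3, then release parameters or all FF.
        mac4 = mac(self._key, b"host", self._serial, rnd)
        if hmac.compare_digest(mac4, mac3):
            return self._params
        return b"\xff" * len(self._params)

    def update_key(self, rnd):
        # Step 320, chip side: old key + random data + device data.
        self._key = mac(self._key, b"rkey", rnd, self._dev)

class HostController:
    """Hardware product master controller."""

    def __init__(self, serial, key, params_digest, device_data):
        self._serial, self._key = serial, key
        self._digest, self._dev = params_digest, device_data

    def boot(self, chip):
        rnd1 = os.urandom(16)                              # step 210
        mac1 = mac(self._key, b"chip", self._serial, rnd1)
        if not hmac.compare_digest(mac1, chip.authenticate_host(rnd1)):
            return "halt"                                  # step 240
        rnd2 = os.urandom(16)                              # step 250
        mac3 = mac(self._key, b"host", self._serial, rnd2)
        data = chip.read_params(rnd2, mac3)
        if not hmac.compare_digest(hashlib.sha256(data).digest(), self._digest):
            return "no-boot"                               # step 300
        return "running"                                   # step 310

    def rekey(self, chip):
        rnd = os.urandom(16)                               # step 320
        self._key = mac(self._key, b"rkey", rnd, self._dev)
        chip.update_key(rnd)
        return self.boot(chip)     # authenticate again with the new key

def demo():
    digest = hashlib.sha256(PARAMS).digest()
    host = HostController(SERIAL, ROOT_KEY, digest, DEVICE_DATA)
    genuine = AuthChip(SERIAL, ROOT_KEY, PARAMS, DEVICE_DATA)
    clone = AuthChip(SERIAL, bytes(32), PARAMS, DEVICE_DATA)  # wrong key
    return host.boot(genuine), host.boot(clone), host.rekey(genuine)

if __name__ == "__main__":
    print(demo())
```

After `rekey`, a chip that still holds the old key fails step 230, which is how the periodic update invalidates a copy made from earlier state.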
In the system and method for hardware anti-cloning of the embodiments of the present invention, the serial number of the hardware product and the primary key needed for authentication are registered in the IC chip. At system boot, the hardware product master controller and the IC chip authenticate each other: if authentication passes, the hardware product master controller continues executing; if authentication does not pass, the hardware product master controller resets the system or enters an endless loop. At regular intervals the key is updated according to the legal serial number and the key update mode agreed with the IC chip, and mutual authentication is performed again with the updated key: when authentication passes, the hardware product works normally; when authentication does not pass, the hardware product master controller stops working and shuts down immediately. By means of two-way authentication, the present invention prevents cloning and copying and greatly improves the security level of the hardware product.
The foregoing is merely a description of preferred embodiments of the present invention and is not intended to limit the invention. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (7)

1. A system for hardware anti-cloning, characterized in that it comprises a hardware product master controller and an IC chip. The hardware product master controller is used to calculate MAC data from random data and a stored key and to send the random data to the IC chip; the IC chip is used to calculate another MAC data from the random data transmitted by the hardware product master controller and to return that MAC data to the hardware product master controller; the hardware product master controller judges whether the two MAC data are equal; if the two MAC data are equal, authentication passes and the hardware product master controller continues executing; if the two MAC data are unequal, authentication fails and the hardware product master controller resets the system or enters an endless loop;
The hardware product master controller includes a memory module, an AES/SHA algorithm module, a data transmitting module, a data read module and a first data judging module;
The memory module is used to store the primary key needed for authentication;
The AES/SHA algorithm module is used to call the AES/SHA algorithm to calculate MAC data from the random data produced by the hardware product master controller and the stored key;
The data transmitting module is used to send the random data used to calculate the MAC data and/or the MAC data to the IC chip;
The data read module is used to read the MAC data or parameter data returned by the IC chip;
The first data judging module is used to judge whether the MAC data calculated by the AES/SHA algorithm module is equal to the MAC data returned by the IC chip; if they are equal, authentication passes and the hardware product master controller continues executing; if they are unequal, authentication fails and the hardware product master controller resets the system or enters an endless loop;
The IC chip includes a memory, an initialize user ID microcommand module, an initialize device data microcommand module, an initialize key microcommand module, a host authentication legitimacy microcommand module and a third data judging module;
The memory is used to store the serial number of the hardware product, the primary key needed for authentication and the parameter data required for normal system boot;
The initialize user ID microcommand module, the initialize device data microcommand module and the initialize key microcommand module are used for initialization of the IC chip;
The host authentication legitimacy microcommand module is used to start the AES/SHA hardware engine with the random data and/or MAC data transmitted by the hardware product master controller, calculate MAC data, and return the MAC data to the hardware product master controller;
The third data judging module is used to judge whether the MAC data calculated by the host authentication legitimacy microcommand module matches the MAC data transmitted by the hardware product master controller; if the two match, the parameter data pre-stored in the memory is returned to the hardware product master controller; if they do not match, all FF or all 0 is returned to the hardware product master controller.
2. The system for hardware anti-cloning according to claim 1, characterized in that the hardware product master controller also includes a second data judging module, which is used to decrypt the parameter data returned by the IC chip with a preset decryption algorithm to recover the original data, and to judge whether the returned parameter data is correct; if the returned parameter data is correct, the corresponding power-on functions are configured according to the parameter data and the hardware product works normally; if the returned parameter data is incorrect, the hardware product master controller cannot boot and work normally.
3. The system for hardware anti-cloning according to claim 1, characterized in that the hardware product master controller also includes a key update module, and the IC chip also includes an update key microcommand module;
The key update module is used to calculate, at regular intervals, a new key inside the hardware product master controller by the AES/SHA algorithm from the primary key, random data and a part of the device data, and thereby to update the primary key in the memory module;
The update key microcommand module is used to calculate, at regular intervals, a new key from the primary key stored in the memory, the random data brought by the hardware product master controller and a part of the device data, and thereby to update the primary key in the memory.
4. The system for hardware anti-cloning according to claim 1, characterized in that the IC chip also includes an update device data microcommand module and a read device data microcommand module; the update device data microcommand module and the read device data microcommand module require that data can be read or written between the IC chip and the hardware product master controller only after authentication between them has passed.
5. A method for hardware anti-cloning, including:
Step a: The hardware product master controller generates random data, calculates MAC1 data from the random data and the stored key, and sends the random data used to calculate MAC1 to the IC chip;
Step b: The random data transmitted by the hardware product master controller starts the AES/SHA hardware engine in the IC chip, which calculates MAC2 data from the random data and returns the MAC2 data to the hardware product master controller;
Step c: The hardware product master controller reads the MAC2 data and judges whether the MAC1 data and the MAC2 data are equal; if they are equal, authentication passes and the hardware product master controller continues executing; if they are unequal, authentication fails and the hardware product master controller resets the system or enters an endless loop;
Step c also includes: if the MAC1 data and the MAC2 data are equal, the hardware product master controller generates further random data, calls the AES/SHA algorithm to calculate MAC3 data from the random data and the stored key, and sends the random data used to calculate the MAC3 data together with the MAC3 data to the IC chip; the IC chip calculates MAC4 data from the random data and judges whether the MAC4 data matches the MAC3 data; if the MAC4 data matches the MAC3 data, the parameter data pre-stored in the IC chip memory is returned to the hardware product master controller; the hardware product master controller reads the parameter data returned by the IC chip and judges whether the returned parameter data is the correct parameter data; if the returned parameter data is not the correct parameter data, the hardware product master controller cannot boot and work normally; if the returned parameter data is the correct parameter data, the corresponding power-on functions are configured according to the parameter data and the hardware product master controller continues executing; if the MAC4 data does not match the MAC3 data, all FF or all 0 is returned to the hardware product master controller.
6. The method for hardware anti-cloning according to claim 5, characterized in that: in step c, the parameter data returned by the IC chip may be encrypted data or non-encrypted data; if the returned parameter data is encrypted data, the hardware product master controller decrypts the returned data according to the preset decryption algorithm and recovers the original data.
7. The method for hardware anti-cloning according to claim 5, characterized in that it also includes, after step c: at regular intervals, the hardware product master controller and the IC chip update the primary key according to the agreed key update mode and authenticate each other again according to the legal serial number and the updated key; if authentication passes, the hardware product works normally; if authentication does not pass, the hardware product master controller stops working and shuts down immediately.
CN201410741935.5A 2014-12-08 2014-12-08 A kind of system and method for the anti-flight of hardware Active CN104463026B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410741935.5A CN104463026B (en) 2014-12-08 2014-12-08 A kind of system and method for the anti-flight of hardware

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410741935.5A CN104463026B (en) 2014-12-08 2014-12-08 A kind of system and method for the anti-flight of hardware

Publications (2)

Publication Number Publication Date
CN104463026A CN104463026A (en) 2015-03-25
CN104463026B true CN104463026B (en) 2017-11-07

Family

ID=52909045

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410741935.5A Active CN104463026B (en) 2014-12-08 2014-12-08 A kind of system and method for the anti-flight of hardware

Country Status (1)

Country Link
CN (1) CN104463026B (en)


Also Published As

Publication number Publication date
CN104463026A (en) 2015-03-25


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 518055 1407 floor, 14 floor, Fuguang business building, 1 Nanshan District Road, Taoyuan, Shenzhen, Guangdong

Patentee after: Shenzhen Bureau of Polytron Technologies Inc

Address before: 518067 Room 301, B building, No.1 business building, six industrial road, Nanshan District, Shenzhen, Guangdong.

Patentee before: Shenzhen Zhongke Xunlian Technology Co., Ltd

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20210413

Address after: 430000 building 01, building 15, optical valley wisdom Park, No.7, financial port 1st Road, Donghu New Technology Development Zone, Wuhan City, Hubei Province

Patentee after: Wuhan ruinajie Semiconductor Co.,Ltd.

Address before: 518055 1407 floor, 14 floor, Fuguang business building, 1 Nanshan District Road, Taoyuan, Shenzhen, Guangdong

Patentee before: SHENZHEN ZHONGKE XUNLIAN TECHNOLOGY Co.,Ltd.