CN106709360A - Data transmission and storage method and system - Google Patents

Publication number: CN106709360A
Authority: CN (China)
Prior art keywords: key, plaintext, data, ciphertext, receiving terminal
Legal status: Pending
Application number: CN201510790533.9A
Other languages: Chinese (zh)
Inventors: 张志杰, 张昊
Current Assignee: Fuzhou Rockchip Electronics Co Ltd
Original Assignee: Fuzhou Rockchip Electronics Co Ltd
Application filed by Fuzhou Rockchip Electronics Co Ltd
Priority to CN201510790533.9A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The invention provides a data transmission and storage method and system. The data transmission method comprises: encrypting a plaintext and a plaintext digest in a non-secure environment to obtain the corresponding ciphertext data and key; transmitting the ciphertext data to a preset first receiving end in the non-secure environment through a first transmission tool; the preset first receiving end activating a preset second receiving end in a secure environment and transmitting the ciphertext data to the preset second receiving end; encrypting the key through a second transmission tool to form a key file, and transmitting the key file to the second receiving end; decrypting the key file received by the second receiving end to obtain the key in the key file; and decrypting the ciphertext data received by the second receiving end with the obtained key to obtain the corresponding plaintext and plaintext digest, and verifying the integrity of the plaintext according to the plaintext digest. With this data transmission and storage method and system, the key and the ciphertext data are transmitted at different times over different transmission channels, which improves transmission security and increases the difficulty of cracking the plaintext.

Description

A data transmission and storage method and system
Technical field
The present invention relates to the technical field of data management, in particular to the technical field of data transmission and storage, and specifically to a data transmission and storage method and system.
Background art
Arm TrustZone technology is a comprehensive security solution whose security design runs through the processor, bus, system modules, peripherals, operating system and applications, ensuring the security of devices developed with it. TrustZone is tightly coupled with Arm Cortex-A series processors; security information is passed between the whole system and peripheral IP over the AMBA AXI bus, which keeps modules such as memory, the encryption module, the keyboard and the display from being subjected to software attacks.
A device security system developed with TrustZone technology needs to include a TEE (secure execution environment), a secure kernel program, security services and TAs (trusted applications). The device security system is divided into two domains (normal mode and secure mode), so the secure system can be developed independently of the non-secure system. Secure mode runs in an independent memory space and can access all resources of normal mode. Switching between normal mode and secure mode is performed by the security monitoring module (Monitor).
More and more application scenarios need to transfer data from a non-secure environment to a secure environment. At present, two methods are mainly used: the first transfers the data plaintext directly to the secure environment; the second encrypts the plaintext with an encryption algorithm and transfers the key to the secure environment together with the ciphertext. With the first method the data is easily stolen and security is extremely low; with the second method, although what is transmitted is ciphertext, the key is transmitted together with the ciphertext, so security is still not high.
Summary of the invention
In view of the above shortcomings of the prior art, the object of the present invention is to provide a data transmission and storage method and system, to solve the prior-art problem of low security when data is transferred from a non-secure environment to a secure environment.
To achieve the above object and other related objects, the present invention provides a data transmission method for transferring data from a non-secure environment to a secure environment. The data transmission method includes: encrypting the plaintext and the plaintext digest in the non-secure environment, and obtaining the ciphertext data and key corresponding to the encrypted plaintext and plaintext digest; transmitting the ciphertext data through a first transmission tool to a preset first receiving end in the non-secure environment; the preset first receiving end activating a preset second receiving end in the secure environment and transmitting the ciphertext data to the preset second receiving end; encrypting the key through a second transmission tool to form a key file, and transmitting the key file to the second receiving end; decrypting the key file received by the second receiving end to obtain the key in the key file; decrypting the ciphertext data received by the second receiving end according to the obtained key, to obtain the corresponding plaintext and plaintext digest in the ciphertext data; and verifying the integrity of the plaintext according to the plaintext digest.
In one embodiment of the present invention, the first transmission tool transmits over a wired connection.
In one embodiment of the present invention, the second transmission tool transmits over a wireless connection.
In one embodiment of the present invention, the period in which the ciphertext data is transmitted differs from the period in which the key is transmitted.
To achieve the above object, the present invention also provides a data storage method for storing the plaintext and plaintext digest obtained by the above data transmission method, in which the plaintext and plaintext digest in the secure environment are stored into the non-secure environment. The data storage method includes: encrypting the obtained plaintext and plaintext digest with a first key in the secure environment to obtain first encrypted data; encrypting the first encrypted data with a second key in the secure environment to obtain second encrypted data; and writing the obtained second encrypted data to storage in the non-secure environment.
In one embodiment of the present invention, the first key is a random key.
In one embodiment of the present invention, the second key is generated by calling the secure storage interface in the secure environment.
To achieve the above object, the present invention also provides a data transmission system for transferring data from a non-secure environment to a secure environment. The data transmission system includes: an encryption acquisition module, for encrypting the plaintext and the plaintext digest in the non-secure environment and obtaining the ciphertext data and key corresponding to the encrypted plaintext and plaintext digest; a ciphertext transmission module, for transmitting the ciphertext data through a first transmission tool to a preset first receiving end in the non-secure environment, and for using the preset first receiving end to activate a preset second receiving end in the secure environment and transmit the ciphertext data to the preset second receiving end; a key transmission module, for encrypting the key through a second transmission tool to form a key file and transmitting the key file to the second receiving end; a key acquisition module, for decrypting the key file received by the second receiving end to obtain the key in the key file; a plaintext acquisition module, for decrypting the ciphertext data received by the second receiving end according to the obtained key, to obtain the corresponding plaintext and plaintext digest in the ciphertext data; and a verification module, connected to the plaintext acquisition module, for verifying the integrity of the plaintext according to the plaintext digest.
In one embodiment of the present invention, the first transmission tool transmits over a wired connection.
In one embodiment of the present invention, the second transmission tool transmits over a wireless connection.
In one embodiment of the present invention, the period in which the ciphertext transmission module transmits the ciphertext data differs from the period in which the key transmission module transmits the key.
To achieve the above object, the present invention also provides a data storage system for storing the plaintext and plaintext digest obtained by the above data transmission system, in which the plaintext and plaintext digest in the secure environment are stored into the non-secure environment. The data storage system includes: a first encryption module, for encrypting the obtained plaintext and plaintext digest with a first key in the secure environment to obtain first encrypted data; a second encryption module, for encrypting the first encrypted data with a second key in the secure environment to obtain second encrypted data; and a storage writing module, for writing the obtained second encrypted data to storage in the non-secure environment.
In one embodiment of the present invention, the first key is a random key.
In one embodiment of the present invention, the second key is generated by calling the secure storage interface in the secure environment.
As described above, the data transmission and storage method and system of the present invention have the following beneficial effects:
The present invention transmits the key and the ciphertext at different times over different transmission channels, which improves transmission security. Encrypting the plaintext with the Efuse random key and then encrypting it a second time through the secure storage interface before storing it to external space increases the difficulty of cracking the plaintext, and ensures that the ciphertext data each machine stores to external space is different.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the data transmission method of the present invention.
Fig. 2 is a schematic flowchart of the data storage method of the present invention.
Fig. 3 is a detailed schematic flowchart of data transmission and storage according to the present invention.
Fig. 4 is a schematic structural diagram of the data transmission system of the present invention.
Fig. 5 is a schematic structural diagram of the data storage system of the present invention.
Description of reference numerals
1 Data transmission system
11 Encryption acquisition module
12 Ciphertext transmission module
13 Key transmission module
14 Key acquisition module
15 Plaintext acquisition module
16 Verification module
2 Data storage system
21 First encryption module
22 Second encryption module
23 Storage writing module
S11~S17 Steps
S21~S23 Steps
Detailed description of the embodiments
The embodiments of the present invention are described below through specific examples; those skilled in the art can readily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other, different specific embodiments, and the details in this specification can be modified or changed in various ways based on different viewpoints and applications without departing from the spirit of the present invention.
The purpose of this embodiment is to provide a data transmission and storage method and system, to solve the prior-art problem of low security when data is transferred from a non-secure environment to a secure environment. The principle and implementation of the data transmission and storage method and system of this embodiment are described in detail below, so that those skilled in the art can understand them without creative work.
This embodiment provides a data transmission method for transferring data from a non-secure environment to a secure environment. Specifically, as shown in Fig. 1, the data transmission method includes the following steps.
Step S11: encrypt the plaintext and the plaintext digest in the non-secure environment, and obtain the ciphertext data and key corresponding to the encrypted plaintext and plaintext digest.
Step S12: transmit the ciphertext data through the first transmission tool to the preset first receiving end in the non-secure environment.
Step S13: the preset first receiving end activates the preset second receiving end in the secure environment and transmits the ciphertext data to the preset second receiving end.
Step S14: encrypt the key through the second transmission tool to form a key file, and transmit the key file to the second receiving end.
Step S15: decrypt the key file received by the second receiving end to obtain the key in the key file.
Step S16: decrypt the ciphertext data received by the second receiving end according to the obtained key, to obtain the corresponding plaintext and plaintext digest in the ciphertext data.
Step S17: verify the integrity of the plaintext according to the plaintext digest.
Steps S11 to S17 are described in detail below.
Step S11: encrypt the plaintext and the plaintext digest in the non-secure environment, and obtain the ciphertext data and key corresponding to the encrypted plaintext and plaintext digest.
Specifically, in this embodiment, an encryption tool computes the plaintext digest with a digest algorithm and adds the computed plaintext digest to the head of the plaintext. The encryption tool then computes a random key and uses it to encrypt the plaintext digest and the plaintext; at the same time, the encryption tool encrypts the random key with the agreed password, generating the corresponding ciphertext data and key.
Step S12: transmit the ciphertext data through the first transmission tool to the preset first receiving end in the non-secure environment.
Specifically, in this embodiment, the first transmission tool transmits over a wired connection; for example, the first transmission tool transmits over a USB data cable. Specifically, the transmission device, i.e. the first transmission tool, is searched for, and the ciphertext data is transmitted over the USB data cable to the preset first receiving end; in this embodiment, the preset first receiving end is the device-side application CA (client application).
Step S13: the preset first receiving end activates the preset second receiving end in the secure environment and transmits the ciphertext data to the preset second receiving end.
That is, in this embodiment, the device-side application CA (client application) receives the ciphertext packet sent by the client over the USB data cable, and the CA activates the second receiving end in the secure environment; in this embodiment, the second receiving end is a TA (trusted application). The CA passes the ciphertext to the TA.
Step S14: encrypt the key through the second transmission tool to form a key file, and transmit the key file to the second receiving end.
Specifically, in this embodiment, the second transmission tool transmits over a wireless connection. For example, the second transmission tool transmits over a wireless network, specifically a wireless network such as wifi or Zigbee.
In this embodiment, a key-reception request packet is first broadcast to the local area network, and the key-reception response packet from the TA (trusted application), i.e. the second receiving end, is awaited; the receiving target IP is taken from the response packet, and the key packet is transmitted to the TA (trusted application). The TA starts the Wifi service and listens for a key request broadcast on the network; after detecting the key request broadcast, it sends a response packet to the initiator to perform the handshake. The key is transmitted after being encrypted with the agreed password, and the TA (trusted application) obtains the key.
In addition, in this embodiment, the period in which the first transmission tool transmits the ciphertext data differs from the period in which the second transmission tool transmits the key. Because the ciphertext is transmitted over a wired connection and the key over a wireless connection, the two are transmitted separately and over different paths, which effectively reduces the possibility that the ciphertext and the key are both cracked and obtained during transmission, and improves the security of the ciphertext and the key in transit.
Step S15: decrypt the key file received by the second receiving end to obtain the key in the key file.
Step S16: decrypt the ciphertext data received by the second receiving end according to the obtained key, to obtain the corresponding plaintext and plaintext digest in the ciphertext data.
Specifically, in this embodiment, the TA decrypts the encrypted key with the agreed password, and decrypts the data ciphertext with the key.
Step S17: verify the integrity of the plaintext according to the plaintext digest. Specifically, the plaintext digest is used to check the integrity of the plaintext. If the plaintext is complete, it can be stored further; if the plaintext is incomplete, it should be discarded.
This embodiment also provides a data storage method for storing the plaintext and plaintext digest obtained by the above data transmission method, in which the plaintext and plaintext digest in the secure environment are stored into the non-secure environment. Specifically, as shown in Fig. 2, the data storage method includes the following steps:
Step S21: encrypt the obtained plaintext and plaintext digest with the first key in the secure environment to obtain first encrypted data. Specifically, in this embodiment, the first key is a random key; further, in this embodiment, the random key in the Efuse is used to encrypt the obtained plaintext and plaintext digest to obtain the first encrypted data.
Step S22: encrypt the first encrypted data with the second key in the secure environment to obtain second encrypted data. Specifically, in this embodiment, the second key is generated by calling the secure storage interface in the secure environment; that is, in this embodiment, the secure storage interface of the secure system is called to further encrypt the first encrypted data.
Step S23: write the obtained second encrypted data to storage in the non-secure environment. Encrypting the plaintext with the Efuse random key and then encrypting it a second time through the secure storage interface before storing it to external space increases the difficulty of cracking the plaintext, and ensures that the ciphertext data each machine stores to external space is different. Data decryption and encrypted dumping are both carried out in the secure environment, which effectively ensures the security of the data.
To further the understanding of the data transmission method and data storage method of this embodiment, their implementation process is further described below.
As shown in Fig. 3, the encryption tool first encrypts the plaintext and the plaintext digest to obtain the key and the ciphertext. The ciphertext is transmitted over the USB data cable to the receiving CA (client application) on the device side; the CA activates the TA (trusted application) in the secure environment and passes the ciphertext to the TA (trusted application). The TA (trusted application) starts the Wifi service and listens for a key broadcast on the network; after detecting the key broadcast, it shakes hands with the broadcast server and obtains the key. The key is transmitted after being encrypted with the agreed password. The TA decrypts the key ciphertext with the agreed password, decrypts the data ciphertext with the key, and checks the integrity of the data plaintext. Thus this embodiment encrypts the transmitted data and sends the encrypted key and the ciphertext to the TA at different times over different channels. The plaintext is then encrypted with the random key in the Efuse to produce ciphertext 1, and the secure storage interface of the secure system is called to encrypt ciphertext 1, after which it is stored in the external environment. That is, in the secure system environment, the encrypted key data is first decrypted with the symmetric key, and the encrypted data ciphertext is then decrypted with the recovered key; after the plaintext is recovered, the plaintext digest is checked, and if it is correct, the plaintext is encrypted a first time with the random key in the Efuse to generate ciphertext 1, and the secure storage interface is then called to dump ciphertext 1 to the non-secure environment. This scheme transmits the key and the ciphertext at different times over different channels, and the entire decryption and dump process is completed within the secure system, which greatly improves the security of data transmission.
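The Fig. 3 flow end to end (S11, S15 to S17, then S21 to S23), as an added example that is not part of the patent. The cipher (an HMAC-SHA256 keystream), the PBKDF2 key derivation, every function name, the `ta_load` reverse path and the byte-string Efuse and storage keys are assumptions standing in for details the patent leaves open; the two transport channels are not modelled.

```python
import hashlib
import hmac
import secrets

DIGEST_LEN = 32  # SHA-256 digest placed at the head of the plaintext (S11)


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream.

    The patent names no cipher; a real build would use a vetted one, ideally
    an authenticated mode. Encryption and decryption are the same call.
    """
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt under a fresh random nonce and prepend the nonce."""
    nonce = secrets.token_bytes(16)
    return nonce + stream_xor(key, nonce, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal(): split off the nonce and decrypt the rest."""
    return stream_xor(key, blob[:16], blob[16:])


def password_key(password: bytes, salt: bytes) -> bytes:
    """Key-wrapping key from the agreed password (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def frame(plaintext: bytes) -> bytes:
    """Add the plaintext digest to the head of the plaintext."""
    return hashlib.sha256(plaintext).digest() + plaintext


def unframe(framed: bytes):
    """Integrity check (S17): return the plaintext, or None to discard it."""
    if len(framed) < DIGEST_LEN:
        return None
    digest, plaintext = framed[:DIGEST_LEN], framed[DIGEST_LEN:]
    if hmac.compare_digest(digest, hashlib.sha256(plaintext).digest()):
        return plaintext
    return None


def sender_encrypt(plaintext: bytes, agreed_password: bytes):
    """S11: returns (ciphertext_data for the wired path, key_file for the wireless path)."""
    random_key = secrets.token_bytes(32)
    ciphertext_data = seal(random_key, frame(plaintext))
    salt = secrets.token_bytes(16)
    key_file = salt + seal(password_key(agreed_password, salt), random_key)
    return ciphertext_data, key_file


def ta_receive(ciphertext_data: bytes, key_file: bytes, agreed_password: bytes):
    """S15-S17 inside the TA: unwrap the key, decrypt, verify the digest."""
    salt, wrapped = key_file[:16], key_file[16:]
    random_key = unseal(password_key(agreed_password, salt), wrapped)
    return unframe(unseal(random_key, ciphertext_data))


def ta_store(plaintext: bytes, efuse_key: bytes, storage_key: bytes) -> bytes:
    """S21-S23: ciphertext 1 under the Efuse key, ciphertext 2 under the storage key.

    Both keys are plain byte strings here (assumption); on a device the second
    layer is applied by the secure storage interface, not by the TA itself.
    """
    ciphertext_1 = seal(efuse_key, frame(plaintext))
    return seal(storage_key, ciphertext_1)  # ciphertext 2, written to non-secure storage


def ta_load(ciphertext_2: bytes, efuse_key: bytes, storage_key: bytes):
    """Reverse of ta_store(); None means the blob does not verify on this device."""
    return unframe(unseal(efuse_key, unseal(storage_key, ciphertext_2)))


if __name__ == "__main__":
    password = b"constructed-agreed-password"  # constructed sample value
    ct, kf = sender_encrypt(b"constructed sample payload", password)
    print("received:", ta_receive(ct, kf, password))
    tampered = ct[:-1] + bytes([ct[-1] ^ 1])   # one bit flipped in transit
    print("tampered:", ta_receive(tampered, kf, password))
    device_a = (secrets.token_bytes(32), secrets.token_bytes(32))  # simulated keys
    device_b = (secrets.token_bytes(32), secrets.token_bytes(32))
    blob = ta_store(b"constructed sample payload", *device_a)
    print("device A:", ta_load(blob, *device_a), "device B:", ta_load(blob, *device_b))
```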
To implement the above data transmission method, this embodiment correspondingly provides a data transmission system for transferring data from a non-secure environment to a secure environment. Specifically, as shown in Fig. 4, the data transmission system 1 includes: an encryption acquisition module 11, a ciphertext transmission module 12, a key transmission module 13, a key acquisition module 14, a plaintext acquisition module 15 and a verification module 16.
In this embodiment, the encryption acquisition module 11 is used to encrypt the plaintext and the plaintext digest in the non-secure environment and obtain the ciphertext data and key corresponding to the encrypted plaintext and plaintext digest.
Specifically, in this embodiment, the encryption acquisition module 11 uses an encryption tool to compute the plaintext digest with a digest algorithm and adds the computed plaintext digest to the head of the plaintext. The encryption tool then computes a random key and uses it to encrypt the plaintext digest and the plaintext; at the same time, the encryption tool encrypts the random key with the agreed password, generating the corresponding ciphertext data and key.
In this embodiment, the ciphertext transmission module 12 is used to transmit the ciphertext data through the first transmission tool to the preset first receiving end in the non-secure environment, and to use the preset first receiving end to activate the preset second receiving end in the secure environment and transmit the ciphertext data to the preset second receiving end.
Specifically, in this embodiment, the first transmission tool transmits over a wired connection; for example, the first transmission tool transmits over a USB data cable. Specifically, the transmission device, i.e. the first transmission tool, is searched for, and the ciphertext data is transmitted over the USB data cable to the preset first receiving end; in this embodiment, the preset first receiving end is the device-side application CA (client application).
That is, in this embodiment, the device-side application CA (client application) receives the ciphertext packet sent by the client over the USB data cable, and the CA activates the second receiving end in the secure environment; in this embodiment, the second receiving end is a TA (trusted application). The CA passes the ciphertext to the TA.
In this embodiment, the key transmission module 13 is used to encrypt the key through the second transmission tool to form a key file and transmit the key file to the second receiving end.
Specifically, in this embodiment, the second transmission tool transmits over a wireless connection. For example, the second transmission tool transmits over a wireless network, specifically a wireless network such as wifi or Zigbee.
In this embodiment, the key transmission module 13 first broadcasts a key-reception request packet to the local area network, waits for the key-reception response packet from the TA (trusted application), i.e. the second receiving end, takes the receiving target IP from the response packet, and transmits the key packet to the TA (trusted application). The TA starts the Wifi service and listens for a key request broadcast on the network; after detecting the key request broadcast, it sends a response packet to the initiator to perform the handshake. The key is transmitted after being encrypted with the agreed password, and the TA (trusted application) obtains the key.
In addition, in this embodiment, the period in which the first transmission tool transmits the ciphertext data differs from the period in which the second transmission tool transmits the key. That is, the period in which the ciphertext transmission module 12 transmits the ciphertext data differs from the period in which the key transmission module 13 transmits the key. Because the ciphertext is transmitted over a wired connection and the key over a wireless connection, the two are transmitted separately and over different paths, which effectively reduces the possibility that the ciphertext and the key are both cracked and obtained during transmission, and improves the security of the ciphertext and the key in transit.
In this embodiment, the key acquisition module 14 is used to decrypt the key file received by the second receiving end to obtain the key in the key file, and the plaintext acquisition module 15 is used to decrypt the ciphertext data received by the second receiving end according to the obtained key, to obtain the corresponding plaintext and plaintext digest in the ciphertext data.
Specifically, in this embodiment, the TA decrypts the encrypted key with the agreed password, and decrypts the data ciphertext with the key.
In this embodiment, the verification module is connected to the plaintext acquisition module and is used to verify the integrity of the plaintext according to the plaintext digest. Specifically, the verification module uses the plaintext digest to check the integrity of the plaintext. If the plaintext is complete, it can be stored further; if the plaintext is incomplete, it should be discarded.
As shown in Fig. 5, this embodiment also provides a data storage system 2 for storing the plaintext and plaintext digest obtained by the above data transmission system 1, in which the plaintext and plaintext digest in the secure environment are stored into the non-secure environment. The data storage system 2 includes: a first encryption module 21, a second encryption module 22 and a storage writing module 23.
In this embodiment, the first encryption module 21 is used to encrypt the obtained plaintext and plaintext digest with the first key in the secure environment to obtain first encrypted data.
Specifically, in this embodiment, the first key is a random key; further, in this embodiment, the first encryption module 21 uses the random key in the Efuse to encrypt the obtained plaintext and plaintext digest to obtain the first encrypted data.
In this embodiment, the second encryption module 22 is used to encrypt the first encrypted data with the second key in the secure environment to obtain second encrypted data.
Specifically, in this embodiment, the second key is generated by calling the secure storage interface in the secure environment; that is, in this embodiment, the second encryption module 22 calls the secure storage interface of the secure system to further encrypt the first encrypted data.
In this embodiment, the storage writing module 23 is used to write the obtained second encrypted data to storage in the non-secure environment.
Encrypting the plaintext with the Efuse random key and then encrypting it a second time through the secure storage interface before storing it to external space increases the difficulty of cracking the plaintext, and ensures that the ciphertext data each machine stores to external space is different. Data decryption and encrypted dumping are both carried out in the secure environment, which effectively ensures the security of the data.
It is right below to make data transmission system 1 and data-storage system 2 it is further understood that the present embodiment The data transmission system 1 of the present embodiment and the implementation process of data-storage system 2 are further described.
As shown in Figure 3, the implementation process of the data transmission system 1 is as follows. The encryption acquisition module 11 first uses an encryption tool to encrypt the plaintext and the plaintext digest, obtaining a key and a ciphertext. The ciphertext transmission module 12 transmits the ciphertext over a USB data cable to the receiving CA (client application) on the device side; the CA activates the TA (trusted application) in the secure environment and passes the ciphertext to it. The TA opens the Wi-Fi service and monitors the network for a key broadcast. After detecting a key broadcast, it shakes hands with the broadcast server and obtains the key, which is transmitted after being encrypted with an agreed password. The TA decrypts the key ciphertext with the agreed password, decrypts the data ciphertext with the key, and uses the plaintext digest to verify the integrity of the data plaintext. In this way the embodiment encrypts the transmitted data and delivers the encryption key and the ciphertext to the TA over different channels at different times.
The implementation process of the data storage system 2 is as follows. The first encryption module 21 encrypts the plaintext with the random key in the Efuse, producing ciphertext 1. The second encryption module 22 calls the secure storage interface of the secure system to encrypt ciphertext 1, generating ciphertext 2, and the storage writing module 23 stores ciphertext 2 in the external environment. That is, in the secure system environment, the encrypted key data is first decrypted with a symmetric key, and the encrypted data ciphertext is then decrypted with the recovered key. Once the plaintext is recovered, the plaintext digest is checked; if it is correct, the plaintext is encrypted a first time with the random key in the Efuse to generate ciphertext 1, and the secure storage interface is then called to dump ciphertext 1 to the non-secure environment. In this scheme the key and the ciphertext are transmitted over different channels at different times, and the whole decryption and dump process is completed inside the secure system, which greatly improves the security of data transmission.
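The receive-and-store flow described above, as an added sketch that is not code from the patent or from its applicant. The cipher is a stand-in built from HMAC-SHA256 so the block runs with the Python standard library only; SHA-256 as the digest, the PBKDF2 salt, the key arguments and every function name are assumptions.

```python
import hashlib, hmac, os

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 counter-mode keystream.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"),
                               hashlib.sha256).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, data):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, data)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def _split_and_check(body):
    # The scheme's own integrity step: body is plaintext || digest.
    plaintext, digest = body[:-32], body[-32:]
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), digest):
        raise ValueError("plaintext digest mismatch")
    return plaintext, digest

def password_key(password):
    # Agreed password -> key; salt and iteration count are constructed values.
    return hashlib.pbkdf2_hmac("sha256", password, b"constructed-salt", 100_000)

def sender_package(plaintext, data_key, password):
    body = plaintext + hashlib.sha256(plaintext).digest()
    ciphertext = seal(data_key, body)                  # channel 1: USB to the CA
    key_file = seal(password_key(password), data_key)  # channel 2: Wi-Fi, at a different time
    return ciphertext, key_file

def ta_receive(ciphertext, key_file, password):
    data_key = unseal(password_key(password), key_file)
    return _split_and_check(unseal(data_key, ciphertext))

def ta_store(plaintext, digest, efuse_key, storage_key):
    ciphertext1 = seal(efuse_key, plaintext + digest)  # per-device Efuse random key
    return seal(storage_key, ciphertext1)              # secure-storage layer: ciphertext 2

def ta_load(blob, efuse_key, storage_key):
    return _split_and_check(unseal(efuse_key, unseal(storage_key, blob)))[0]
```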
In summary, the present invention transmits the key and the ciphertext over different transmission channels at different times, improving transmission security, and encrypts the plaintext with the Efuse random key and then a second time through the secure storage interface before storing it to external space, which makes the plaintext harder to crack and ensures that the ciphertext each machine stores to external space is different. The present invention therefore effectively overcomes various shortcomings of the prior art and has high industrial utility value.
The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Anyone familiar with this technology may modify or change the above embodiments without departing from the spirit and scope of the invention. Accordingly, all equivalent modifications or changes completed by those of ordinary skill in the art without departing from the spirit and technical ideas disclosed by the present invention shall still be covered by the claims of the present invention.

Claims (14)

1. A data transmission method for transmitting data from a non-secure environment to a secure environment, characterized in that the data transmission method comprises:
encrypting the plaintext and the plaintext digest in the non-secure environment, and obtaining the ciphertext data and the key corresponding to the encrypted plaintext and plaintext digest;
transmitting the ciphertext data, by a first transmission means, to a preset first receiving terminal in the non-secure environment;
the preset first receiving terminal activating a preset second receiving terminal in the secure environment and transmitting the ciphertext data to the preset second receiving terminal;
by a second transmission means, forming a key file by encrypting the key and transmitting the key file to the second receiving terminal;
decrypting the key file received by the second receiving terminal to obtain the key in the key file;
decrypting the ciphertext data received by the second receiving terminal with the obtained key to obtain the plaintext and plaintext digest corresponding to the ciphertext data;
verifying the integrity of the plaintext according to the plaintext digest.
2. The data transmission method according to claim 1, characterized in that the first transmission means transmits over a wired connection.
3. The data transmission method according to claim 1, characterized in that the second transmission means transmits over a wireless connection.
4. The data transmission method according to claim 1, characterized in that the period in which the ciphertext data is transmitted differs from the period in which the key is transmitted.
5. A data storage method for storing the plaintext and plaintext digest obtained by the data transmission method according to any one of claims 1 to 4, for storing the plaintext and plaintext digest in the secure environment into a non-secure environment, characterized in that the data storage method comprises:
encrypting the obtained plaintext and plaintext digest with a first key in the secure environment to obtain first encrypted data;
encrypting the first encrypted data with a second key in the secure environment to obtain second encrypted data;
writing the obtained second encrypted data to storage in the non-secure environment.
6. The data storage method according to claim 5, characterized in that the first key is a random key.
7. The data storage method according to claim 5, characterized in that the second key is generated by calling the secure storage interface in the secure environment.
8. A data transmission system for transmitting data from a non-secure environment to a secure environment, characterized in that the data transmission system comprises:
an encryption acquisition module, for encrypting the plaintext and the plaintext digest in the non-secure environment and obtaining the ciphertext data and the key corresponding to the encrypted plaintext and plaintext digest;
a ciphertext transmission module, for transmitting the ciphertext data, by a first transmission means, to a preset first receiving terminal in the non-secure environment, and for using the preset first receiving terminal to activate a preset second receiving terminal in the secure environment and transmit the ciphertext data to the preset second receiving terminal;
a key transmission module, for forming, by a second transmission means, a key file by encrypting the key and transmitting the key file to the second receiving terminal;
a key acquisition module, for decrypting the key file received by the second receiving terminal to obtain the key in the key file;
a plaintext acquisition module, for decrypting the ciphertext data received by the second receiving terminal with the obtained key to obtain the plaintext and plaintext digest corresponding to the ciphertext data;
a verification module, connected to the plaintext acquisition module, for verifying the integrity of the plaintext according to the plaintext digest.
9. The data transmission system according to claim 8, characterized in that the first transmission means transmits over a wired connection.
10. The data transmission system according to claim 8, characterized in that the second transmission means transmits over a wireless connection.
11. The data transmission system according to claim 8, characterized in that the period in which the ciphertext transmission module transmits the ciphertext data differs from the period in which the key transmission module transmits the key.
12. A data storage system for storing the plaintext and plaintext digest obtained by the data transmission system according to any one of claims 8 to 11, for storing the plaintext and plaintext digest in the secure environment into a non-secure environment, characterized in that the data storage system comprises:
a first encryption module, for encrypting the obtained plaintext and plaintext digest with a first key in the secure environment to obtain first encrypted data;
a second encryption module, for encrypting the first encrypted data with a second key in the secure environment to obtain second encrypted data;
a storage writing module, for writing the obtained second encrypted data to storage in the non-secure environment.
13. The data storage system according to claim 12, characterized in that the first key is a random key.
14. The data storage system according to claim 12, characterized in that the second key is generated by calling the secure storage interface in the secure environment.
CN201510790533.9A 2015-11-17 2015-11-17 Data transmission and storage method and system Pending CN106709360A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510790533.9A CN106709360A (en) 2015-11-17 2015-11-17 Data transmission and storage method and system

Publications (1)

Publication Number Publication Date
CN106709360A true CN106709360A (en) 2017-05-24

Family

ID=58932537

Country Status (1)

Country Link
CN (1) CN106709360A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170524