CN106709360A - Data transmission and storage method and system - Google Patents
- Publication number
- CN106709360A (CN201510790533.9A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Abstract
The invention provides a data transmission and storage method and system. The data transmission method comprises: encrypting a plaintext and a plaintext digest in a non-secure environment to obtain the corresponding encrypted data and key; transmitting the encrypted data through a first transmission tool to a preset first receiving end in the non-secure environment; having the preset first receiving end activate a preset second receiving end in a secure environment and transmit the encrypted data to that second receiving end; encrypting the key through a second transmission tool to form a key file and transmitting the key file to the second receiving end; decrypting the key file received by the second receiving end to obtain the key it contains; decrypting the encrypted data received by the second receiving end with the obtained key to obtain the corresponding plaintext and plaintext digest; and verifying the integrity of the plaintext against the plaintext digest. Because the key and the encrypted data are transmitted at different times over different transmission channels, transmission security is improved and the plaintext becomes harder to crack.
Description
Technical field
The present invention relates to the technical field of data management, in particular to the technical field of data transmission and storage, and specifically to a data transmission and storage method and system.
Background art
Arm TrustZone technology is a comprehensive security solution whose security design runs through the processor, bus, system modules, peripherals, operating system and applications, ensuring the security of devices developed with it. TrustZone is tightly coupled with Arm Cortex-A series processors; security information is transmitted between the whole system and peripheral IP over the AMBA AXI bus, which keeps modules such as memory, the encryption module, the keyboard and the display screen from being subjected to software attacks.
A device security system developed with TrustZone technology needs to include a TEE (secure execution environment), a security kernel program, security services and TAs (trusted applications). The device security system is divided into two domains (normal mode and secure mode), so the secure system can be developed independently of the non-secure system. Secure mode runs in an independent memory space and can access all resources of normal mode. Switching between normal mode and secure mode is performed by the security monitor module (Monitor).
More and more application scenarios need data to be transferred from a non-secure environment to a secure environment. Two methods are mainly used for this at present: the first transfers the data plaintext directly to the secure environment; the second encrypts the plaintext with an encryption algorithm and transfers the key to the secure environment together with the ciphertext. With the first method the data is easily stolen and security is extremely low; with the second method, although what is transmitted is ciphertext, the key travels together with the ciphertext, so security is still not high.
Summary of the invention
In view of the above shortcomings of the prior art, an object of the present invention is to provide a data transmission and storage method and system that solve the prior-art problem of low security when data is transferred from a non-secure environment to a secure environment.
To achieve the above object and other related objects, the present invention provides a data transmission method for transferring data from a non-secure environment into a secure environment. The data transmission method comprises: encrypting the plaintext and the plaintext digest in the non-secure environment and obtaining the ciphertext data and the key that correspond to the encrypted plaintext and plaintext digest; transmitting the ciphertext data through a first transmission tool to a preset first receiving end in the non-secure environment; the preset first receiving end activating a preset second receiving end in the secure environment and transmitting the ciphertext data to the preset second receiving end; encrypting the key through a second transmission tool to form a key file and transmitting the key file to the second receiving end; decrypting the key file received by the second receiving end to obtain the key in the key file; decrypting, according to the obtained key, the ciphertext data received by the second receiving end to obtain the corresponding plaintext and plaintext digest in the ciphertext data; and verifying the integrity of the plaintext according to the plaintext digest.
In one embodiment of the invention, the first transmission tool transmits over a wired connection.
In one embodiment of the invention, the second transmission tool transmits over a wireless connection.
In one embodiment of the invention, the period in which the ciphertext data is transmitted differs from the period in which the key is transmitted.
To achieve the above object, the present invention also provides a data storage method for storing the plaintext and plaintext digest obtained by the above data transmission method, that is, for storing the plaintext and plaintext digest held in the secure environment into the non-secure environment. The data storage method comprises: encrypting the obtained plaintext and plaintext digest with a first key in the secure environment to obtain first encrypted data; encrypting the first encrypted data with a second key in the secure environment to obtain second encrypted data; and writing the obtained second encrypted data to storage in the non-secure environment.
In one embodiment of the invention, the first key is a random key.
In one embodiment of the invention, the second key is generated by calling the secure storage interface in the secure environment.
To achieve the above object, the present invention also provides a data transmission system for transferring data from a non-secure environment into a secure environment. The data transmission system comprises: an encryption acquisition module, for encrypting the plaintext and the plaintext digest in the non-secure environment and obtaining the ciphertext data and the key that correspond to the encrypted plaintext and plaintext digest; a ciphertext transport module, for transmitting the ciphertext data through a first transmission tool to a preset first receiving end in the non-secure environment, and for using the preset first receiving end to activate a preset second receiving end in the secure environment and transmit the ciphertext data to the preset second receiving end; a key delivery module, for encrypting the key through a second transmission tool to form a key file and transmitting the key file to the second receiving end; a key acquisition module, for decrypting the key file received by the second receiving end to obtain the key in the key file; a plaintext acquisition module, for decrypting, according to the obtained key, the ciphertext data received by the second receiving end to obtain the corresponding plaintext and plaintext digest in the ciphertext data; and an authentication module, connected to the plaintext acquisition module, for verifying the integrity of the plaintext according to the plaintext digest.
In one embodiment of the invention, the first transmission tool transmits over a wired connection.
In one embodiment of the invention, the second transmission tool transmits over a wireless connection.
In one embodiment of the invention, the period in which the ciphertext transport module transmits the ciphertext data differs from the period in which the key delivery module transmits the key.
To achieve the above object, the present invention also provides a data storage system for storing the plaintext and plaintext digest obtained by the above data transmission system, that is, for storing the plaintext and plaintext digest held in the secure environment into the non-secure environment. The data storage system comprises: a first encrypting module, for encrypting the obtained plaintext and plaintext digest with a first key in the secure environment to obtain first encrypted data; a second encrypting module, for encrypting the first encrypted data with a second key in the secure environment to obtain second encrypted data; and a storage writing module, for writing the obtained second encrypted data to storage in the non-secure environment.
In one embodiment of the invention, the first key is a random key.
In one embodiment of the invention, the second key is generated by calling the secure storage interface in the secure environment.
As described above, the data transmission and storage method and system of the present invention have the following beneficial effects:
The present invention transmits the key and the ciphertext at different times over different transmission channels, which improves transmission security. The plaintext is encrypted with the Efuse random key and then encrypted a second time through the secure storage interface before being stored in external space, which makes the plaintext harder to crack and ensures that the ciphertext data each machine stores in external space is different.
Brief description of the drawings
Fig. 1 is a flow diagram of the data transmission method of the present invention.
Fig. 2 is a flow diagram of the data storage method of the present invention.
Fig. 3 is a detailed flow diagram of the data transmission and storage of the present invention.
Fig. 4 is a structural diagram of the data transmission system of the present invention.
Fig. 5 is a structural diagram of the data storage system of the present invention.
Description of reference numerals
1 data transmission system
11 encryption acquisition module
12 ciphertext transport module
13 key delivery module
14 key acquisition module
15 plaintext acquisition module
16 authentication module
2 data storage system
21 first encrypting module
22 second encrypting module
23 storage writing module
S11~S17 steps
S21~S23 steps
Detailed description of the embodiments
The embodiments of the present invention are described below by way of specific examples; those skilled in the art can readily understand other advantages and effects of the present invention from the content disclosed in this specification. The present invention can also be implemented or applied through other, different specific embodiments, and the details in this specification can be modified or changed in various ways, based on different viewpoints and applications, without departing from the spirit of the present invention.
The purpose of this embodiment is to provide a data transmission and storage method and system that solve the prior-art problem of low security when data is transferred from a non-secure environment to a secure environment. The principles and implementation of the data transmission and storage method and system of this embodiment are described in detail below, so that those skilled in the art can understand them without creative effort.
This embodiment provides a data transmission method for transferring data from a non-secure environment into a secure environment. Specifically, as shown in Fig. 1, the data transmission method comprises the following steps.
Step S11: encrypt the plaintext and the plaintext digest in the non-secure environment and obtain the ciphertext data and the key that correspond to the encrypted plaintext and plaintext digest.
Step S12: transmit the ciphertext data through the first transmission tool to the preset first receiving end in the non-secure environment.
Step S13: the preset first receiving end activates the preset second receiving end in the secure environment and transmits the ciphertext data to the preset second receiving end.
Step S14: encrypt the key through the second transmission tool to form a key file and transmit the key file to the second receiving end.
Step S15: decrypt the key file received by the second receiving end to obtain the key in the key file.
Step S16: according to the obtained key, decrypt the ciphertext data received by the second receiving end to obtain the corresponding plaintext and plaintext digest in the ciphertext data.
Step S17: verify the integrity of the plaintext according to the plaintext digest.
Steps S11 to S17 are described in detail below.
Step S11: encrypt the plaintext and the plaintext digest in the non-secure environment and obtain the ciphertext data and the key that correspond to the encrypted plaintext and plaintext digest.
Specifically, in this embodiment, an encryption tool computes the plaintext digest with a digest algorithm and adds the computed digest at the head of the plaintext. The encryption tool then computes a random key and uses it to encrypt the plaintext digest and the plaintext. At the same time, the encryption tool encrypts the random key with the agreed password, generating the corresponding ciphertext data and key.
Step S12: transmit the ciphertext data through the first transmission tool to the preset first receiving end in the non-secure environment.
Specifically, in this embodiment, the first transmission tool transmits over a wired connection; for example, the first transmission tool transmits over a USB data cable. Specifically, the transmission device, that is, the first transmission tool, is searched for, and the ciphertext data is transmitted over the USB data cable to the preset first receiving end. In this embodiment, the preset first receiving end is the device-side application CA (client application).
Step S13: the preset first receiving end activates the preset second receiving end in the secure environment and transmits the ciphertext data to the preset second receiving end.
That is, in this embodiment, the device-side application CA (client application) receives over the USB data cable the ciphertext packet sent by the client, and the CA activates the second receiving end in the secure environment. In this embodiment the second receiving end is a TA (trusted application); the CA passes the ciphertext to the TA.
Step S14: encrypt the key through the second transmission tool to form a key file and transmit the key file to the second receiving end.
Specifically, in this embodiment, the second transmission tool transmits over a wireless connection. For example, the second transmission tool transmits over a wireless network, specifically a wireless network such as Wi-Fi or Zigbee.
In this embodiment, a key-reception request packet is first broadcast to the LAN, and the sender waits for the key-reception response packet from the TA (trusted application), that is, the second receiving end; it takes the destination IP from the response packet and transmits the key packet to the TA. The TA opens the Wi-Fi service and monitors the network for a key request broadcast; after detecting a key request broadcast, it sends a response packet to the initiator to shake hands. The key is transmitted after being encrypted with the agreed password, and the TA obtains the key.
In addition, in this embodiment, the period in which the first transmission tool transmits the ciphertext data differs from the period in which the second transmission tool transmits the key. Because the ciphertext is transmitted over a wired connection and the key over a wireless connection, the two are transmitted separately and over different paths, which effectively reduces the possibility that the ciphertext and the key are both obtained and cracked during transmission, and improves the security of the ciphertext and the key in transit.
Step S15: decrypt the key file received by the second receiving end to obtain the key in the key file.
Step S16: according to the obtained key, decrypt the ciphertext data received by the second receiving end to obtain the corresponding plaintext and plaintext digest in the ciphertext data.
Specifically, in this embodiment, the TA decrypts the encrypted key with the agreed password and then decrypts the data ciphertext with the key.
Step S17: verify the integrity of the plaintext according to the plaintext digest. Specifically, the plaintext digest is used to check the integrity of the plaintext. If the plaintext is complete, it can be stored further; if the plaintext is incomplete, it should be discarded.
This embodiment also provides a data storage method for storing the plaintext and plaintext digest obtained by the above data transmission method, that is, for storing the plaintext and plaintext digest held in the secure environment into the non-secure environment. Specifically, as shown in Fig. 2, the data storage method comprises the following steps:
Step S21: encrypt the obtained plaintext and plaintext digest with the first key in the secure environment to obtain the first encrypted data. Specifically, in this embodiment, the first key is a random key; further, in this embodiment, the random key in Efuse is used to encrypt the obtained plaintext and plaintext digest to obtain the first encrypted data.
Step S22: encrypt the first encrypted data with the second key in the secure environment to obtain the second encrypted data. Specifically, in this embodiment, the second key is generated by calling the secure storage interface in the secure environment; that is, in this embodiment, the secure storage interface of the secure system is called to encrypt the first encrypted data further.
Step S23: write the obtained second encrypted data to storage in the non-secure environment. Encrypting the plaintext with the Efuse random key and then encrypting it a second time through the secure storage interface before storing it in external space makes the plaintext harder to crack and ensures that the ciphertext data each machine stores in external space is different. Data decryption and the encrypted dump are both carried out in the secure environment, which effectively guarantees the security of the data.
To give a further understanding of the data transmission method and the data storage method of this embodiment, their implementation process is described further below.
As shown in Fig. 3, the encryption tool first encrypts the plaintext and the plaintext digest to obtain the key and the ciphertext. The ciphertext is transmitted over the USB data cable to the receiving CA (client application) on the device side; the CA activates the TA (trusted application) in the secure environment and passes the ciphertext to the TA. The TA opens the Wi-Fi service and monitors the network for a key broadcast; after detecting a key broadcast, it shakes hands with the broadcasting server and obtains the key, which is transmitted after being encrypted with the agreed password. The TA decrypts the key ciphertext with the agreed password, decrypts the data ciphertext with the key, and verifies the integrity of the data plaintext. Thus this embodiment encrypts the transmitted data and sends the encrypted key and the ciphertext to the TA over different channels at different times. The plaintext is then encrypted with the random key in Efuse to produce ciphertext 1, and the secure storage interface of the secure system is called to encrypt ciphertext 1, which is then stored in the external environment. That is, within the secure system environment, the encrypted key data is first decrypted with a symmetric key, and the encrypted data ciphertext is then decrypted with the recovered key. Once the plaintext is recovered, the plaintext digest is checked; if it is correct, the plaintext is first encrypted with the random key in Efuse to generate ciphertext 1, and the secure storage interface is then called to dump ciphertext 1 to the non-secure environment. This scheme transmits the key and the ciphertext over different channels at different times, and the whole decryption and dump process is completed inside the secure system, which greatly improves data transmission security.
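The flow described above (steps S11 to S17, then S21 to S23), as an added Python example that is not code from the patent. It assumes SHA-256 as the digest algorithm and PBKDF2 to turn the agreed password into a key, and uses an HMAC-SHA256 keystream as a stand-in cipher so that it runs on the standard library alone; all function names, the key-file layout and `ta_load` (the inverse of the storage steps) are hypothetical, and the USB and wireless channels are not modelled.

```python
import hashlib
import hmac
import os

DIGEST_LEN = 32  # SHA-256; assumed, the patent does not name the digest algorithm


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter keystream.
    Swapped in so the example needs only the standard library; a real
    implementation would use a vetted cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per message, stored in front
    return nonce + keystream_xor(key, nonce, data)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


def with_digest(plaintext: bytes) -> bytes:
    """Digest added at the head of the plaintext, as in step S11."""
    return hashlib.sha256(plaintext).digest() + plaintext


def check_digest(blob: bytes):
    """Step S17: return the plaintext if its digest matches, else None."""
    digest, plaintext = blob[:DIGEST_LEN], blob[DIGEST_LEN:]
    if len(digest) == DIGEST_LEN and hmac.compare_digest(
            digest, hashlib.sha256(plaintext).digest()):
        return plaintext
    return None  # incomplete plaintext is discarded


def password_key(password: bytes, salt: bytes) -> bytes:
    # Assumed way of deriving a key from the agreed password.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def sender_encrypt(plaintext: bytes, password: bytes):
    """S11 and the sender half of S14: returns (ciphertext, key_file)."""
    data_key = os.urandom(32)  # the random key
    ciphertext = seal(data_key, with_digest(plaintext))
    salt = os.urandom(16)
    key_file = salt + seal(password_key(password, salt), data_key)
    return ciphertext, key_file


def ta_receive(ciphertext: bytes, key_file: bytes, password: bytes):
    """S15 to S17 inside the TA."""
    salt, wrapped = key_file[:16], key_file[16:]
    data_key = unseal(password_key(password, salt), wrapped)  # S15
    return check_digest(unseal(data_key, ciphertext))         # S16, S17


def ta_store(plaintext: bytes, efuse_key: bytes, storage_key: bytes) -> bytes:
    """S21 and S22; the returned blob is what S23 writes outside."""
    ciphertext1 = seal(efuse_key, with_digest(plaintext))
    return seal(storage_key, ciphertext1)


def ta_load(blob: bytes, efuse_key: bytes, storage_key: bytes):
    """Hypothetical inverse of ta_store, run inside the secure environment."""
    return check_digest(unseal(efuse_key, unseal(storage_key, blob)))


if __name__ == "__main__":
    password = b"agreed-password"  # constructed sample values
    message = b"device config v1"
    ct, kf = sender_encrypt(message, password)
    print("received:", ta_receive(ct, kf, password))
    damaged = ct[:-1] + bytes([ct[-1] ^ 1])
    print("damaged ciphertext:", ta_receive(damaged, kf, password))
    efuse_a, efuse_b, sk = os.urandom(32), os.urandom(32), os.urandom(32)
    blob = ta_store(message, efuse_a, sk)
    print("same machine:", ta_load(blob, efuse_a, sk))
    print("other machine:", ta_load(blob, efuse_b, sk))
```

A wrong agreed password also ends in a digest mismatch, because the key recovered from the key file is then wrong and the decrypted data no longer matches its digest.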
To implement the above data transmission method, this embodiment correspondingly provides a data transmission system for transferring data from a non-secure environment into a secure environment. Specifically, as shown in Fig. 4, the data transmission system 1 comprises: an encryption acquisition module 11, a ciphertext transport module 12, a key delivery module 13, a key acquisition module 14, a plaintext acquisition module 15 and an authentication module 16.
In this embodiment, the encryption acquisition module 11 is used to encrypt the plaintext and the plaintext digest in the non-secure environment and obtain the ciphertext data and the key that correspond to the encrypted plaintext and plaintext digest.
Specifically, in this embodiment, the encryption acquisition module 11 uses an encryption tool to compute the plaintext digest with a digest algorithm and adds the computed digest at the head of the plaintext. The encryption tool then computes a random key and uses it to encrypt the plaintext digest and the plaintext. At the same time, the encryption tool encrypts the random key with the agreed password, generating the corresponding ciphertext data and key.
In this embodiment, the ciphertext transport module 12 is used to transmit the ciphertext data through the first transmission tool to the preset first receiving end in the non-secure environment, and to use the preset first receiving end to activate the preset second receiving end in the secure environment and transmit the ciphertext data to the preset second receiving end.
Specifically, in this embodiment, the first transmission tool transmits over a wired connection; for example, the first transmission tool transmits over a USB data cable. Specifically, the transmission device, that is, the first transmission tool, is searched for, and the ciphertext data is transmitted over the USB data cable to the preset first receiving end. In this embodiment, the preset first receiving end is the device-side application CA (client application).
That is, in this embodiment, the device-side application CA (client application) receives over the USB data cable the ciphertext packet sent by the client, and the CA activates the second receiving end in the secure environment. In this embodiment the second receiving end is a TA (trusted application); the CA passes the ciphertext to the TA.
In this embodiment, the key delivery module 13 is used to encrypt the key through the second transmission tool to form a key file and transmit the key file to the second receiving end.
Specifically, in this embodiment, the second transmission tool transmits over a wireless connection. For example, the second transmission tool transmits over a wireless network, specifically a wireless network such as Wi-Fi or Zigbee.
In this embodiment, the key delivery module 13 first broadcasts a key-reception request packet to the LAN and waits for the key-reception response packet from the TA (trusted application), that is, the second receiving end; it takes the destination IP from the response packet and transmits the key packet to the TA. The TA opens the Wi-Fi service and monitors the network for a key request broadcast; after detecting a key request broadcast, it sends a response packet to the initiator to shake hands. The key is transmitted after being encrypted with the agreed password, and the TA obtains the key.
In addition, in this embodiment, the period in which the first transmission tool transmits the ciphertext data differs from the period in which the second transmission tool transmits the key. That is, the period in which the ciphertext transport module 12 transmits the ciphertext data differs from the period in which the key delivery module 13 transmits the key. Because the ciphertext is transmitted over a wired connection and the key over a wireless connection, the two are transmitted separately and over different paths, which effectively reduces the possibility that the ciphertext and the key are both obtained and cracked during transmission, and improves the security of the ciphertext and the key in transit.
In this embodiment, the key acquisition module 14 is used to decrypt the key file received by the second receiving end to obtain the key in the key file, and the plaintext acquisition module 15 is used to decrypt, according to the obtained key, the ciphertext data received by the second receiving end to obtain the corresponding plaintext and plaintext digest in the ciphertext data.
Specifically, in this embodiment, the TA decrypts the encrypted key with the agreed password and then decrypts the data ciphertext with the key.
In this embodiment, the authentication module is connected to the plaintext acquisition module and is used to verify the integrity of the plaintext according to the plaintext digest. Specifically, the authentication module uses the plaintext digest to check the integrity of the plaintext. If the plaintext is complete, it can be stored further; if the plaintext is incomplete, it should be discarded.
As shown in Fig. 5, this embodiment also provides a data storage system 2 for storing the plaintext and plaintext digest obtained by the above data transmission system 1, that is, for storing the plaintext and plaintext digest held in the secure environment into the non-secure environment. The data storage system 2 comprises: a first encrypting module 21, a second encrypting module 22 and a storage writing module 23.
In this embodiment, the first encrypting module 21 is used to encrypt the obtained plaintext and plaintext digest with the first key in the secure environment to obtain the first encrypted data.
Specifically, in this embodiment, the first key is a random key; further, in this embodiment, the first encrypting module 21 uses the random key in Efuse to encrypt the obtained plaintext and plaintext digest to obtain the first encrypted data.
In this embodiment, the second encrypting module 22 is used to encrypt the first encrypted data with the second key in the secure environment to obtain the second encrypted data.
Specifically, in this embodiment, the second key is generated by calling the secure storage interface in the secure environment; that is, in this embodiment, the second encrypting module 22 calls the secure storage interface of the secure system to encrypt the first encrypted data further.
In this embodiment, the storage writing module 23 is used to write the obtained second encrypted data to storage in the non-secure environment.
Encrypting the plaintext with the Efuse random key and then encrypting it a second time through the secure storage interface before storing it in external space makes the plaintext harder to crack and ensures that the ciphertext data each machine stores in external space is different. Data decryption and the encrypted dump are both carried out in the secure environment, which effectively guarantees the security of the data.
It is right below to make data transmission system 1 and data-storage system 2 it is further understood that the present embodiment
The data transmission system 1 of the present embodiment and the implementation process of data-storage system 2 are further described.
As shown in Fig. 3, the implementation process of the data transmission system 1 is as follows. The encryption acquisition module 11 first uses an encryption tool to encrypt the plaintext and the plaintext digest, obtaining a key and a ciphertext. The ciphertext transport module 12 transmits the ciphertext over a USB data line to the receiving CA (client application) on the device side; the CA activates the TA (trusted application) in the secure environment and passes the ciphertext to the TA. The TA opens the Wifi service and monitors the network for a key broadcast; after detecting a key broadcast, it shakes hands with the broadcast server and obtains the key, which is transmitted after being encrypted with the agreed password. The TA decrypts the key ciphertext with the agreed password, decrypts the data ciphertext with the key, and checks the integrity of the data plaintext against the plaintext digest. The present embodiment thus encrypts the transmitted data and delivers the encryption key and the ciphertext to the TA over different channels at different times.
The implementation process of the data-storage system 2 is as follows. The first encrypting module 21 encrypts the plaintext with the random key in Efuse, producing ciphertext 1. The second encrypting module 22 calls the secure storage interface of the security system to encrypt ciphertext 1, generating ciphertext 2, and the storage writing module 23 stores ciphertext 2 in the external environment. That is, within the secure system environment, the encrypted key data is first decrypted with a symmetric key, and the encrypted data ciphertext is then decrypted with the recovered key. Once the plaintext is recovered, the plaintext digest is checked; if it is correct, the plaintext is encrypted a first time with the random key in Efuse to generate ciphertext 1, and the secure storage interface is then called to dump ciphertext 1 to the non-secure environment. This scheme transmits the key and the ciphertext over different channels at different times, and the whole decryption and dump process is completed within the security system, which greatly improves data transmission security.
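The transmission and storage flows described above, as an added sketch that is not the patent's own code. The HMAC-SHA256 keystream stands in for the symmetric cipher the patent does not name, `device_key` and `storage_key` stand in for the Efuse random key and the secure storage interface's key, and all function names, the PBKDF2 step and its salt are assumptions.

```python
import hashlib
import hmac
import secrets

def stream_xor(key, nonce, data):
    # Stand-in cipher (the patent names none): HMAC-SHA256 counter keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, data):
    nonce = secrets.token_bytes(16)  # fresh per message, stored in the clear
    return nonce + stream_xor(key, nonce, data)

def unseal(key, blob):
    return stream_xor(key, blob[:16], blob[16:])

def with_digest(plaintext):
    return plaintext + hashlib.sha256(plaintext).digest()

def check_digest(body):
    # Split "plaintext || digest" and refuse the plaintext if the digest fails.
    plaintext, digest = body[:-32], body[-32:]
    if len(body) < 32 or not hmac.compare_digest(
            hashlib.sha256(plaintext).digest(), digest):
        raise ValueError("plaintext digest mismatch")
    return plaintext

def password_key(agreed_password):
    # Assumption: the agreed password is stretched with PBKDF2; salt is constructed.
    return hashlib.pbkdf2_hmac("sha256", agreed_password, b"constructed-salt", 10_000)

def sender_prepare(plaintext, agreed_password):
    # Non-secure side: ciphertext goes over channel 1, key file over channel 2.
    data_key = secrets.token_bytes(32)
    key_file = seal(password_key(agreed_password), data_key)
    return seal(data_key, with_digest(plaintext)), key_file

def ta_receive(ciphertext, key_file, agreed_password):
    # TA: unwrap the key file, decrypt the ciphertext, verify the digest.
    data_key = unseal(password_key(agreed_password), key_file)
    return check_digest(unseal(data_key, ciphertext))

def ta_store(plaintext, device_key, storage_key):
    # Ciphertext 1 under the per-device key, ciphertext 2 under the storage key.
    return seal(storage_key, seal(device_key, with_digest(plaintext)))

def ta_load(blob, device_key, storage_key):
    # Reverse of ta_store; a blob copied from another device fails the digest.
    return check_digest(unseal(device_key, unseal(storage_key, blob)))
```

A bare digest detects corruption but is not a keyed integrity check, so a production build would use an AEAD cipher for both layers.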
In summary, the present invention transmits the key and the ciphertext over different transmission channels at different times, improving transmission security. The plaintext is encrypted with the Efuse random key, encrypted a second time through the secure storage interface, and then stored to external space, which increases the difficulty of cracking the plaintext and ensures that the ciphertext data each machine stores to external space is different. The present invention therefore effectively overcomes the various shortcomings of the prior art and has high industrial utilization value.
The above embodiments merely illustrate the principles and effects of the present invention and are not intended to limit it. Anyone familiar with this technology may modify or change the above embodiments without departing from the spirit and scope of the invention. Therefore, all equivalent modifications or changes completed by those of ordinary skill in the art without departing from the spirit and technical ideas disclosed by the invention shall be covered by the claims of the present invention.
Claims (14)
1. A data transmission method for transmitting data in a non-secure environment to a secure environment, characterized in that the data transmission method comprises:
encrypting the plaintext and the plaintext digest in the non-secure environment, and obtaining the ciphertext data corresponding to the encrypted plaintext and plaintext digest, together with a key;
transmitting the ciphertext data by a first delivery means to a preset first receiving terminal in the non-secure environment;
the preset first receiving terminal activating a preset second receiving terminal in the secure environment and transmitting the ciphertext data to the preset second receiving terminal;
forming a key file by encrypting the key, and transmitting the key file by a second delivery means to the second receiving terminal;
decrypting the key file received by the second receiving terminal to obtain the key in the key file;
decrypting the ciphertext data received by the second receiving terminal according to the obtained key, to obtain the corresponding plaintext and plaintext digest in the ciphertext data;
verifying the integrity of the plaintext according to the plaintext digest.
2. The data transmission method according to claim 1, characterized in that the first delivery means transmits over a wired connection.
3. The data transmission method according to claim 1, characterized in that the second delivery means transmits over a wireless connection.
4. The data transmission method according to claim 1, characterized in that the period in which the ciphertext data is transmitted differs from the period in which the key is transmitted.
5. A data storage method for storing the plaintext and plaintext digest obtained by the data transmission method according to any one of claims 1 to 4, for storing the plaintext and plaintext digest in the secure environment into a non-secure environment, characterized in that the data storage method comprises:
encrypting the obtained plaintext and plaintext digest with a first key in the secure environment to obtain first encrypted data;
encrypting the first encrypted data with a second key in the secure environment to obtain second encrypted data;
writing the obtained second encrypted data into the non-secure environment for storage.
6. The data storage method according to claim 5, characterized in that the first key is a random key.
7. The data storage method according to claim 5, characterized in that the second key is generated by calling the secure storage interface in the secure environment.
8. A data transmission system for transmitting data in a non-secure environment to a secure environment, characterized in that the data transmission system comprises:
an encryption acquisition module, for encrypting the plaintext and the plaintext digest in the non-secure environment and obtaining the ciphertext data corresponding to the encrypted plaintext and plaintext digest, together with a key;
a ciphertext transport module, for transmitting the ciphertext data by a first delivery means to a preset first receiving terminal in the non-secure environment, and for using the preset first receiving terminal to activate a preset second receiving terminal in the secure environment and transmit the ciphertext data to the preset second receiving terminal;
a cipher key delivery module, for forming a key file by encrypting the key and transmitting the key file by a second delivery means to the second receiving terminal;
a key acquisition module, for decrypting the key file received by the second receiving terminal to obtain the key in the key file;
a plaintext acquisition module, for decrypting the ciphertext data received by the second receiving terminal according to the obtained key, to obtain the corresponding plaintext and plaintext digest in the ciphertext data;
an authentication module, connected to the plaintext acquisition module, for verifying the integrity of the plaintext according to the plaintext digest.
9. The data transmission system according to claim 8, characterized in that the first delivery means transmits over a wired connection.
10. The data transmission system according to claim 8, characterized in that the second delivery means transmits over a wireless connection.
11. The data transmission system according to claim 8, characterized in that the period in which the ciphertext transport module transmits the ciphertext data differs from the period in which the cipher key delivery module transmits the key.
12. A data-storage system for storing the plaintext and plaintext digest obtained by the data transmission system according to any one of claims 8 to 11, for storing the plaintext and plaintext digest in the secure environment into a non-secure environment, characterized in that the data-storage system comprises:
a first encrypting module, for encrypting the obtained plaintext and plaintext digest with a first key in the secure environment to obtain first encrypted data;
a second encrypting module, for encrypting the first encrypted data with a second key in the secure environment to obtain second encrypted data;
a storage writing module, for writing the obtained second encrypted data into the non-secure environment for storage.
13. The data-storage system according to claim 12, characterized in that the first key is a random key.
14. The data-storage system according to claim 12, characterized in that the second key is generated by calling the secure storage interface in the secure environment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510790533.9A CN106709360A (en) | 2015-11-17 | 2015-11-17 | Data transmission and storage method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106709360A true CN106709360A (en) | 2017-05-24 |
Family
ID=58932537
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510790533.9A Pending CN106709360A (en) | 2015-11-17 | 2015-11-17 | Data transmission and storage method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106709360A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103930899A (en) * | 2011-11-14 | 2014-07-16 | 意法爱立信有限公司 | A method for managing public and private data input at a device |
CN104992122A (en) * | 2015-07-20 | 2015-10-21 | 武汉大学 | Cell phone private information safe box based on ARM Trust Zone |
Non-Patent Citations (2)
Title |
---|
于工 等: "《现代密码学原理与实践》", 31 January 2009, 西安电子科技大学出版社 * |
胡伟雄 等: "《电子商务安全技术》", 30 June 2011, 华中师范大学出版社 * |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107172106B (en) * | 2017-07-21 | 2020-12-22 | 深圳易方数码科技股份有限公司 | Security information interaction method and system |
CN107172106A (en) * | 2017-07-21 | 2017-09-15 | 深圳易方数码科技股份有限公司 | Safe information interaction method and system |
CN109286488A (en) * | 2017-07-21 | 2019-01-29 | 展讯通信(上海)有限公司 | HDCP key cryptographic key protection method |
CN109286488B (en) * | 2017-07-21 | 2021-09-21 | 展讯通信(上海)有限公司 | HDCP key protection method |
US11283606B2 (en) | 2017-12-14 | 2022-03-22 | Amlogic (Shanghai) Co., Ltd. | Trusted execution environment-based key burning system and method |
WO2019114451A1 (en) * | 2017-12-14 | 2019-06-20 | 晶晨半导体(上海)股份有限公司 | Key writing system and method employing trusted execution environment |
CN108777720A (en) * | 2018-07-05 | 2018-11-09 | 湖州贝格信息安全科技有限公司 | Document transmission method and Related product |
WO2020233423A1 (en) * | 2019-05-20 | 2020-11-26 | 创新先进技术有限公司 | Receipt storage method and node based on transaction type |
CN110351730A (en) * | 2019-06-24 | 2019-10-18 | 惠州Tcl移动通信有限公司 | Mobile terminal WIFI processing method, mobile terminal and storage medium |
CN110351730B (en) * | 2019-06-24 | 2023-12-15 | 惠州Tcl移动通信有限公司 | WIFI processing method for mobile terminal, mobile terminal and storage medium |
CN111030984A (en) * | 2019-10-22 | 2020-04-17 | 上海泰宇信息技术股份有限公司 | Data safety transmission system and method |
CN111030984B (en) * | 2019-10-22 | 2022-08-19 | 上海泰宇信息技术股份有限公司 | Data safety transmission system and method |
CN111444528A (en) * | 2020-03-31 | 2020-07-24 | 海信视像科技股份有限公司 | Data security protection method, device and storage medium |
CN111444528B (en) * | 2020-03-31 | 2022-03-29 | 海信视像科技股份有限公司 | Data security protection method, device and storage medium |
CN112632592A (en) * | 2021-03-05 | 2021-04-09 | 江苏荣泽信息科技股份有限公司 | Block chain credible privacy computing power improving system based on TEE technology |
CN112632592B (en) * | 2021-03-05 | 2021-07-06 | 江苏荣泽信息科技股份有限公司 | Block chain credible privacy computing power improving system based on TEE technology |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170524 |