CN106909851A - A secure data storage method and device - Google Patents


Info

Publication number: CN106909851A
Authority: CN (China)
Prior art keywords: data, secure data, stored, storage, safe class
Legal status: Pending
Application number: CN201710106872.XA
Other languages: Chinese (zh)
Inventor: 吕森
Current Assignee: Nubia Technology Co Ltd
Original Assignee: Nubia Technology Co Ltd
Application filed by Nubia Technology Co Ltd
Priority to CN201710106872.XA
Publication of CN106909851A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Abstract

The present invention provides a secure data storage method and device. The device includes: a configuration unit for configuring attribute information of secure data, where the attribute information includes a security level and a life cycle; a first determining unit for determining, when the secure data is to be stored, whether the secure data is stored in a trusted execution environment (TEE) or in a hardware encryption chip, according to the data size and the security level; and a second determining unit for determining, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment/hardware encryption chip. By combining software and hardware, the invention effectively improves the storage efficiency of a hardware-encrypted secure phone and makes maximum use of the limited hardware storage space, so that limited storage space can serve "unlimited" security applications while the storage security of the data is effectively ensured.

Description

A secure data storage method and device
Technical field
The present invention relates to the field of electronic technology, and more particularly to a secure data storage method and device.
Background
The security of information on mobile terminals has increasingly become a strong user demand. In response, the mobile terminal industry has produced a variety of security solutions, including software, hardware, and combined software/hardware solutions, which protect the data security of mobile terminals to a certain extent.
The SE secure chips that are mainstream in the industry today are used mainly in NFC card-emulation applications, such as transit cards, bank cards, and access control cards. Because of their use in the payment field, SEs have very high security levels, and bringing a hardware encryption chip of such a high security level into mobile terminal security applications is a very good choice. However, because the security level is high, the associated security requirements make it difficult to extend the storage space. Therefore, if the problem of insufficient hardware storage space in SE secure chips can be solved, they will certainly be widely used in the mobile terminal field and ensure the data security of mobile terminals.
Summary of the invention
The main object of the present invention is to propose a secure data storage method and device, intended to solve the problem of insufficient hardware storage space in SE secure chips in the prior art.
To achieve the above object, the present invention adopts the following technical solutions:
According to one aspect of the present invention, a secure data storage device is provided, including:
A configuration unit, for configuring attribute information of secure data, where the attribute information includes a security level and a life cycle;
A first determining unit, for determining, when the secure data is to be stored, whether the secure data is stored in the trusted execution environment (TEE) or the hardware encryption chip, according to the data size and the security level;
A second determining unit, for determining, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment/hardware encryption chip.
Optionally, the configuration unit is specifically configured to:
Obtain the configured application or data name;
Extract the secure data to be stored according to the application or data name;
Set the security level and life cycle required for the secure data.
Optionally, the first determining unit is specifically configured to:
Compare the data size with the storage space of the hardware encryption chip;
When the data size is greater than the storage space, store the secure data in the trusted execution environment TEE;
When the data size is less than or equal to the storage space, determine whether the security level is a TEE level; if it is a TEE level, store the secure data in the trusted execution environment TEE; otherwise, store the secure data in the hardware encryption chip.
Optionally, the security level includes hardware highest level, hardware storage level, TEE highest level, and TEE storage level; the life cycle is divided into permanent storage and non-permanent storage;
The second determining unit is specifically configured to:
When the security level is a highest level or the life cycle is permanent storage, store the secure data in the solid-state storage region;
When the security level is a storage level and the life cycle is non-permanent storage, store the secure data in the dynamic storage region.
Optionally, the dynamic management unit is configured to:
Monitor in real time the secure data in the dynamic storage region of the trusted execution environment/hardware encryption chip;
When the secure data satisfies a preset data usage rule, or an operation instruction for the secure data is received, perform dynamic storage management on the secure data.
According to one aspect of the present invention, a secure data storage method is provided, including:
Configuring attribute information of secure data, where the attribute information includes a security level and a life cycle;
When the secure data is to be stored, determining according to the data size and the security level whether the secure data is stored in the trusted execution environment (TEE) or the hardware encryption chip;
Determining, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment/hardware encryption chip.
Optionally, configuring the attribute information of the secure data specifically includes:
Obtaining the configured application or data name;
Extracting the secure data to be stored according to the application or data name;
Setting the security level and life cycle required for the secure data.
Optionally, determining according to the data size and the security level whether the secure data is stored in the trusted execution environment TEE or the hardware encryption chip specifically includes:
Comparing the data size with the storage space of the hardware encryption chip;
When the data size is greater than the storage space, storing the secure data in the trusted execution environment TEE;
When the data size is less than or equal to the storage space, determining whether the security level is a TEE level; if it is a TEE level, storing the secure data in the trusted execution environment TEE; otherwise, storing the secure data in the hardware encryption chip.
Optionally, the security level includes hardware highest level, hardware storage level, TEE highest level, and TEE storage level; the life cycle is divided into permanent storage and non-permanent storage;
Determining, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment/hardware encryption chip specifically includes:
When the security level is a highest level or the life cycle is permanent storage, storing the secure data in the solid-state storage region;
When the security level is a storage level and the life cycle is non-permanent storage, storing the secure data in the dynamic storage region.
Optionally, the method further includes:
Monitoring in real time the secure data in the dynamic storage region of the trusted execution environment/hardware encryption chip;
When the secure data satisfies a preset data usage rule, or an operation instruction for the secure data is received, performing dynamic storage management on the secure data.
The secure data storage method and device proposed by the present invention set multiple storage regions and multiple security levels by combining software and hardware. This effectively improves the storage efficiency of a hardware-encrypted secure phone and makes maximum use of the limited hardware storage space, so that limited storage space can serve "unlimited" security applications while the storage security of the data is effectively ensured. With the present invention, the storage space of a high-security-level hardware encryption chip can be fully used, and the range of encrypted applications can be extended further according to actual conditions, which gives the invention strong practical significance for real products.
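The placement rules summarised above (TEE versus hardware encryption chip by data size and security level, then solid-state versus dynamic region by security level and life cycle), as an added Python example that is not part of the patent text. All class and function names, the `overflowed` flag, the sample items, and the modelling of the "preset data usage rule" as an expiry time or a remaining-use count are assumptions made for illustration; the text does not say whether "storage space" means total or free capacity, so the caller passes the figure in.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Level(Enum):
    """The four security levels named in the text."""
    HW_HIGHEST = "hardware highest level"
    HW_STORAGE = "hardware storage level"
    TEE_HIGHEST = "TEE highest level"
    TEE_STORAGE = "TEE storage level"


TEE_LEVELS = {Level.TEE_HIGHEST, Level.TEE_STORAGE}
HIGHEST_LEVELS = {Level.HW_HIGHEST, Level.TEE_HIGHEST}


@dataclass
class Lifecycle:
    permanent: bool
    expires_at: Optional[float] = None  # assumed rule: absolute time in seconds
    uses_left: Optional[int] = None     # assumed rule: remaining permitted uses


@dataclass
class SecureItem:
    name: str
    size: int          # bytes
    level: Level
    lifecycle: Lifecycle


@dataclass(frozen=True)
class Placement:
    environment: str   # "TEE" or "SE" (hardware encryption chip)
    region: str        # "solid" or "dynamic"
    overflowed: bool   # hardware-level item placed in the TEE because it did not fit


def choose_environment(item: SecureItem, se_space: int) -> str:
    """First determining unit: size check first, then the level check."""
    if item.size > se_space:
        return "TEE"                      # too large for the chip, whatever its level
    return "TEE" if item.level in TEE_LEVELS else "SE"


def choose_region(item: SecureItem) -> str:
    """Second determining unit: highest level OR permanent -> solid-state region."""
    if item.level in HIGHEST_LEVELS or item.lifecycle.permanent:
        return "solid"
    return "dynamic"                      # storage level AND non-permanent


def place(item: SecureItem, se_space: int) -> Placement:
    if item.size < 0 or se_space < 0:
        raise ValueError("sizes must be non-negative")
    env = choose_environment(item, se_space)
    # Added by this example: flag items whose level asked for hardware storage
    # but which landed in the TEE, so the caller can log or review that case.
    overflowed = env == "TEE" and item.level not in TEE_LEVELS
    return Placement(env, choose_region(item), overflowed)


def rule_met(item: SecureItem, now: float) -> bool:
    """True when a non-permanent item has reached its expiry time or use limit."""
    lc = item.lifecycle
    if lc.permanent:
        return False
    if lc.expires_at is not None and now >= lc.expires_at:
        return True
    return lc.uses_left is not None and lc.uses_left <= 0


def sweep(dynamic_items: List[SecureItem], now: float) -> List[str]:
    """Names of dynamic-region items that now need dynamic storage management."""
    return [i.name for i in dynamic_items if rule_met(i, now)]


def demo():
    se_space = 4096  # constructed figure for the chip's storage space, in bytes
    items = [        # constructed sample items
        SecureItem("fingerprint", 2048, Level.HW_HIGHEST, Lifecycle(True)),
        SecureItem("session-token", 64, Level.HW_STORAGE, Lifecycle(False, uses_left=5)),
        SecureItem("cert-bundle", 65536, Level.HW_STORAGE, Lifecycle(False, expires_at=100.0)),
        SecureItem("app-secret", 512, Level.TEE_STORAGE, Lifecycle(True)),
    ]
    return [(i.name, place(i, se_space)) for i in items]


if __name__ == "__main__":
    for name, placement in demo():
        print(name, placement)
```
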
Brief description of the drawings
Fig. 1 is a schematic diagram of the hardware structure of an optional mobile terminal for implementing the embodiments of the present invention;
Fig. 2 is a structural block diagram of the secure data storage device in an embodiment of the present invention;
Fig. 3 is a structural block diagram of the secure data storage device in a specific embodiment of the present invention;
Fig. 4 is a flow chart of the secure data storage method in an embodiment of the present invention;
Fig. 5 is a flow chart of the secure data storage method in a specific embodiment of the present invention;
Fig. 6 is a flow chart of the secure data storage method in a specific embodiment of the present invention.
The realization of the object, the functional characteristics, and the advantages of the present invention will be further described with reference to the drawings in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein merely illustrate the present invention and are not intended to limit it.
A mobile terminal implementing the embodiments of the present invention is now described with reference to the drawings. In the following description, suffixes such as "module", "part" or "unit" used to denote elements are used only to facilitate the description of the invention and have no specific meaning in themselves. Therefore, "module" and "part" can be used interchangeably.
A mobile terminal can be implemented in various forms. For example, the terminal described in the present invention can include mobile terminals such as mobile phones, smartphones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable media players), and navigation devices, as well as fixed terminals such as digital TVs and desktop computers. Hereinafter it is assumed that the terminal is a mobile terminal. However, those skilled in the art will understand that, apart from elements used specifically for mobile purposes, the construction according to the embodiments of the present invention can also be applied to fixed terminals.
Fig. 1 is a schematic diagram of the hardware structure of an optional mobile terminal for implementing the embodiments of the present invention.
The mobile terminal 100 can include a user input unit 130, a sensing unit 140, an output unit 150, a memory 160, an interface unit 170, a controller 180, a power supply unit 190, and so on. Fig. 1 shows a mobile terminal with various components, but it should be understood that not all of the components shown are required. More or fewer components can be implemented instead. The elements of the mobile terminal are described in detail below.
The wireless communication unit 110 generally includes one or more components that allow radio communication between the mobile terminal 100 and a wireless communication system or network. For example, the wireless communication unit can include at least one of a broadcast reception module 111, a mobile communication module 112, a wireless Internet module 113, a short-range communication module 114, and a location information module 115.
The broadcast reception module 111 receives broadcast signals and/or broadcast-related information from an external broadcast management server via a broadcast channel. The broadcast channel can include a satellite channel and/or a terrestrial channel. The broadcast management server can be a server that generates and sends broadcast signals and/or broadcast-related information, or a server that receives previously generated broadcast signals and/or broadcast-related information and sends them to the terminal. Broadcast signals can include TV broadcast signals, radio broadcast signals, data broadcast signals, and so on. A broadcast signal can also include a broadcast signal combined with a TV or radio broadcast signal. Broadcast-related information can also be provided via a mobile communication network, in which case it can be received by the mobile communication module 112. Broadcast signals can exist in various forms, for example in the form of an electronic program guide (EPG) of digital multimedia broadcasting (DMB) or an electronic service guide (ESG) of digital video broadcasting-handheld (DVB-H). The broadcast reception module 111 can receive broadcast signals by using various types of broadcast systems. In particular, the broadcast reception module 111 can receive digital broadcasts by using digital broadcast systems such as digital multimedia broadcasting-terrestrial (DMB-T), digital multimedia broadcasting-satellite (DMB-S), digital video broadcasting-handheld (DVB-H), the data broadcast system of media forward link only (MediaFLO®), and integrated services digital broadcasting-terrestrial (ISDB-T). The broadcast reception module 111 can be constructed to suit the various broadcast systems that provide broadcast signals as well as the above digital broadcast systems. Broadcast signals and/or broadcast-related information received via the broadcast reception module 111 can be stored in the memory 160 (or another type of storage medium).
The mobile communication module 112 sends radio signals to, and/or receives radio signals from, at least one of a base station (for example, an access point or Node B), an external terminal, and a server. Such radio signals can include voice call signals, video call signals, or various types of data sent and/or received according to text and/or multimedia messages.
The wireless Internet module 113 supports wireless Internet access for the mobile terminal. The module can be coupled to the terminal internally or externally. The wireless Internet access technologies involved can include WLAN (wireless LAN) (Wi-Fi), Wibro (wireless broadband), Wimax (worldwide interoperability for microwave access), HSDPA (high-speed downlink packet access), and so on.
The short-range communication module 114 is a module for supporting short-range communication. Some examples of short-range communication technology include Bluetooth™, radio frequency identification (RFID), Infrared Data Association (IrDA), ultra-wideband (UWB), ZigBee™, and so on.
The location information module 115 is a module for checking or obtaining the location information of the mobile terminal. A typical example of the location information module is GPS (global positioning system). According to current technology, the GPS module 115 calculates distance information from three or more satellites and accurate time information, and applies triangulation to the calculated information, thereby accurately calculating three-dimensional current location information in terms of longitude, latitude, and altitude. Currently, the method for calculating position and time information uses three satellites and corrects the error of the calculated position and time information by using one further satellite. In addition, the GPS module 115 can calculate speed information by continuously calculating current location information in real time.
The A/V input unit 120 is used to receive audio or video signals. The A/V input unit 120 can include a camera 121 and a microphone 122. The camera 121 processes the image data of still pictures or video obtained by an image capture device in video capture mode or image capture mode. The processed image frames can be displayed on the display unit 151. Image frames processed by the camera 121 can be stored in the memory 160 (or another storage medium) or sent via the wireless communication unit 110, and two or more cameras 121 can be provided depending on the construction of the mobile terminal. The microphone 122 can receive sound (audio data) in operating modes such as phone call mode, recording mode, and speech recognition mode, and can process such sound into audio data. In phone call mode, the processed audio (voice) data can be converted into a format that can be sent to a mobile communication base station via the mobile communication module 112 and output. The microphone 122 can implement various types of noise elimination (or suppression) algorithms to eliminate (or suppress) noise or interference produced while receiving and sending audio signals.
The user input unit 130 can generate key input data according to commands entered by the user in order to control various operations of the mobile terminal. The user input unit 130 allows the user to enter various types of information and can include a keyboard, a dome switch, a touch pad (for example, a touch-sensitive component that detects changes in resistance, pressure, capacitance, and so on caused by being touched), a scroll wheel, a joystick, and so on. In particular, when the touch pad is superimposed on the display unit 151 in the form of a layer, a touch screen can be formed.
The sensing unit 140 detects the current state of the mobile terminal 100 (for example, the open or closed state of the mobile terminal 100), the position of the mobile terminal 100, the presence or absence of user contact with the mobile terminal 100 (that is, touch input), the orientation of the mobile terminal 100, the acceleration or deceleration movement and direction of the mobile terminal 100, and so on, and generates commands or signals for controlling the operation of the mobile terminal 100. For example, when the mobile terminal 100 is implemented as a slide-type mobile phone, the sensing unit 140 can sense whether the slide-type phone is open or closed. In addition, the sensing unit 140 can detect whether the power supply unit 190 provides power or whether the interface unit 170 is coupled with an external device.
The interface unit 170 serves as an interface through which at least one external device can connect to the mobile terminal 100. For example, external devices can include wired or wireless headset ports, external power supply (or battery charger) ports, wired or wireless data ports, memory card ports, ports for connecting a device having an identification module, audio input/output (I/O) ports, video I/O ports, earphone ports, and so on. The identification module can store various information for verifying the user's use of the mobile terminal 100 and can include a user identity module (UIM), a subscriber identity module (SIM), a universal subscriber identity module (USIM), and so on. In addition, a device having an identification module (hereinafter referred to as an "identifying device") can take the form of a smart card; therefore, the identifying device can be connected with the mobile terminal 100 via a port or other connection means. The interface unit 170 can be used to receive input (for example, data, power, and so on) from an external device and transfer the received input to one or more elements in the mobile terminal 100, or can be used to transfer data between the mobile terminal and an external device.
In addition, when the mobile terminal 100 is connected to an external cradle, the interface unit 170 can serve as a path through which power is supplied from the cradle to the mobile terminal 100, or as a path through which various command signals input from the cradle are transferred to the mobile terminal. The various command signals or power input from the cradle can serve as signals for recognising whether the mobile terminal is accurately mounted on the cradle. The output unit 150 is configured to provide output signals (for example, audio signals, video signals, alarm signals, vibration signals, and so on) in a visual, audio, and/or tactile manner. The output unit 150 can include a display unit 151, an audio output module 152, an alarm unit 153, and so on.
The display unit 151 can display information processed in the mobile terminal 100. For example, when the mobile terminal 100 is in phone call mode, the display unit 151 can display a user interface (UI) or graphical user interface (GUI) related to the call or other communication (for example, text messaging, multimedia file download, and so on). When the mobile terminal 100 is in video call mode or image capture mode, the display unit 151 can display captured and/or received images, a UI or GUI showing video or images and related functions, and so on.
Meanwhile, when the display unit 151 and the touch pad are superimposed on each other in the form of layers to form a touch screen, the display unit 151 can serve as both an input device and an output device. The display unit 151 can include at least one of a liquid crystal display (LCD), a thin-film-transistor LCD (TFT-LCD), an organic light-emitting diode (OLED) display, a flexible display, a three-dimensional (3D) display, and so on. Some of these displays can be constructed to be transparent to allow the user to view from the outside; these can be called transparent displays, and a typical transparent display can be, for example, a TOLED (transparent organic light-emitting diode) display. Depending on the particular desired implementation, the mobile terminal 100 can include two or more display units (or other display devices); for example, the mobile terminal can include an external display unit (not shown) and an internal display unit (not shown). The touch screen can be used to detect touch input pressure as well as touch input position and touch input area.
The audio output module 152 can, when the mobile terminal is in a mode such as call signal reception mode, call mode, recording mode, speech recognition mode, or broadcast reception mode, convert audio data received by the wireless communication unit 110 or stored in the memory 160 into an audio signal and output it as sound. The audio output module 152 can also provide audio output related to a specific function performed by the mobile terminal 100 (for example, a call signal reception sound, a message reception sound, and so on). The audio output module 152 can include a loudspeaker, a buzzer, and so on.
The alarm unit 153 can provide output to notify the mobile terminal 100 of the occurrence of an event. Typical events can include call reception, message reception, key signal input, touch input, and so on. In addition to audio or video output, the alarm unit 153 can provide output in different ways to notify of the occurrence of an event. For example, the alarm unit 153 can provide output in the form of vibration: when a call, a message, or some other incoming communication is received, the alarm unit 153 can provide tactile output (that is, vibration) to notify the user. By providing such tactile output, the user can recognise the occurrence of various events even when the user's mobile phone is in the user's pocket. The alarm unit 153 can also provide output notifying of the occurrence of an event via the display unit 151 or the audio output module 152.
The memory 160 can store software programs for the processing and control operations performed by the controller 180, or can temporarily store data that has been output or is to be output (for example, a phone book, messages, still images, video, and so on). The memory 160 can also store data about the various patterns of vibration and audio signals that are output when a touch is applied to the touch screen.
The memory 160 can include at least one type of storage medium, including flash memory, hard disk, multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk, optical disc, and so on. The mobile terminal 100 can also cooperate with a network storage device that performs the storage function of the memory 160 over a network connection.
The controller 180 generally controls the overall operation of the mobile terminal. For example, the controller 180 performs the control and processing related to voice calls, data communication, video calls, and so on. In addition, the controller 180 can include a multimedia module 181 for reproducing (or playing back) multimedia data; the multimedia module 181 can be constructed within the controller 180 or can be constructed separately from the controller 180. The controller 180 can perform pattern recognition processing to recognise handwriting input or picture-drawing input performed on the touch screen as characters or images.
The power supply unit 190 receives external or internal power under the control of the controller 180 and provides the appropriate power needed to operate each element and component.
The various embodiments described herein can be implemented in a computer-readable medium using, for example, computer software, hardware, or any combination thereof. For hardware implementation, the embodiments described herein can be implemented by using at least one of an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a digital signal processing device (DSPD), a programmable logic device (PLD), a field-programmable gate array (FPGA), a processor, a controller, a microcontroller, a microprocessor, and an electronic unit designed to perform the functions described herein; in some cases, such embodiments can be implemented in the controller 180. For software implementation, embodiments such as processes or functions can be implemented with separate software modules that each allow at least one function or operation to be performed. Software code can be implemented by a software application (or program) written in any appropriate programming language, and can be stored in the memory 160 and executed by the controller 180.
So far, the mobile terminal has been described in terms of its functions. Below, for the sake of brevity, a slide-type mobile terminal among the various types of mobile terminals, such as folder-type, bar-type, swing-type, and slide-type mobile terminals, will be described as an example. The present invention can therefore be applied to any type of mobile terminal and is not limited to slide-type mobile terminals.
The mobile terminal 100 shown in Fig. 1 can be constructed to operate with wired and wireless communication systems, as well as satellite-based communication systems, that transmit data via frames or packets.
Based on the above mobile terminal hardware structure, the embodiments of the mobile terminal and method of the present invention are proposed.
Thinking of the invention is by way of software and hardware is combined, to set multiple storage regions and multiple safety Grade.Specifically, three kinds of environment, including REE (common secure execution environments), TEE (credible execution ring are designed in the present invention Border), hardware encryption chip (SE).In every kind of performing environment, increase certain controlling mechanism, so that the utilization rate of storage region It is maximum optimal, it is ensured that secure data is effectively stored, solve the problems, such as that hardware memory space is not enough.Data of the invention are pacified below Full storage device describes in detail, as shown in Fig. 2 specifically including as follows:
Dispensing unit 31, the attribute information for configuring secure data;Wherein, attribute information includes safe class and life The life cycle;
First determining unit 32, for when being stored to secure data, being determined according to size of data and safe class Secure data is stored in credible performing environment TEE or hardware encryption chip;
Second determining unit 33, for determining for secure data to be stored in credible execution according to safe class and life cycle The solid-state storage region of environment/hardware encryption chip or dynamic storage zone.
Data safety storage device proposed by the invention, by way of software and hardware is combined, effectively improve hardware The storage efficiency of encryption safe mobile phone, the degree that maximum is carried out to limited hardware memory space is used, so that realize will be limited Memory space be applied to " unlimited " safety applications and get on, the storage safety of data is effectively ensured.
Technical scheme is described in detail with reference to specific embodiment.
The configuration unit 31 configures the attribute information of the secure data, where the attribute information includes a security level and a life cycle.
All attribute information of the secure data is configured in the common secure execution environment REE. Specifically, as shown in Fig. 3, the REE includes a storage authorization unit, a stored-data generation unit, a security level generation unit and a life cycle generation unit, where:
The storage authorization unit sets which applications or data on the mobile terminal may be stored securely; for example, the QQ application may be stored securely, or fingerprint data may be stored securely. The specific data to be encrypted is extracted by the name of the application or data configured as authorized for secure storage.
The stored-data generation unit extracts the data that needs to be stored securely, according to the application or data name authorized by the storage authorization unit.
The security level generation unit sets the security level of the secure data. The setting must comply with the mobile terminal's own rules, that is, the rules defined by the mobile terminal manufacturer. The level may of course also be set by the user, within the rules defined by the mobile terminal manufacturer. Optionally, the security levels include hardware highest level, hardware storage level, TEE highest level and TEE storage level. The storage level may itself be divided into multiple sub-levels.
The life cycle generation unit sets the life cycle of the secure data. There are two main kinds of life cycle: permanent and non-permanent. A non-permanent life cycle is, for example, a set storage time (such as 1 year) or a set number of uses (such as 5 times).
The first determining unit 32 determines, when the secure data is to be stored, whether the secure data is stored in the trusted execution environment TEE or in the hardware encryption chip, according to the data size and the security level.
The first determining unit 32 is located in the trusted execution environment TEE. After receiving the incoming secure data, it obtains the data size of the secure data and the corresponding configured attribute information.
When determining whether the secure data is stored in the trusted execution environment TEE or in the hardware encryption chip, the first determining unit 32 is specifically used to:
Compare the data size with the storage space of the hardware encryption chip;
When the data size is larger than the storage space, the hardware encryption chip does not have enough storage, and the secure data is stored directly in the trusted execution environment TEE;
When the data size is less than or equal to the storage space, the security level information is used to decide further whether the data is stored in the trusted execution environment TEE or in the hardware encryption chip.
As described above, the security level is either a TEE level or a hardware level. When the security level is determined to be a TEE level, the secure data is stored in the trusted execution environment TEE; when the security level is determined to be a hardware level, the secure data is stored in the hardware encryption chip.
Thus, the data size and the security level together determine exactly where the data is placed, ensuring reasonable use of the storage regions.
The second determining unit 33 determines, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment / hardware encryption chip.
As can be seen from Fig. 3, in the invention both the trusted execution environment and the hardware encryption chip are provided with a solid-state storage region and a dynamic storage region. After it has been determined whether the secure data is stored in the trusted execution environment or in the hardware encryption chip, it must further be decided whether the secure data is placed in the solid-state storage region or in the dynamic storage region.
Specifically, when deciding whether the secure data is placed in the solid-state storage region or in the dynamic storage region, the second determining unit 33 considers two factors together: the security level and the life cycle.
The security levels mentioned above include hardware highest level, hardware storage level, TEE highest level and TEE storage level; that is, within the trusted execution environment or the hardware encryption chip, secure data is distinguished as highest level or storage level. The life cycle is divided into permanent storage and non-permanent storage. Therefore, when deciding between the solid-state storage region and the dynamic storage region, the second determining unit 33 is specifically used as follows:
When the security level is the highest level, or the life cycle is permanent storage, the secure data is stored in the solid-state storage region;
When the security level is a storage level and the life cycle is non-permanent storage, the secure data is stored in the dynamic storage region.
In this embodiment, the conditions for the solid-state storage region take priority: when either one of the security level and life cycle conditions is met, the secure data is stored directly in the solid-state storage region, ensuring the security of the data. When neither condition is met, the data does not require a highly secure storage environment, and the secure data is stored in the dynamic storage region.
Optionally, in one embodiment, a dynamic management unit is provided in the trusted execution environment / hardware encryption chip, for:
Monitoring in real time the secure data in the dynamic storage region of the trusted execution environment / hardware encryption chip;
Performing dynamic storage management on the secure data when the secure data meets a preset data usage rule or when an operation instruction for the secure data is received.
By providing a dynamic management unit in the trusted execution environment / hardware encryption chip, the data in the dynamic storage region can be effectively consolidated according to preset usage rules. For example, the security level of secure data whose usage frequency is low or gradually decreasing is periodically reduced; or, on receiving a request sent by the mobile terminal to change the security attributes of the corresponding data, the data can be downgraded or deleted according to the attribute change request. Thus, by monitoring and processing the dynamic storage region, the invention ensures the space utilization of the trusted execution environment and the hardware encryption chip, so that the hardware storage space is used effectively.
An embodiment of the invention provides a secure data storage method which, as shown in Fig. 4, specifically includes the following steps:
Step 501: configure the attribute information of the secure data, where the attribute information includes a security level and a life cycle.
All attribute information of the secure data is configured in the common secure execution environment REE. Specifically:
Set which applications or data on the mobile terminal may be stored securely; for example, the QQ application may be stored securely, or fingerprint data may be stored securely. The specific data to be encrypted is extracted by the name of the application or data configured as authorized for secure storage.
Extract the data that needs to be stored securely according to the authorized application or data name.
Set the security level of the secure data. The setting must comply with the mobile terminal's own rules, that is, the rules defined by the mobile terminal manufacturer. The level may of course also be set by the user, within the rules defined by the mobile terminal manufacturer. Optionally, the security levels include hardware highest level, hardware storage level, TEE highest level and TEE storage level.
Set the life cycle of the secure data. There are two main kinds of life cycle: permanent and non-permanent. A non-permanent life cycle is, for example, a set storage time (such as 1 year) or a set number of uses (such as 5 times).
Step 502: when the secure data is to be stored, determine according to the data size and the security level whether the secure data is stored in the trusted execution environment TEE or in the hardware encryption chip.
After the TEE receives the secure data passed in from the REE, it obtains the data size of the secure data and the corresponding configured attribute information.
Determining whether the secure data is stored in the trusted execution environment TEE or in the hardware encryption chip specifically includes:
Comparing the data size with the storage space of the hardware encryption chip;
When the data size is larger than the storage space, the hardware encryption chip does not have enough storage, and the secure data is stored directly in the trusted execution environment TEE;
When the data size is less than or equal to the storage space, the security level information is used to decide further whether the data is stored in the trusted execution environment TEE or in the hardware encryption chip.
As described above, the security level is either a TEE level or a hardware level. When the security level is determined to be a TEE level, the secure data is stored in the trusted execution environment TEE; when the security level is determined to be a hardware level, the secure data is stored in the hardware encryption chip. Thus, the data size and the security level together determine exactly where the data is placed, ensuring reasonable use of the storage regions.
Step 503: determine, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment / hardware encryption chip.
After it has been determined whether the secure data is stored in the trusted execution environment or in the hardware encryption chip, it must further be decided whether the secure data is placed in the solid-state storage region or in the dynamic storage region.
Specifically, deciding whether the secure data is placed in the solid-state storage region or in the dynamic storage region considers two factors together, the security level and the life cycle, and specifically includes:
When the security level is the highest level, or the life cycle is permanent storage, the secure data is stored in the solid-state storage region;
When the security level is a storage level and the life cycle is non-permanent storage, the secure data is stored in the dynamic storage region.
In this embodiment, the conditions for the solid-state storage region take priority: when either one of the security level and life cycle conditions is met, the secure data is stored directly in the solid-state storage region, ensuring the security of the data. When neither condition is met, the data does not require a highly secure storage environment, and the secure data is stored in the dynamic storage region.
Optionally, in one embodiment, the method also includes:
Monitoring in real time the secure data in the dynamic storage region of the trusted execution environment / hardware encryption chip;
Performing dynamic storage management on the secure data when the secure data meets a preset data usage rule or when an operation instruction for the secure data is received.
There may be various preset data usage rules. For example, the security level of secure data whose usage frequency is low or gradually decreasing is periodically reduced; this mainly modifies the attributes of the data according to how the data is used. Or, on receiving a request sent by the mobile terminal to change the security attributes of the corresponding data, the data can be downgraded or deleted according to the attribute change request. Thus, by monitoring and processing the dynamic storage region, the invention ensures the space utilization of the trusted execution environment and the hardware encryption chip, so that the hardware storage space is used effectively.
A specific embodiment of the invention provides a secure data storage method which, as shown in Fig. 5, specifically includes:
Step 601: in the common secure execution environment REE of the mobile terminal, the user configures the fingerprint application as secure data, and the required fingerprint data is extracted according to the name required by the user;
Step 602: a security level and a safety period are set for the fingerprint data. Here, the security level is set to TEE highest level and the safety period to permanent storage;
Step 603: after the trusted execution environment TEE obtains the secure data and determines that the data size is smaller than the storage space of the hardware security chip, it further obtains the security level.
Step 604: the security level is TEE highest level with permanent storage, so the secure data is stored in the solid-state storage region of the trusted execution environment TEE.
Based on the above, the invention combines software and hardware and, by setting the security level and safety period of the fingerprint data, effectively improves the data storage efficiency of the mobile terminal and safeguards the limited SE memory space.
A specific embodiment of the invention provides a secure data storage method which, as shown in Fig. 6, specifically includes the following steps:
Step 701: in the common secure execution environment REE of the mobile terminal, the user configures the data of the QQ application as secure data, and the data included in the application is extracted according to the application name;
Step 702: a security level and a safety period are set for the QQ application data. Here, the security level is set to hardware storage level, level 3, and the safety period to 3 years. In this embodiment, the storage level has 3 levels, and level 3 is the highest of the storage levels.
Step 703: after the trusted execution environment TEE obtains the secure data and determines that the data size is smaller than the storage space of the hardware security chip, it further obtains the security level.
Step 704: the security level is hardware storage level and the safety period is non-permanent, so the secure data is stored in the dynamic storage region of the hardware encryption chip.
Step 705: the usage of the QQ application data in the dynamic storage region of the hardware encryption chip is monitored; when the usage frequency of the QQ application data is once every half year, the hardware storage level is reduced to level 2.
Step 706: when it is detected that the user has set the QQ application as non-secure data, the QQ application data is deleted from the dynamic storage region of the hardware encryption chip.
Based on the above, the secure data storage method provided by the embodiments of the invention effectively improves the storage efficiency of a hardware-encrypted secure mobile phone and makes maximum use of the limited hardware storage space, so that limited storage space can serve "unlimited" security applications while the storage security of the data is effectively ensured.
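The placement rules of steps 502 and 503 and the demotion of step 705, written out as an added C example (not code from the patent; every type and function name, the byte sizes and the usage threshold are assumptions made for illustration). It also flags the case the size rule implies: hardware-level data larger than the chip's storage space is placed in the TEE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* All identifiers here are illustrative assumptions; the patent defines no API. */
typedef enum { ENV_TEE, ENV_SE } env_t;              /* SE = hardware encryption chip */
typedef enum { TIER_HIGHEST, TIER_STORAGE } tier_t;  /* "highest level" vs "storage level" */
typedef enum { LIFE_PERMANENT, LIFE_NON_PERMANENT } life_t;
typedef enum { REGION_SOLID_STATE, REGION_DYNAMIC } region_t;

typedef struct {
    env_t  level_env;  /* TEE level or hardware level, as configured in the REE */
    tier_t tier;
    int    rank;       /* sub-level inside the storage tier (3 = top in the QQ embodiment) */
    life_t life;
} attrs_t;

typedef struct {
    env_t    env;
    region_t region;
    bool     capacity_fallback;  /* hardware-level data that did not fit in the SE */
} placement_t;

/* Steps 502 and 503: choose the environment, then the region inside it. */
placement_t place(size_t data_size, size_t se_space, attrs_t a)
{
    placement_t p;

    if (data_size > se_space) {
        /* Too large for the chip: stored in the TEE whatever the level says. */
        p.env = ENV_TEE;
        p.capacity_fallback = (a.level_env == ENV_SE);
    } else {
        /* Fits (size <= space): the configured level decides. */
        p.env = a.level_env;
        p.capacity_fallback = false;
    }

    /* Either condition alone is enough for the solid-state region. */
    if (a.tier == TIER_HIGHEST || a.life == LIFE_PERMANENT)
        p.region = REGION_SOLID_STATE;
    else
        p.region = REGION_DYNAMIC;
    return p;
}

/* Step 705: lower the storage rank of rarely used data in the dynamic region.
 * min_uses stands in for a "preset data usage rule"; the floor of 1 is an assumption. */
bool demote_if_idle(attrs_t *a, region_t region, unsigned uses, unsigned min_uses)
{
    if (region != REGION_DYNAMIC || a->tier != TIER_STORAGE)
        return false;
    if (uses >= min_uses || a->rank <= 1)
        return false;
    a->rank -= 1;
    return true;
}

static const char *env_name(env_t e) { return e == ENV_TEE ? "TEE" : "SE"; }
static const char *region_name(region_t r)
{
    return r == REGION_SOLID_STATE ? "solid-state" : "dynamic";
}

int main(void)
{
    const size_t se_space = 4096;  /* constructed size in bytes; the patent gives none */
    attrs_t fingerprint = { ENV_TEE, TIER_HIGHEST, 0, LIFE_PERMANENT };      /* steps 601-604 */
    attrs_t qq          = { ENV_SE,  TIER_STORAGE, 3, LIFE_NON_PERMANENT };  /* steps 701-705 */
    attrs_t big_key     = { ENV_SE,  TIER_HIGHEST, 0, LIFE_PERMANENT };      /* constructed */

    placement_t p = place(512, se_space, fingerprint);
    printf("fingerprint -> %s / %s\n", env_name(p.env), region_name(p.region));

    p = place(1024, se_space, qq);
    printf("QQ data     -> %s / %s\n", env_name(p.env), region_name(p.region));
    if (demote_if_idle(&qq, p.region, 1, 2))  /* used once in the window, threshold 2 */
        printf("QQ data     -> storage rank lowered to %d\n", qq.rank);

    p = place(8192, se_space, big_key);
    printf("large key   -> %s / %s%s\n", env_name(p.env), region_name(p.region),
           p.capacity_fallback ? " (hardware level requested, did not fit)" : "");
    return 0;
}
```

The `capacity_fallback` flag is the point to log or alert on: it marks data configured for the hardware chip that ended up in the TEE only because of its size.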
It should be noted that, herein, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes that element.
The embodiments of the invention above are for description only and do not represent the relative merits of the embodiments.
From the description of the embodiments above, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, etc.) to perform the methods of the embodiments of the invention.
The above are only preferred embodiments of the invention and do not thereby limit the scope of its claims. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the invention.

Claims (10)

1. A secure data storage device, characterized by comprising:
A configuration unit, for configuring attribute information of secure data, wherein the attribute information includes a security level and a life cycle;
A first determining unit, for determining, when the secure data is stored, according to the data size and the security level, that the secure data is stored in the trusted execution environment TEE or the hardware encryption chip;
A second determining unit, for determining, according to the security level and the life cycle, that the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment / hardware encryption chip.
2. The device as claimed in claim 1, characterized in that the configuration unit is specifically used for:
Obtaining the set application or data name;
Extracting the secure data to be stored according to the application or data name;
Setting the security level and life cycle required for the secure data.
3. The device as claimed in claim 1, characterized in that the first determining unit is specifically used for:
Comparing the data size with the storage space of the hardware encryption chip;
When the data size is larger than the storage space, storing the secure data in the trusted execution environment TEE;
When the data size is less than or equal to the storage space, judging whether the security level is a TEE level and, when it is judged to be a TEE level, storing the secure data in the trusted execution environment TEE, otherwise storing the secure data in the hardware encryption chip.
4. The device as claimed in claim 1, characterized in that the security level includes hardware highest level, hardware storage level, TEE highest level and TEE storage level; the life cycle is divided into permanent storage and non-permanent storage;
The second determining unit is specifically used for:
When the security level is the highest level, or the life cycle is permanent storage, storing the secure data in the solid-state storage region;
When the security level is a storage level and the life cycle is non-permanent storage, storing the secure data in the dynamic storage region.
5. The device as claimed in claim 1, characterized in that the dynamic management unit is used for:
Monitoring in real time the secure data in the dynamic storage region of the trusted execution environment / hardware encryption chip;
When the secure data meets a preset data usage rule or an operation instruction for the secure data is received, performing dynamic storage management on the secure data.
6. A secure data storage method, characterized by comprising:
Configuring attribute information of secure data, wherein the attribute information includes a security level and a life cycle;
When the secure data is stored, determining, according to the data size and the security level, that the secure data is stored in the trusted execution environment TEE or the hardware encryption chip;
Determining, according to the security level and the life cycle, that the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment / hardware encryption chip.
7. The method as claimed in claim 6, characterized in that configuring the attribute information of the secure data specifically includes:
Obtaining the set application or data name;
Extracting the secure data to be stored according to the application or data name;
Setting the security level and life cycle required for the secure data.
8. The method as claimed in claim 6, characterized in that determining, according to the data size and the security level, that the secure data is stored in the trusted execution environment TEE or the hardware encryption chip includes:
Comparing the data size with the storage space of the hardware encryption chip;
When the data size is larger than the storage space, storing the secure data in the trusted execution environment TEE;
When the data size is less than or equal to the storage space, judging whether the security level is a TEE level and, when it is judged to be a TEE level, storing the secure data in the trusted execution environment TEE, otherwise storing the secure data in the hardware encryption chip.
9. The method as claimed in claim 6, characterized in that the security level includes hardware highest level, hardware storage level, TEE highest level and TEE storage level; the life cycle is divided into permanent storage and non-permanent storage;
Determining, according to the security level and the life cycle, that the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment / hardware encryption chip specifically includes:
When the security level is the highest level, or the life cycle is permanent storage, storing the secure data in the solid-state storage region;
When the security level is a storage level and the life cycle is non-permanent storage, storing the secure data in the dynamic storage region.
10. The method as claimed in claim 6, characterized in that the method also includes:
Monitoring in real time the secure data in the dynamic storage region of the trusted execution environment / hardware encryption chip;
When the secure data meets a preset data usage rule or an operation instruction for the secure data is received, performing dynamic storage management on the secure data.
CN201710106872.XA 2017-02-27 2017-02-27 A kind of secure storage method of data and device Pending CN106909851A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710106872.XA CN106909851A (en) 2017-02-27 2017-02-27 A kind of secure storage method of data and device

Publications (1)

Publication Number Publication Date
CN106909851A true CN106909851A (en) 2017-06-30

Family

ID=59207912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710106872.XA Pending CN106909851A (en) 2017-02-27 2017-02-27 A kind of secure storage method of data and device

Country Status (1)

Country Link
CN (1) CN106909851A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170630
RJ01 Rejection of invention patent application after publication