CN106909851A - A kind of secure storage method of data and device - Google Patents
A kind of secure storage method of data and device
Publication number: CN106909851A (application CN201710106872.XA)
Authority: CN (China)
Prior art keywords: data, secure data, stored, storage, safe class
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS; G06—COMPUTING, CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  - G06F21/60—Protecting data; G06F21/602—Providing cryptographic facilities or services
  - G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer; G06F21/78—the same, to assure secure storage of data
Abstract
The present invention provides a data secure storage method and device. The device includes: a configuration unit for configuring attribute information of the secure data, where the attribute information includes a security level and a life cycle; a first determining unit for, when the secure data is to be stored, determining according to the data size and the security level whether the secure data is stored in the trusted execution environment (TEE) or in the hardware encryption chip; and a second determining unit for determining, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment or hardware encryption chip. By combining software and hardware, the invention effectively improves the storage efficiency of a hardware-encrypted secure mobile phone and makes maximal use of the limited hardware storage space, so that the limited storage space can serve an "unlimited" number of secure applications while the storage security of the data is effectively guaranteed.
Description
Technical field
The present invention relates to the field of electronic technology, and in particular to a data secure storage method and device.
Background technology
The security of information on mobile terminals is increasingly a strong user demand, and the mobile terminal industry has responded with a variety of security solutions, including software, hardware, and combined software and hardware solutions, which protect the data security of mobile terminals to a certain degree.
The SE (secure element) security chips in mainstream use today are applied mainly to NFC card emulation, such as transit cards, bank cards and access-control cards. Because they serve the payment field, the security level of an SE is very high, and bringing a hardware encryption chip of such a high security level into mobile terminal security applications is a very good choice. However, precisely because the security level is high, the associated security requirements limit how far its storage space can be extended. If the problem of insufficient hardware storage space in SE security chips could be solved, SEs would certainly be widely used in the mobile terminal field and would guarantee the data security of mobile terminals.
The content of the invention
The main object of the present invention is to propose a data secure storage method and device, intended to solve the prior-art problem of insufficient hardware storage space in SE security chips.
To achieve the above object, the present invention adopts the following technical solutions:
According to one aspect of the present invention, a data secure storage device is provided, including:
a configuration unit for configuring attribute information of the secure data, where the attribute information includes a security level and a life cycle;
a first determining unit for, when the secure data is to be stored, determining according to the data size and the security level whether the secure data is stored in the trusted execution environment (TEE) or in the hardware encryption chip; and
a second determining unit for determining, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment or hardware encryption chip.
Optionally, the configuration unit is specifically configured to: obtain the application or data name that has been set; extract the secure data to be stored according to the application or data name; and set the security level and life cycle required for the secure data.
Optionally, the first determining unit is specifically configured to: compare the data size with the storage space of the hardware encryption chip; when the data size is larger than the storage space, store the secure data in the trusted execution environment (TEE); and when the data size is less than or equal to the storage space, judge whether the security level is a TEE level, store the secure data in the TEE if it is, and otherwise store the secure data in the hardware encryption chip.
Optionally, the security level includes hardware highest, hardware storage level, TEE highest and TEE storage level, and the life cycle is divided into permanent storage and non-permanent storage. The second determining unit is specifically configured to: when the security level is a highest level or the life cycle is permanent storage, store the secure data in the solid-state storage region; and when the security level is a storage level and the life cycle is non-permanent storage, store the secure data in the dynamic storage region.
Optionally, the device further includes a dynamic management unit for: monitoring in real time the secure data in the dynamic storage region of the trusted execution environment or hardware encryption chip; and performing dynamic storage management on the secure data when the secure data meets a preset data usage rule or an operation instruction for the secure data is received.
According to another aspect of the present invention, a data secure storage method is provided, including:
configuring attribute information of the secure data, where the attribute information includes a security level and a life cycle;
when the secure data is to be stored, determining according to the data size and the security level whether the secure data is stored in the trusted execution environment (TEE) or in the hardware encryption chip; and
determining, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment or hardware encryption chip.
Optionally, configuring the attribute information of the secure data specifically includes: obtaining the application or data name that has been set; extracting the secure data to be stored according to the application or data name; and setting the security level and life cycle required for the secure data.
Optionally, determining according to the data size and the security level whether the secure data is stored in the trusted execution environment (TEE) or in the hardware encryption chip specifically includes: comparing the data size with the storage space of the hardware encryption chip; when the data size is larger than the storage space, storing the secure data in the TEE; and when the data size is less than or equal to the storage space, judging whether the security level is a TEE level, storing the secure data in the TEE if it is, and otherwise storing the secure data in the hardware encryption chip.
Optionally, the security level includes hardware highest, hardware storage level, TEE highest and TEE storage level, and the life cycle is divided into permanent storage and non-permanent storage. Determining according to the security level and the life cycle whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment or hardware encryption chip specifically includes: when the security level is a highest level or the life cycle is permanent storage, storing the secure data in the solid-state storage region; and when the security level is a storage level and the life cycle is non-permanent storage, storing the secure data in the dynamic storage region.
Optionally, the method further includes: monitoring in real time the secure data in the dynamic storage region of the trusted execution environment or hardware encryption chip; and performing dynamic storage management on the secure data when the secure data meets a preset data usage rule or an operation instruction for the secure data is received.
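The two determining steps of the device and method just summarized, modelled as a small placement policy. This is an added illustration, not code from the patent: the level and lifecycle names, the `SecureData` and `Placement` types and the `se_free_bytes` argument are assumptions made for the example, since the page defines the rules but no API. The example also makes one consequence of the first step explicit: hardware-level data that does not fit in the chip is stored in the TEE, and the result reports that as a downgrade.

```python
"""Placement policy for secure data: TEE or SE, then solid-state or dynamic region.

All names and types here are assumptions for the example; the patent text
defines the decision rules, not an interface.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class SecurityLevel(Enum):
    HW_HIGHEST = "hardware highest"
    HW_STORAGE = "hardware storage level"
    TEE_HIGHEST = "TEE highest"
    TEE_STORAGE = "TEE storage level"

    @property
    def is_tee(self) -> bool:
        """TEE levels are stored in the TEE; hardware levels in the chip."""
        return self in (SecurityLevel.TEE_HIGHEST, SecurityLevel.TEE_STORAGE)

    @property
    def is_highest(self) -> bool:
        """Highest levels are pinned to the solid-state region."""
        return self in (SecurityLevel.HW_HIGHEST, SecurityLevel.TEE_HIGHEST)


class Lifecycle(Enum):
    PERMANENT = "permanent"
    NON_PERMANENT = "non-permanent"


@dataclass(frozen=True)
class SecureData:
    name: str
    payload: bytes
    level: SecurityLevel
    lifecycle: Lifecycle


@dataclass(frozen=True)
class Placement:
    environment: str   # "TEE" or "SE"
    region: str        # "solid-state" or "dynamic"
    downgraded: bool   # hardware-level data that did not fit the chip


def choose_environment(data: SecureData, se_free_bytes: int) -> Tuple[str, bool]:
    """First determining step: data size first, then security level."""
    if len(data.payload) > se_free_bytes:
        # Chip space is insufficient: stored directly in the TEE whatever the level.
        return "TEE", not data.level.is_tee
    if data.level.is_tee:
        return "TEE", False
    return "SE", False


def choose_region(data: SecureData) -> str:
    """Second determining step: security level and life cycle."""
    if data.level.is_highest or data.lifecycle is Lifecycle.PERMANENT:
        return "solid-state"
    return "dynamic"


def place(data: SecureData, se_free_bytes: int) -> Placement:
    """Run both steps and report where the data goes."""
    environment, downgraded = choose_environment(data, se_free_bytes)
    return Placement(environment, choose_region(data), downgraded)


if __name__ == "__main__":
    # Constructed sample inputs: an 8 KiB chip and three data items.
    se_free = 8 * 1024
    samples = (
        SecureData("fingerprint-template", b"\x00" * 4096, SecurityLevel.HW_HIGHEST, Lifecycle.PERMANENT),
        SecureData("session-token", b"\x00" * 64, SecurityLevel.HW_STORAGE, Lifecycle.NON_PERMANENT),
        SecureData("large-blob", b"\x00" * (1024 * 1024), SecurityLevel.HW_HIGHEST, Lifecycle.PERMANENT),
    )
    for item in samples:
        print(item.name, place(item, se_free))
```

The first step compares only the data size with the chip's space, so an item classified at a hardware level that does not fit still ends up in the TEE; `Placement.downgraded` exists so that the caller can refuse or record such a placement instead of having the configured level relaxed silently.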
The data secure storage method and device proposed by the invention combine software and hardware to set up multiple storage regions and multiple security levels, effectively improving the storage efficiency of a hardware-encrypted secure mobile phone and making maximal use of the limited hardware storage space, so that the limited storage space can serve an "unlimited" number of secure applications while the storage security of the data is effectively guaranteed. Using the present invention, the storage space of a high-security-level hardware encryption chip can be used fully, and the range of encryption applications can be extended further according to actual conditions, which is of considerable significance for practical products.
Brief description of the drawings
Fig. 1 is a hardware structure diagram of a mobile terminal that implements the embodiments of the present invention;
Fig. 2 is a structural block diagram of the data secure storage device in an embodiment of the present invention;
Fig. 3 is a structural block diagram of the data secure storage device in a specific embodiment of the present invention;
Fig. 4 is a flow chart of the data secure storage method in an embodiment of the present invention;
Fig. 5 is a flow chart of the data secure storage method in a specific embodiment of the present invention;
Fig. 6 is a flow chart of the data secure storage method in a specific embodiment of the present invention.
The realization of the object, functional features and advantages of the present invention will be further described with reference to the drawings in conjunction with the embodiments.
Specific embodiment
It should be understood that the specific embodiments described herein are only intended to illustrate the present invention and are not intended to limit it.
The mobile terminals of the embodiments of the present invention will now be described with reference to the drawings. In the following description, suffixes such as "module", "part" or "unit" used to denote elements are given only to aid the description of the invention and have no specific meaning in themselves; "module" and "part" may therefore be used interchangeably.
Mobile terminals may be implemented in various forms. For example, the terminals described in the present invention may include mobile terminals such as mobile phones, smart phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable media players) and navigation devices, as well as fixed terminals such as digital TVs and desktop computers. In the following it is assumed that the terminal is a mobile terminal. However, those skilled in the art will understand that, apart from elements used specifically for mobile purposes, the construction according to the embodiments of the present invention can also be applied to fixed-type terminals.
Fig. 1 is a hardware structure diagram of a mobile terminal that implements the embodiments of the present invention.
The mobile terminal 100 may include a wireless communication unit 110, an A/V input unit 120, a user input unit 130, a sensing unit 140, an output unit 150, a memory 160, an interface unit 170, a controller 180 and a power supply unit 190. Fig. 1 shows a mobile terminal with various components, but it should be understood that not all of the shown components are required; more or fewer components may alternatively be implemented. The elements of the mobile terminal are described in detail below.
The wireless communication unit 110 generally includes one or more components that allow radio communication between the mobile terminal 100 and a wireless communication system or network. For example, the wireless communication unit may include at least one of a broadcast receiving module 111, a mobile communication module 112, a wireless Internet module 113, a short-range communication module 114 and a location information module 115.
The broadcast receiving module 111 receives broadcast signals and/or broadcast-related information from an external broadcast management server via a broadcast channel. The broadcast channel may include a satellite channel and/or a terrestrial channel. The broadcast management server may be a server that generates and transmits broadcast signals and/or broadcast-related information, or a server that receives previously generated broadcast signals and/or broadcast-related information and transmits them to the terminal. The broadcast signals may include TV broadcast signals, radio broadcast signals, data broadcast signals and the like, and may further include broadcast signals combined with TV or radio broadcast signals. The broadcast-related information may also be provided via a mobile communication network, in which case it may be received by the mobile communication module 112. The broadcast signals may exist in various forms, for example in the form of an electronic program guide (EPG) of digital multimedia broadcasting (DMB) or an electronic service guide (ESG) of digital video broadcast-handheld (DVB-H). The broadcast receiving module 111 may receive signal broadcasts using various types of broadcast systems; in particular, it may receive digital broadcasts using digital broadcasting systems such as digital multimedia broadcasting-terrestrial (DMB-T), digital multimedia broadcasting-satellite (DMB-S), digital video broadcast-handheld (DVB-H), the data broadcasting system known as media forward link only (MediaFLO) and integrated services digital broadcasting-terrestrial (ISDB-T). The broadcast receiving module 111 may be configured to be suitable for the various broadcast systems that provide broadcast signals as well as the above digital broadcasting systems. The broadcast signals and/or broadcast-related information received via the broadcast receiving module 111 may be stored in the memory 160 (or another type of storage medium).
The mobile communication module 112 transmits radio signals to and/or receives radio signals from at least one of a base station (for example an access point or Node B), an external terminal and a server. Such radio signals may include voice call signals, video call signals or various types of data transmitted and/or received according to text and/or multimedia messages.
The wireless Internet module 113 supports wireless Internet access of the mobile terminal. The module may be internally or externally coupled to the terminal. The wireless Internet access technology involved may include WLAN (Wi-Fi), WiBro (wireless broadband), WiMAX (worldwide interoperability for microwave access), HSDPA (high-speed downlink packet access) and the like.
The short-range communication module 114 is a module for supporting short-range communication. Examples of short-range communication technology include Bluetooth™, radio frequency identification (RFID), Infrared Data Association (IrDA), ultra-wideband (UWB), ZigBee™ and the like.
The location information module 115 is a module for checking or obtaining the location information of the mobile terminal. A typical example of the location information module is GPS (global positioning system). According to current technology, the GPS module 115 calculates distance information and accurate time information from three or more satellites and applies triangulation to the calculated information so as to accurately calculate three-dimensional current location information according to longitude, latitude and altitude. Currently, the method for calculating location and time information uses three satellites and corrects the errors of the calculated location and time information using another satellite. In addition, the GPS module 115 can calculate speed information by continuously calculating current location information in real time.
The A/V input unit 120 is used to receive audio or video signals. The A/V input unit 120 may include a camera 121 and a microphone 122. The camera 121 processes image data of still pictures or video obtained by an image capture device in a video capture mode or an image capture mode. The processed image frames may be displayed on the display unit 151. The image frames processed by the camera 121 may be stored in the memory 160 (or another storage medium) or transmitted via the wireless communication unit 110; two or more cameras 121 may be provided depending on the construction of the mobile terminal. The microphone 122 receives sound (audio data) via a microphone in an operating mode such as a phone call mode, a recording mode or a voice recognition mode, and can process such sound into audio data. In the phone call mode, the processed audio (voice) data may be converted into a format that can be transmitted to a mobile communication base station via the mobile communication module 112 for output. The microphone 122 may implement various types of noise cancellation (or suppression) algorithms to cancel (or suppress) noise or interference generated while receiving and transmitting audio signals.
The user input unit 130 may generate key input data according to commands input by the user to control various operations of the mobile terminal. The user input unit 130 allows the user to input various types of information and may include a keyboard, a dome switch, a touch pad (for example, a touch-sensitive component that detects changes in resistance, pressure, capacitance and the like caused by being touched), a jog wheel, a jog switch and the like. In particular, when the touch pad is superimposed on the display unit 151 in the form of a layer, a touch screen may be formed.
The sensing unit 140 detects the current state of the mobile terminal 100 (for example, whether the mobile terminal 100 is open or closed), the location of the mobile terminal 100, the presence or absence of user contact (that is, touch input) with the mobile terminal 100, the orientation of the mobile terminal 100, the acceleration or deceleration movement and direction of the mobile terminal 100 and so on, and generates commands or signals for controlling the operation of the mobile terminal 100. For example, when the mobile terminal 100 is implemented as a slide-type mobile phone, the sensing unit 140 may sense whether the slide phone is open or closed. In addition, the sensing unit 140 can detect whether the power supply unit 190 supplies power or whether the interface unit 170 is coupled to an external device.
The interface unit 170 serves as an interface through which at least one external device can be connected to the mobile terminal 100. For example, the external devices may include a wired or wireless headset port, an external power supply (or battery charger) port, a wired or wireless data port, a memory card port, a port for connecting a device having an identification module, an audio input/output (I/O) port, a video I/O port, an earphone port and the like. The identification module may store various information for authenticating the user's use of the mobile terminal 100 and may include a user identity module (UIM), a subscriber identity module (SIM), a universal subscriber identity module (USIM) and the like. In addition, the device having the identification module (hereinafter the "identification device") may take the form of a smart card; the identification device can therefore be connected to the mobile terminal 100 via a port or other connection means. The interface unit 170 can be used to receive input (for example, data, electric power and so on) from an external device and transfer the received input to one or more elements within the mobile terminal 100, or can be used to transfer data between the mobile terminal and the external device.
In addition, when the mobile terminal 100 is connected to an external cradle, the interface unit 170 may serve as a path through which power is supplied from the cradle to the mobile terminal 100, or as a path through which various command signals input from the cradle are transferred to the mobile terminal. The various command signals or power input from the cradle may serve as signals for recognizing whether the mobile terminal is correctly mounted on the cradle. The output unit 150 is configured to provide output signals in a visual, audible and/or tactile manner (for example, audio signals, video signals, alarm signals, vibration signals and so on). The output unit 150 may include a display unit 151, an audio output module 152, an alarm unit 153 and the like.
The display unit 151 may display information processed in the mobile terminal 100. For example, when the mobile terminal 100 is in a phone call mode, the display unit 151 may display a user interface (UI) or graphical user interface (GUI) related to the call or other communication (for example, text messaging, multimedia file download and so on). When the mobile terminal 100 is in a video call mode or an image capture mode, the display unit 151 may display captured and/or received images, a UI or GUI showing the video or images and related functions, and so on.
Meanwhile, when the display unit 151 and the touch pad are superimposed on each other in the form of a layer to form a touch screen, the display unit 151 may serve as both an input device and an output device. The display unit 151 may include at least one of a liquid crystal display (LCD), a thin film transistor LCD (TFT-LCD), an organic light-emitting diode (OLED) display, a flexible display, a three-dimensional (3D) display and the like. Some of these displays may be configured to be transparent so as to allow the user to view from the outside; this may be called a transparent display, a typical example being a TOLED (transparent organic light-emitting diode) display. Depending on the particular desired implementation, the mobile terminal 100 may include two or more display units (or other display devices); for example, the mobile terminal may include an external display unit (not shown) and an internal display unit (not shown). The touch screen can be used to detect touch input pressure as well as touch input position and touch input area.
The audio output module 152 may convert audio data received by the wireless communication unit 110 or stored in the memory 160 into an audio signal and output it as sound when the mobile terminal is in a call signal receiving mode, a call mode, a recording mode, a voice recognition mode, a broadcast receiving mode or the like. Moreover, the audio output module 152 may provide audio output related to a specific function performed by the mobile terminal 100 (for example, a call signal receiving sound, a message receiving sound and so on). The audio output module 152 may include a speaker, a buzzer and the like.
The alarm unit 153 may provide output to notify the mobile terminal 100 of the occurrence of an event. Typical events may include call reception, message reception, key signal input, touch input and so on. In addition to audio or video output, the alarm unit 153 may provide output in different ways to notify of the occurrence of an event. For example, the alarm unit 153 may provide output in the form of vibration; when a call, a message or some other incoming communication is received, the alarm unit 153 may provide tactile output (that is, vibration) to notify the user. By providing such tactile output, the user can recognize the occurrence of various events even when the user's mobile phone is in the user's pocket. The alarm unit 153 may also provide output notifying of the occurrence of an event via the display unit 151 or the audio output module 152.
The memory 160 may store software programs for processing and control operations performed by the controller 180 and the like, or may temporarily store data that has been output or is to be output (for example, a phone book, messages, still images, video and so on). Moreover, the memory 160 may store data on the vibrations and audio signals of various patterns output when a touch is applied to the touch screen.
The memory 160 may include at least one type of storage medium, including flash memory, a hard disk, a multimedia card, a card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disk and the like. Moreover, the mobile terminal 100 may cooperate with a network storage device that performs the storage function of the memory 160 over a network connection.
The controller 180 generally controls the overall operation of the mobile terminal. For example, the controller 180 performs control and processing related to voice calls, data communication, video calls and the like. In addition, the controller 180 may include a multimedia module 181 for reproducing (or playing back) multimedia data; the multimedia module 181 may be constructed within the controller 180 or may be constructed separately from the controller 180. The controller 180 may perform pattern recognition processing to recognize handwriting input or drawing input performed on the touch screen as characters or images.
The power supply unit 190 receives external power or internal power under the control of the controller 180 and supplies the appropriate power required to operate the respective elements and components.
The various embodiments described herein may be implemented using a computer-readable medium such as computer software, hardware or any combination thereof. For a hardware implementation, the embodiments described herein may be implemented using at least one of application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors and electronic units designed to perform the functions described herein; in some cases such embodiments may be implemented in the controller 180. For a software implementation, embodiments such as procedures or functions may be implemented with separate software modules that allow at least one function or operation to be performed. The software code may be implemented by a software application (or program) written in any suitable programming language, and may be stored in the memory 160 and executed by the controller 180.
So far, the mobile terminal has been described in terms of its functions. Below, for brevity, a slide-type mobile terminal is taken as the example among the various types of mobile terminals such as folder-type, bar-type, swing-type and slide-type mobile terminals. The present invention can nevertheless be applied to any type of mobile terminal and is not limited to slide-type mobile terminals.
The mobile terminal 100 shown in Fig. 1 may be configured to operate with communication systems that transmit data via frames or packets, including wired and wireless communication systems and satellite-based communication systems.
Based on the above mobile terminal hardware structure, the embodiments of the mobile terminal and method of the present invention are proposed.
The idea of the invention is to combine software and hardware to set up multiple storage regions and multiple security levels. Specifically, the invention designs three environments: the REE (the ordinary, or rich, execution environment), the TEE (trusted execution environment) and the hardware encryption chip (SE). In each execution environment a control mechanism is added so that the utilization of the storage region is optimal, secure data is stored effectively, and the problem of insufficient hardware storage space is solved. The data secure storage device of the invention is described in detail below with reference to Fig. 2 and specifically includes:
a configuration unit 31 for configuring attribute information of the secure data, where the attribute information includes a security level and a life cycle;
a first determining unit 32 for, when the secure data is to be stored, determining according to the data size and the security level whether the secure data is stored in the trusted execution environment (TEE) or in the hardware encryption chip; and
a second determining unit 33 for determining, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment or hardware encryption chip.
By combining software and hardware, the data secure storage device proposed by the invention effectively improves the storage efficiency of a hardware-encrypted secure mobile phone and makes maximal use of the limited hardware storage space, so that the limited storage space can serve an "unlimited" number of secure applications while the storage security of the data is effectively guaranteed.
The technical solution is described in detail below with reference to specific embodiments.
The configuration unit 31 configures the attribute information of the secure data, where the attribute information includes the security level and the life cycle.
All attribute information of the secure data is configured in the ordinary execution environment REE. Specifically, as shown in Fig. 3, the REE includes a storage authorization unit, a stored-data generation unit, a security level generation unit and a life cycle generation unit, where:
the storage authorization unit is used to set, in the mobile terminal, which applications or data may be stored securely; for example, the QQ application or fingerprint data may be stored securely. The specific data to be encrypted is extracted by configuring the name of the application or data authorized for secure storage;
the stored-data generation unit extracts the data that needs to be stored securely according to the application or data name authorized by the storage authorization unit;
the security level generation unit sets the security level of the secure data. Here the setting must comply with the rules of the mobile terminal itself, that is, the rules defined by the mobile terminal manufacturer; the user may of course also set a level that complies with the rules defined by the manufacturer. Optionally, the security levels that can be set include hardware highest, hardware storage level, TEE highest and TEE storage level, and multiple sub-levels may also be set for the storage levels;
Life cycle generation unit, the life cycle for setting secure data.Here life cycle is broadly divided into two
Kind:One kind is permanent;Another kind is non-permanent, for example, set storage time (such as 1 year) or set using secondary
Number (such as 5 times).
First determining unit 32, configured to determine, when the secure data is to be stored, whether the secure data is stored in the trusted execution environment TEE or in the hardware encryption chip according to the data size and the security level.
The first determining unit 32 is located in the trusted execution environment TEE. After receiving the incoming secure data, it obtains the data size of the secure data and the configured attribute information.
When determining whether the secure data is stored in the trusted execution environment TEE or in the hardware encryption chip, the first determining unit 32 is specifically configured to:
compare the data size with the storage space of the hardware encryption chip;
when the data size is greater than the storage space, the storage space of the hardware encryption chip is insufficient, and the secure data is stored directly in the trusted execution environment TEE;
when the data size is less than or equal to the storage space, further determine from the security level information whether the data is stored in the trusted execution environment TEE or in the hardware encryption chip.
The security level information referred to above can be divided into two kinds, TEE level and hardware level. Therefore, when the security level is determined to be a TEE level, the secure data is stored in the trusted execution environment TEE; when it is determined to be a hardware level, the secure data is stored in the hardware encryption chip.
It can be seen that deciding the storage location of the data from its size and security level ensures reasonable use of the storage regions.
Second determining unit 33, configured to determine, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment/hardware encryption chip.
As shown in Fig. 3, in the invention both the trusted execution environment and the hardware encryption chip are provided with a solid-state storage region and a dynamic storage region. After it is determined that the secure data is stored in the trusted execution environment or the hardware encryption chip, it is further necessary to distinguish whether the secure data is placed in the solid-state storage region or the dynamic storage region.
Specifically, when judging whether the secure data is placed in the solid-state storage region or the dynamic storage region, the second determining unit 33 must decide by combining the two factors of security level and life cycle.
The security levels referred to above include hardware highest level, hardware storage level, TEE highest level and TEE storage level; that is, within the trusted execution environment or the hardware encryption chip, secure data is distinguished as highest level or storage level. The life cycle is divided into permanent storage and non-permanent storage. Therefore, when judging whether data is placed in the solid-state storage region or the dynamic storage region, the second determining unit 33 is specifically configured to:
when the security level is the highest level or the life cycle is permanent storage, store the secure data in the solid-state storage region;
when the security level is a storage level and the life cycle is non-permanent storage, store the secure data in the dynamic storage region.
It can be seen that in this embodiment the solid-state storage region is the preferred choice: when either the security level condition or the life cycle condition is met, the secure data is stored directly in the solid-state storage region, which ensures the security of the data. When neither condition is met, the data does not demand a highly secure storage environment, and the secure data is stored in the dynamic storage region.
Optionally, in an embodiment, a dynamic management unit is provided in the trusted execution environment/hardware encryption chip and is configured to:
monitor in real time the secure data in the dynamic storage region of the trusted execution environment/hardware encryption chip;
when the secure data meets a preset data usage rule, or an operation instruction for the secure data is received, perform dynamic storage management on the secure data.
Providing a dynamic management unit in the trusted execution environment/hardware encryption chip lets the data in the dynamic storage region be consolidated effectively according to preset usage rules. For example, the security level of secure data whose usage frequency is low, or gradually decreasing, can be lowered periodically; or, on receiving a data security attribute change request sent by the mobile terminal, the data can be downgraded or deleted according to that request. It can be seen that by monitoring the dynamic storage region the invention ensures the space utilization of the trusted execution environment and the hardware encryption chip, so that the hardware storage space is used effectively.
An embodiment of the invention provides a data secure storage method which, as shown in Fig. 4, specifically includes the following steps:
Step 501, configuring the attribute information of the secure data; the attribute information includes a security level and a life cycle.
All attribute information of the secure data is configured in the common execution environment REE. Specifically, the applications or data in the terminal that may be stored securely are set; for example, the QQ application or fingerprint data may be stored securely. Configuring the name of the application or data authorized for secure storage lets the specific data to be encrypted be extracted.
The data that needs to be stored securely is extracted according to the authorized application or data name.
The security level of the secure data is set. The setting must comply with the rules of the mobile terminal itself, that is, the rules laid down by the mobile terminal manufacturer; it may of course also be a user setting that complies with those manufacturer rules. Optionally, the security levels that can be set include hardware highest level, hardware storage level, TEE highest level and TEE storage level.
The life cycle of the secure data is set. The life cycle is broadly of two kinds: permanent, or non-permanent, the latter expressed for example as a storage time (such as 1 year) or a number of uses (such as 5 times).
Step 502, when the secure data is to be stored, determining according to the data size and the security level whether the secure data is stored in the trusted execution environment TEE or in the hardware encryption chip.
After the TEE receives the secure data passed in from the REE, it obtains the data size of the secure data and the configured attribute information.
Determining whether the secure data is stored in the trusted execution environment TEE or in the hardware encryption chip specifically includes:
comparing the data size with the storage space of the hardware encryption chip;
when the data size is greater than the storage space, the storage space of the hardware encryption chip is insufficient, and the secure data is stored directly in the trusted execution environment TEE;
when the data size is less than or equal to the storage space, further determining from the security level information whether the data is stored in the trusted execution environment TEE or in the hardware encryption chip.
The security level information referred to above can be divided into two kinds, TEE level and hardware level. Therefore, when the security level is determined to be a TEE level, the secure data is stored in the trusted execution environment TEE; when it is determined to be a hardware level, the secure data is stored in the hardware encryption chip. It can be seen that deciding the storage location of the data from its size and security level ensures reasonable use of the storage regions.
Step 503, determining according to the security level and the life cycle whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment/hardware encryption chip.
After it is determined that the secure data is stored in the trusted execution environment or the hardware encryption chip, it is further necessary to distinguish whether the secure data is placed in the solid-state storage region or the dynamic storage region.
Specifically, judging whether the secure data is placed in the solid-state storage region or the dynamic storage region combines the two factors of security level and life cycle, and specifically includes:
when the security level is the highest level or the life cycle is permanent storage, storing the secure data in the solid-state storage region;
when the security level is a storage level and the life cycle is non-permanent storage, storing the secure data in the dynamic storage region.
It can be seen that in this embodiment the solid-state storage region is the preferred choice: when either the security level condition or the life cycle condition is met, the secure data is stored directly in the solid-state storage region, which ensures the security of the data. When neither condition is met, the data does not demand a highly secure storage environment, and the secure data is stored in the dynamic storage region.
Optionally, in an embodiment, the method further includes:
monitoring in real time the secure data in the dynamic storage region of the trusted execution environment/hardware encryption chip;
when the secure data meets a preset data usage rule, or an operation instruction for the secure data is received, performing dynamic storage management on the secure data.
There can be many kinds of preset data usage rule. For example, the security level of secure data whose usage frequency is low, or gradually decreasing, is lowered periodically; this mainly modifies the attributes of the data according to how the data is used. Alternatively, on receiving a data security attribute change request sent by the mobile terminal, the data can be downgraded or deleted according to that request. It can be seen that by monitoring the dynamic storage region the invention ensures the space utilization of the trusted execution environment and the hardware encryption chip, so that the hardware storage space is used effectively.
A specific embodiment of the invention provides a data secure storage method which, as shown in Fig. 5, specifically includes:
Step 601, in the common execution environment REE of the mobile terminal, the user configures the fingerprint application as secure data, and the required fingerprint data is extracted according to the name the user specified;
Step 602, a security level and a security period are set for the fingerprint data; here the security level is set to TEE highest level and the security period to permanent storage;
Step 603, after the trusted execution environment TEE obtains the secure data, it judges that the data size is smaller than the storage space of the hardware security chip, and then further obtains the security level;
Step 604, the security level is TEE highest level and the storage is permanent, so the secure data is stored in the solid-state storage region of the trusted execution environment TEE.
From the above, the invention combines software and hardware: by setting the security level and security period of the fingerprint data, it effectively improves the data storage efficiency of the mobile terminal and preserves the limited SE storage space.
A specific embodiment of the invention provides a data secure storage method which, as shown in Fig. 6, specifically includes the following steps:
Step 701, in the common execution environment REE of the mobile terminal, the user configures the data of the QQ application as secure data, and the data contained in the application is extracted according to the application name;
Step 702, a security level and a security period are set for the QQ application data; here the security level is set to hardware storage level rank 3 and the security period to 3 years. In this embodiment the storage level has 3 ranks, and rank 3 is the highest storage level;
Step 703, after the trusted execution environment TEE obtains the secure data, it judges that the data size is smaller than the storage space of the hardware security chip, and then further obtains the security level;
Step 704, the security level is hardware storage level and the security period is non-permanent, so the secure data is stored in the dynamic storage region of the hardware encryption chip;
Step 705, the usage of the QQ application data in the dynamic storage region of the hardware encryption chip is monitored; when the QQ application data is used once every half year, its hardware storage level is lowered to rank 2;
Step 706, when it is detected that the user has set the QQ application as non-secure data, the QQ application data is deleted from the dynamic storage region of the hardware encryption chip.
From the above, the data secure storage method provided by the embodiment of the invention effectively improves the storage efficiency of a hardware-encrypted secure mobile phone and makes maximum use of the limited hardware storage space, so that the limited storage space can serve an "unlimited" number of secure applications while the storage security of the data is effectively guaranteed.
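The two-stage placement decision (steps 502 and 503), the dynamic management rule of step 705 and the deletion of step 706, carried through in code as an added example; this is not the patent's own code, and the class names, the "free space" reading of the chip capacity, the 180-day/2-use threshold and the sample items are assumptions constructed for illustration.

```python
"""Placement policy of the patent's secure storage method (added example).

Stage 1 (first determining unit, in the TEE): data size vs. hardware chip
space, then security level -> TEE or hardware encryption chip.
Stage 2 (second determining unit): security level (highest vs. storage level)
and life cycle (permanent vs. non-permanent) -> solid-state or dynamic region.
Dynamic management: downgrade low-use storage-level items, delete on request.
All names, thresholds and sample data below are assumptions, not the patent's.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Level(Enum):
    HW_HIGHEST = "hardware highest level"
    HW_STORAGE = "hardware storage level"
    TEE_HIGHEST = "TEE highest level"
    TEE_STORAGE = "TEE storage level"


TEE_LEVELS = {Level.TEE_HIGHEST, Level.TEE_STORAGE}
HIGHEST_LEVELS = {Level.HW_HIGHEST, Level.TEE_HIGHEST}


@dataclass
class Attributes:
    """Attribute information configured in the REE: security level + life cycle."""
    level: Level
    rank: int = 1                          # sub-rank of a storage level (1..3, 3 highest)
    permanent: bool = False                # permanent life cycle
    retention_days: Optional[int] = None   # non-permanent: storage time
    max_uses: Optional[int] = None         # non-permanent: number of uses


def choose_environment(size: int, chip_free_space: int, level: Level) -> str:
    """Stage 1. Assumption: the value compared against is the chip's *free*
    space, so a full chip never wins and the data falls back to the TEE."""
    if size > chip_free_space:             # chip storage insufficient -> TEE directly
        return "TEE"
    return "TEE" if level in TEE_LEVELS else "HW_CHIP"


def choose_region(attrs: Attributes) -> str:
    """Stage 2. The solid-state region is preferred: either condition
    (highest level OR permanent life cycle) is enough to select it."""
    if attrs.level in HIGHEST_LEVELS or attrs.permanent:
        return "solid"
    return "dynamic"                       # storage level AND non-permanent


@dataclass
class StoredItem:
    name: str
    size: int
    attrs: Attributes
    environment: str = ""
    region: str = ""
    use_days: List[int] = field(default_factory=list)  # day index of each access


def place(item: StoredItem, chip_free_space: int) -> StoredItem:
    """Run both stages and record the decision on the item."""
    item.environment = choose_environment(item.size, chip_free_space, item.attrs.level)
    item.region = choose_region(item.attrs)
    return item


def apply_usage_rule(item: StoredItem, today: int, window_days: int = 180,
                     min_uses: int = 2) -> Optional[str]:
    """Dynamic management unit, preset usage rule (threshold is an assumption):
    a storage-level item in the dynamic region used fewer than min_uses times
    in the last window_days is downgraded one rank (never below rank 1).
    Highest-level and solid-region items are never touched by this rule."""
    if item.region != "dynamic" or item.attrs.level in HIGHEST_LEVELS:
        return None
    recent = [d for d in item.use_days if today - d <= window_days]
    if len(recent) < min_uses and item.attrs.rank > 1:
        item.attrs.rank -= 1
        return f"downgraded {item.name} to rank {item.attrs.rank}"
    return None


def apply_attribute_change(store: List[StoredItem], name: str, secure: bool) -> bool:
    """Operation instruction from the terminal: marking an item non-secure
    deletes it from the dynamic region. Returns True when something was deleted."""
    for item in list(store):
        if item.name == name and not secure and item.region == "dynamic":
            store.remove(item)
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the fingerprint (Fig. 5) and QQ data (Fig. 6) embodiments.
    chip_free = 8192
    fp = place(StoredItem("fingerprint", 4096, Attributes(Level.TEE_HIGHEST, permanent=True)), chip_free)
    qq = place(StoredItem("qq", 2048, Attributes(Level.HW_STORAGE, rank=3, retention_days=3 * 365)), chip_free)
    print(fp.name, fp.environment, fp.region)     # fingerprint TEE solid
    print(qq.name, qq.environment, qq.region)     # qq HW_CHIP dynamic
    qq.use_days = [0]                              # one use in half a year
    print(apply_usage_rule(qq, today=180))         # downgraded qq to rank 2
    store = [fp, qq]
    print(apply_attribute_change(store, "qq", secure=False), [i.name for i in store])
```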
It should be noted that in this document the terms "including", "comprising" and any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Absent further limitation, an element qualified by "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes it.
The serial numbers of the embodiments of the invention are for description only and do not indicate the relative merit of the embodiments.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus a necessary general-purpose hardware platform, and of course also by hardware, though in many cases the former is the better implementation. Based on this understanding, the technical solution of the invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device, or the like) to perform the method of each embodiment of the invention.
The above are only preferred embodiments of the invention and do not limit its scope of protection; any equivalent structure or equivalent process transformation made using the content of the description and drawings of the invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of protection of the invention.
Claims (10)
1. A data secure storage device, characterized by including:
a configuration unit, configured to configure attribute information of secure data, the attribute information including a security level and a life cycle;
a first determining unit, configured to determine, when the secure data is to be stored, whether the secure data is stored in a trusted execution environment TEE or in a hardware encryption chip according to the data size and the security level;
a second determining unit, configured to determine, according to the security level and the life cycle, whether the secure data is stored in a solid-state storage region or a dynamic storage region of the trusted execution environment/hardware encryption chip.
2. The device according to claim 1, characterized in that the configuration unit is specifically configured to:
obtain the set application or data name;
extract the secure data to be stored according to the application or data name;
set the security level and life cycle required for the secure data.
3. The device according to claim 1, characterized in that the first determining unit is specifically configured to:
compare the data size with the storage space of the hardware encryption chip;
when the data size is greater than the storage space, store the secure data in the trusted execution environment TEE;
when the data size is less than or equal to the storage space, judge whether the security level is a TEE level, and when it is judged to be a TEE level store the secure data in the trusted execution environment TEE, otherwise store the secure data in the hardware encryption chip.
4. The device according to claim 1, characterized in that the security level includes hardware highest level, hardware storage level, TEE highest level and TEE storage level, and the life cycle is divided into permanent storage and non-permanent storage;
the second determining unit is specifically configured to:
when the security level is the highest level or the life cycle is permanent storage, store the secure data in the solid-state storage region;
when the security level is a storage level and the life cycle is non-permanent storage, store the secure data in the dynamic storage region.
5. The device according to claim 1, characterized in that it further includes a dynamic management unit configured to:
monitor in real time the secure data in the dynamic storage region of the trusted execution environment/hardware encryption chip;
when the secure data meets a preset data usage rule or an operation instruction for the secure data is received, perform dynamic storage management on the secure data.
6. A data secure storage method, characterized by including:
configuring attribute information of secure data, the attribute information including a security level and a life cycle;
when the secure data is to be stored, determining according to the data size and the security level whether the secure data is stored in a trusted execution environment TEE or in a hardware encryption chip;
determining, according to the security level and the life cycle, whether the secure data is stored in a solid-state storage region or a dynamic storage region of the trusted execution environment/hardware encryption chip.
7. The method according to claim 6, characterized in that configuring the attribute information of the secure data specifically includes:
obtaining the set application or data name;
extracting the secure data to be stored according to the application or data name;
setting the security level and life cycle required for the secure data.
8. The method according to claim 6, characterized in that determining according to the data size and the security level whether the secure data is stored in the trusted execution environment TEE or in the hardware encryption chip specifically includes:
comparing the data size with the storage space of the hardware encryption chip;
when the data size is greater than the storage space, storing the secure data in the trusted execution environment TEE;
when the data size is less than or equal to the storage space, judging whether the security level is a TEE level, and when it is judged to be a TEE level storing the secure data in the trusted execution environment TEE, otherwise storing the secure data in the hardware encryption chip.
9. The method according to claim 6, characterized in that the security level includes hardware highest level, hardware storage level, TEE highest level and TEE storage level, and the life cycle is divided into permanent storage and non-permanent storage;
determining, according to the security level and the life cycle, whether the secure data is stored in the solid-state storage region or the dynamic storage region of the trusted execution environment/hardware encryption chip specifically includes:
when the security level is the highest level or the life cycle is permanent storage, storing the secure data in the solid-state storage region;
when the security level is a storage level and the life cycle is non-permanent storage, storing the secure data in the dynamic storage region.
10. The method according to claim 6, characterized in that the method further includes:
monitoring in real time the secure data in the dynamic storage region of the trusted execution environment/hardware encryption chip;
when the secure data meets a preset data usage rule or an operation instruction for the secure data is received, performing dynamic storage management on the secure data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710106872.XA CN106909851A (en) | 2017-02-27 | 2017-02-27 | A kind of secure storage method of data and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106909851A true CN106909851A (en) | 2017-06-30 |
Family
ID=59207912
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20170630 |