CN106953728B - Data transmission method and electronic equipment - Google Patents

Publication number: CN106953728B
Authority: CN (China)
Application number: CN201710192933.9A
Other languages: Chinese (zh)
Other versions: CN106953728A (en)
Inventor: 刘晶晶
Current Assignee: Lenovo Beijing Ltd (the listed assignees may be inaccurate)
Original Assignee: Lenovo Beijing Ltd
Legal status: Active (the listed status is an assumption, not a legal conclusion)
Prior art keywords: data, data request, request information, hardware module, application program

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/12: Applying verification of the received information
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Abstract

The invention provides a data transmission method and electronic equipment, wherein the method comprises the following steps: generating first data request information regarding a request to transmit data; using a secure hardware module to judge whether the first data request information is valid and whether the application program generating the first data request information is secure; and, when the first data request information is valid and the application program generating it is secure, the secure hardware module permitting transmission of the first data requested for transmission by the first data request information. The invention cannot be broken and offers high security.

Description

Data transmission method and electronic equipment
Technical Field
The present invention relates to the field of data transmission technologies, and in particular, to a data transmission method and an electronic device.
Background
As big data is applied more and more widely, the security of that data is receiving increasing attention. During data transmission processes such as data import and export and data acquisition, the security of the data needs to be fully ensured.
In existing data transmission schemes, data is usually encrypted with a pre-agreed encryption algorithm. The drawback of this scheme is that once the server holding the security data, such as the encryption algorithm, is compromised, data security is no longer guaranteed; that is, security is low.
Disclosure of Invention
The embodiment of the invention provides a data transmission method and electronic equipment which offer high data security and cannot be broken.
In order to solve the above technical problem, the invention provides the following technical solutions:
An embodiment of the present invention provides a data transmission method, including:
generating first data request information regarding a request to transmit data;
using a secure hardware module to judge whether the first data request information is valid and whether the application program generating the first data request information is secure;
when the first data request information is valid and the application program generating the first data request information is secure, the secure hardware module permits transmission of the first data requested for transmission by the first data request information.
As a preferred embodiment, the determining, by the secure hardware module, whether the first data request information is valid includes:
acquiring identification information about the application program in the first data request information;
verifying whether the identification information is correct; and
when the identification information is verified to be correct, judging that the first data request information is valid.
As a preferred embodiment, the determining, by the secure hardware module, whether the first data request information is valid includes:
acquiring identification information about the application program in the first data request information;
verifying whether the identification information is correct or not and verifying whether first data requested to be transmitted by the first data request information is safe or not;
and when the identification information is verified to be correct and the first data is safe, judging that the first data request information is valid.
As a preferred embodiment, the verifying whether the identification information is correct includes:
querying the stored data for the identification information and, if the identification information is found, judging that the identification information is correct.
As a preferred embodiment, the determining, by the secure hardware module, whether the application program that generates the first data request information is secure includes:
looking up, according to the identification information in the first data request information, the application program that generated the first data request information;
obtaining a verification result of the application program in a BIOS stage;
and judging whether the application program generating the first data request information is safe or not according to the verification result.
As a preferred embodiment, the method further comprises a step of receiving a data request from another electronic device:
receiving second data request information by which another electronic device requests data;
using a secure hardware module to judge whether the second data request information is valid and whether the second data requested by the second data request information is secure;
and when the second data request information is valid and the second data requested by the second data request information is secure, sending the second data based on the second data request information.
As a preferred embodiment, when the received second data request information is valid and the second data corresponding to the second data request information is secure, the second data is encrypted, and the encrypted second data is sent to the data requester of the second data request information;
wherein the encrypting the second data comprises:
and carrying out encryption processing on the requested second data by using an encryption key and a corresponding encryption algorithm stored in the secure hardware module.
As a preferred embodiment, the encryption key is a private key, and the encryption algorithm includes RES algorithm or RS4 algorithm.
As a preferred embodiment, the method further comprises the step of requesting data from the other electronic device, comprising:
generating third data request information for requesting data from other electronic devices;
using a secure hardware module to judge whether the third data request information is valid and whether the application program generating the third data request information is secure;
the secure hardware module permits sending the third data request information when the third data request information is valid and the application program generating the third data request information is secure.
As a preferred embodiment, the method further comprises:
using a secure hardware module to judge whether the third data requested to be downloaded by the third data request information is secure; and
when the third data is secure, the secure hardware module permits an operation to be performed on the third data.
As a preferred embodiment, the method further comprises:
receiving third data requested by the third data request information;
performing decryption processing on the third data, the performing decryption processing including:
executing decryption processing on the third data by using a decryption key and a corresponding encryption algorithm stored in the secure hardware module.
In addition, the embodiment of the invention also provides an electronic device, which comprises a processor and a secure hardware module, wherein:
the processor is configured to send first data request information about transmission data to the secure hardware module, and transmit the first data based on permission of the secure hardware module to transmit first data corresponding to the first data request information or based on permission control of the secure hardware module to control an application program generating the first data request information;
the secure hardware module is configured to determine whether first data request information of the processor side is valid and whether an application program generating the first data request information is secure, and is configured to permit sending of first data corresponding to the first data request information when the first data request information is valid and the application program generating the first data request information is secure.
As a preferred embodiment, the secure hardware module is further configured to determine that the first data request information is valid when the identification information of the application program generating the first data request information in the first data request information is verified to be correct.
As a preferred embodiment, the secure hardware module is further configured to obtain a verification result of the application program in the BIOS phase, and determine whether the application program generating the first data request information is secure based on the verification result.
As a preferred embodiment, the secure hardware module is further configured to determine whether first data requested to be transmitted by the first data request information is secure, and when the first data is secure, permit transmission of the first data corresponding to the first data request information.
As a preferred embodiment, the secure hardware module comprises a TCM module.
Through the disclosure of the above embodiments, it can be known that the beneficial effects of the embodiments of the present invention are:
1. The embodiment of the invention can check the security of the application program and of the request information generated during data transmission, and performs the transmission or download of data only when the application program is valid and secure and the request information is valid, thereby further ensuring the security of the data operating environment;
2. Because the encryption key is stored in the secure hardware module, the encryption key cannot be broken, and security is high.
Drawings
FIG. 1 is a schematic flow chart of a data transmission method in an embodiment of the present invention;
FIG. 2 is a schematic flow chart illustrating a method for determining whether a first data request message is valid using a security hardware module according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a principle of determining whether the first data request message is valid by using the security hardware module according to another embodiment of the present invention;
FIG. 4 is a schematic flow chart of the method for determining whether an application generating first data request messages is safe using a secure hardware module;
FIG. 5 is a schematic flow chart illustrating the use of the security hardware module to verify the second data request message in the embodiment of the present invention;
FIG. 6 is a schematic flow chart illustrating the verification of the third data request message by the security hardware module according to the embodiment of the present invention;
FIG. 7 is a schematic block diagram of an electronic device in an embodiment of the present invention.
Detailed Description
The following detailed description of specific embodiments of the present invention is provided in connection with the accompanying drawings, which are not intended to limit the invention.
It will be understood that various modifications may be made to the embodiments disclosed herein. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Other modifications will occur to those skilled in the art within the scope and spirit of the disclosure.
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the disclosure and, together with a general description of the disclosure given above, and the detailed description of the embodiments given below, serve to explain the principles of the disclosure.
These and other characteristics of the invention will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the accompanying drawings.
It should also be understood that, although the invention has been described with reference to some specific examples, a person of skill in the art shall certainly be able to achieve many other equivalent forms of the invention, having the characteristics as set forth in the claims and hence all coming within the field of protection defined thereby.
The above and other aspects, features and advantages of the present disclosure will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present disclosure are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely examples of the disclosure that may be embodied in various forms. Well-known and/or repeated functions and structures have not been described in detail so as not to obscure the present disclosure with unnecessary or redundant detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present disclosure in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the disclosure.
The following describes embodiments of the present invention in detail with reference to the accompanying drawings. The embodiment of the invention provides a data transmission method which is applied to electronic equipment comprising a secure hardware module. The secure hardware module performs security checks on the various request information for transmitting or requesting data, and on received data or application programs, so as to achieve data security and application system security and thereby the security of the electronic equipment.
As shown in FIG. 1, which is a schematic flow chart of a data transmission method in an embodiment of the present invention, the method may include:
generating first data request information regarding a request to transmit data; using a secure hardware module to judge whether the first data request information is valid and whether the application program generating the first data request information is secure; and when the first data request information is valid and the application program generating the first data request information is secure, the secure hardware module permits transmission of the first data requested to be transmitted by the first data request information.
In the embodiment of the present invention, when the electronic device needs to transmit data to another electronic device or a server, or transmit data between applications in the electronic device, transmission request information for transmitting data, that is, the first data request information, may be generated. For example, when an application program in the electronic device transmits an instruction or data to another application program, another electronic device, or a server, the first data request information may be generated accordingly. The secure hardware module in the electronic device can check the first data request information to determine whether it is valid. In addition, the secure hardware module may further determine whether the application program generating the first data request information is secure, and grant the sending of the first data request information only when the first data request information is determined to be valid and the application program sending the first data request information is secure. With this configuration, information is permitted to be sent only when the application program running in the electronic equipment is secure, and the security of the sent information is judged as well, so that the security of the electronic equipment is guaranteed as a whole.
The following describes a process for verifying the security of application and data request information by way of specific embodiments.
As shown in fig. 2, a schematic flow chart of determining whether the first data request message is valid by using the secure hardware module in the embodiment of the present invention includes:
acquiring identification information about the application program in the first data request information; verifying whether the identification information is correct; and when the identification information is verified to be correct, determining that the first data request information is valid.
In the embodiment of the invention, the unique and corresponding identification information can be respectively associated with each application program in the electronic equipment, and the application program can be correspondingly searched through the identification information. The above-mentioned identification information may be stored in the memory or may also be stored in the secure hardware module. When the application program performs data transmission or requests data, for example, in the process of generating the first data request information, the identification information of the application program and the related information of the requested data may be included in the transmission request information, so that other application programs, the secure hardware module, or other electronic devices and servers can identify the application program generating the first data request information. The security hardware module can check the identification information in the first data request information generated by the application program, and judge whether the identification information is correct, so as to judge the validity of the first data request information.
In addition, in the embodiment of the present invention, the verifying that the identification information in the first data request information is correct may include checking whether the verified identification information exists in the stored identification information, and if so, the identification information is correct. Meanwhile, in order to better ensure the effectiveness and the safety of the verification step, the identification information may be a character string composed of a plurality of different or identical characters.
In addition, as shown in fig. 3, a schematic flow chart illustrating the method for determining whether the transmission request information is valid by using the secure hardware module according to another embodiment of the present invention includes:
acquiring identification information about the application program in the first data request information; verifying whether the identification information is correct or not and verifying whether first data requested to be transmitted by the first data request information is safe or not; and when the identification information is verified to be correct and the first data is safe, judging that the first data request information is valid.
The security hardware module in the embodiment of the present invention may verify the first data requested to be transmitted by the data request information, in addition to checking the identification information in the transmission request information generated when the application requests to transmit data. The secure hardware module may correspondingly acquire the first data and check whether the first data is secure based on the related information about the requested first data in the first data request information, and may determine that the first data request information is secure and valid only if the first data is secure and the identification information is accurate. The security of the electronic device can be guaranteed only when the first data requested to be transmitted by the data request information is transmitted.
The method for verifying the security of the first data in the embodiment of the present invention may be to check whether the first data is complete and accurate. The secure hardware module in the electronic device in this embodiment may check the application programs, hardware, and stored data in the electronic device. Specifically, the secure hardware module may store check parameters for all data or important data in the electronic device, and the check parameters may be used to check whether the application programs, hardware, and stored data in the electronic device have been tampered with or replaced, or whether unsafe factors exist, so as to determine the security of each program or piece of data in the electronic device. The verification process described above may be performed at the BIOS stage.
That is to say, in the BIOS stage, the secure hardware module may verify the security of the first data, and correspondingly store the verification result. When the security of the first data requested to be transmitted by the first data request information is judged, the check result can be directly checked, and when the check result shows that the first data is complete and accurate (or safe), the first data is safe.
Correspondingly, as shown in fig. 4, a schematic flow chart of determining whether an application program generating first data request information is safe by using a secure hardware module in the embodiment of the present invention includes:
looking up, according to the identification information in the first data request information, the application program that generated the first data request information; obtaining a verification result of the application program in a BIOS stage; and judging whether the application program generating the first data request information is secure according to the verification result.
As described above, the secure hardware module in the embodiment of the present invention may check the security of the application program that generates the first data request information. Specifically, the secure hardware module or memory may store the verification results for each application, hardware device, and piece of data. When the application program of the first data request information is verified, the corresponding application program may be found based on the identification information about the application program included in the first data request information, and its verification result may be queried. The corresponding data transmission or other authentication process can only be performed if the verification result shows that the application is secure.
In addition, when the secure hardware module verifies that the application program generating the first data request information or the first data request information is unsafe, the secure hardware module stops the program for data transmission and gives an alarm through the operating system or gives an alarm to a remote server, a control device, or the like. Meanwhile, if complete and accurate corresponding data are stored in the safety hardware module or in other storage paths (network paths or local paths) in a backup mode, the safety data can be updated to the electronic equipment, so that the safe operation of the electronic equipment is guaranteed.
In addition, the first data request information generated by the application program may further include identification information about the application program or the electronic device that receives the first data. When the first data request information is transmitted within the electronic device, that is, when data is transmitted between an application program and another application program in the electronic device, the secure hardware module may further check whether the application program receiving the first data is secure. Only when the application program transmitting the first data, the application program receiving the first data, and the first data request information are all secure and valid is the first data permitted to be transmitted to the application program serving as the receiving party.
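The checks of FIGs. 2 to 4 and the receiver check above, modelled in software as an added example; it is not code from the patent. The class and method names are hypothetical, and a SHA-256 digest is assumed as the stored check parameter, which the text does not specify.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def digest(blob: bytes) -> str:
    # Assumption: a SHA-256 digest stands in for the "check parameter".
    return hashlib.sha256(blob).hexdigest()


@dataclass(frozen=True)
class DataRequest:
    sender_id: str                     # identification information of the requesting app
    data_name: str                     # which data the request asks to transmit
    receiver_id: Optional[str] = None  # set for app-to-app transfers on the same device


@dataclass
class SecureModuleModel:
    """Software stand-in for the secure hardware module (hypothetical API)."""
    app_refs: dict = field(default_factory=dict)      # app id -> reference digest
    data_refs: dict = field(default_factory=dict)     # data name -> reference digest
    boot_results: dict = field(default_factory=dict)  # (kind, name) -> bool
    alarms: list = field(default_factory=list)        # (request, reason) per denial

    def enroll(self, apps: dict, data: dict) -> None:
        """Store reference digests of known-good applications and data."""
        self.app_refs = {name: digest(blob) for name, blob in apps.items()}
        self.data_refs = {name: digest(blob) for name, blob in data.items()}

    def boot_verify(self, apps: dict, data: dict) -> None:
        """Boot-stage check: compare current contents with the references
        and keep one pass/fail result per enrolled item."""
        self.boot_results = {}
        for kind, refs, current in (("app", self.app_refs, apps),
                                    ("data", self.data_refs, data)):
            for name, ref in refs.items():
                ok = name in current and hmac.compare_digest(ref, digest(current[name]))
                self.boot_results[(kind, name)] = ok

    def authorize(self, req: DataRequest):
        """Return (permitted, reason). A missing result counts as a failure."""
        checks = [
            # FIG. 2: the identification must be found in the stored data.
            (req.sender_id in self.app_refs, "unknown sender identification"),
            # FIG. 4: look up the sender's boot-stage verification result.
            (self.boot_results.get(("app", req.sender_id), False),
             "sender failed boot-stage verification"),
            # FIG. 3: the requested data must itself have verified as intact.
            (self.boot_results.get(("data", req.data_name), False),
             "requested data failed integrity check"),
        ]
        if req.receiver_id is not None:
            # On-device transfer: the receiving application is checked too.
            checks.append((self.boot_results.get(("app", req.receiver_id), False),
                           "receiver failed boot-stage verification"))
        for ok, reason in checks:
            if not ok:
                self.alarms.append((req, reason))  # record the denial as an alarm
                return False, reason
        return True, "permitted"


def demo():
    # Constructed sample inputs; byte strings stand in for binaries and files.
    good_apps = {"app.sync": b"sync-binary-v1", "app.viewer": b"viewer-binary-v1"}
    good_data = {"report.csv": b"id,total\n1,42\n"}
    module = SecureModuleModel()
    module.enroll(good_apps, good_data)

    # At the next boot the viewer binary no longer matches its reference.
    booted_apps = dict(good_apps)
    booted_apps["app.viewer"] = b"viewer-binary-v1-modified"
    module.boot_verify(booted_apps, good_data)

    requests = [
        DataRequest("app.sync", "report.csv"),                # every check passes
        DataRequest("app.unknown", "report.csv"),             # id not in stored data
        DataRequest("app.viewer", "report.csv"),              # sender was modified
        DataRequest("app.sync", "missing.bin"),               # no result for this data
        DataRequest("app.sync", "report.csv", "app.viewer"),  # receiver was modified
    ]
    results = [module.authorize(r) for r in requests]
    return results, module.alarms


if __name__ == "__main__":
    for permitted, reason in demo()[0]:
        print(permitted, reason)
```

The gate fails closed: a request naming data or an application with no stored boot-stage result is denied rather than passed through.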
In addition, in a preferred embodiment, the secure hardware module or the application program generating the first data request message may perform encryption processing on the first data requested to be transmitted by the first data request message, and then transmit the encrypted first data. The secure hardware module in the embodiment of the present invention may store an encryption key used for encryption processing and a decryption key used for decryption processing, and the secure hardware module or an application program that generates the first data request information may perform encryption processing on the first data by using the encryption key and a corresponding encryption algorithm, thereby ensuring security of data transmission.
In addition, when the receiver receiving the first data is another application program in the electronic device, the application program may further read a decryption key stored in the secure hardware module, and perform decryption processing using the decryption key to obtain the first data. When reading the decryption key, the secure hardware module may also verify the security of the application, and the specific verification process is as described above.
The secure hardware module in the embodiment of the invention provides extremely high security for the data stored in it, can ensure that the encryption key and decryption key used to encrypt and decrypt data are not broken, and can monitor the integrity of the application programs, operating system, hardware and data in the electronic device, ensuring the security of the operating environment of the electronic device. In addition, in the embodiment of the present invention, the encryption key stored in the secure hardware module is a private key, and the encryption algorithm includes RES algorithm or RS4 algorithm. The secure hardware module may comprise a TCM module.
The above process explains the security protection applied to data transmission requests in the embodiment of the present invention. The embodiment of the present invention may further receive second data request information for requesting data, sent by other electronic devices, servers, or other application programs in the electronic device, and the secure hardware module may likewise monitor that data request and transmission process.
Fig. 5 is a schematic flow chart illustrating the verification of the second data request information by the secure hardware module according to the embodiment of the present invention. The electronic device in the embodiment of the present invention may receive data requests from other electronic devices or server devices, or an application program in the electronic device may receive data requests of other application programs, and the secure hardware module may verify the data requests and control data transmission between the two. The method specifically comprises the following steps:
receiving second data request information by which another electronic device or application program requests data; using a secure hardware module to judge whether the second data request information is valid and whether the second data requested by the second data request information is secure; and, when the second data request information is valid and the second data requested by the second data request information is secure, sending the second data based on the second data request information.
That is, in the embodiment of the present invention, the secure hardware module can verify data request information generated by an application program in the electronic device and request information received from other external electronic devices.
The secure hardware module may receive second data request information, generated by another electronic device or by an application program in the electronic device, that requests acquisition of second data. The secure hardware module may verify the identification information, included in the second data request information, of the application program or electronic device acting as the requester; if the identification information is found in the stored data, the second data request information is valid. In the above embodiment, the identification information may be an identification corresponding to the application program that generates the second data request information, or may include identification information uniquely corresponding to the electronic device, such as an IP address of the electronic device that transmits the second data request information. The second data request information is valid only when the identification information is verified to be correct. The identification information is verified in the same way as in the above embodiment, i.e. the identification information is correct if it is found in the stored data.
The secure hardware module in the embodiment of the present invention may further verify the second data requested by the second data request information, that is, verify whether the data content of the second data is complete and accurate. When the data content of the second data is complete and accurate, the second data is secure data and may be transmitted or sent.
Similarly, in a preferred embodiment, the secure hardware module or the application program generating the second data request message may encrypt the requested second data and transmit the encrypted second data. The secure hardware module in the embodiment of the present invention may store an encryption key used for encryption processing and a decryption key used for decryption processing, and the application program that generates the second data request information or the secure hardware module in the electronic device may perform encryption processing on the second data by using the encryption key and a corresponding encryption algorithm, thereby ensuring security of data transmission. In addition, when receiving the returned second data, the decryption key in the secure hardware module may be used to perform decryption processing on the second data to obtain the second data. In addition, in the embodiment of the present invention, the encryption key stored in the secure hardware module is a private key, and the encryption algorithm includes RES algorithm or RS4 algorithm. And the secure hardware module may comprise a TCM module.
In addition, in another embodiment of the present invention, the application program in the electronic device may also request other electronic devices or servers to download data, and correspondingly generate third data request information requesting to download data, and the secure hardware module may perform security verification on the request information and the data requested to be downloaded, so as to ensure the security of the electronic device.
Fig. 6 is a schematic flow chart illustrating the verification of the third data request information by the secure hardware module according to the embodiment of the present invention. The flow may include:
generating third data request information for requesting data from other electronic devices; judging, by using the secure hardware module, whether the third data request information is valid and whether the application program generating the third data request information is safe; and, when the third data request information is valid and the application program generating the third data request information is secure, permitting, by the secure hardware module, the sending of the third data request information.
In the embodiment of the present invention, the third data request message generated by the application program may be verified, and the application program generating the third data request message may also be verified, and only when both are secure, the secure hardware module permits to send the third data request message to the corresponding electronic device or server.
Similarly, the third data request message includes an identifier of the application program that generated the request message, and by checking whether the identifier is correct, it is possible to verify whether the third data request message is valid. Further, when the identification exists in the stored identification information, the identification is verified to be correct.
Similarly, the authentication of the application program generating the third data request information may be based on the result of the authentication of the application program in the electronic device by the secure hardware module, and if the result of the authentication indicates security, the application program generating the third data request information may be determined to be secure.
In a preferred embodiment of the present invention, the secure hardware module may further verify third data requested to be downloaded by the third data request information, and the specific process may include:
judging, by using the secure hardware module, whether the third data requested to be downloaded by the third data request information is safe; and when the third data is secure, the secure hardware module permits execution of an operation on the third data.
In an embodiment of the present invention, the secure hardware module may obtain the third data requested to be downloaded together with a verification parameter of the third data, and check the third data based on the verification parameter. The electronic device responding to the third data request information may return the third data corresponding to the request, and the secure hardware module may first check the third data. Specifically, the secure hardware module or the storage device may also store a verification parameter of the requested third data, verify based on the verification parameter whether the data content of the third data is complete and accurate, and allow the application programs in the electronic device to operate on and process the data only when the content of the third data is complete and accurate. This prevents data carrying trojans or viruses from running in the electronic device.
In addition, when the received third data is data subjected to encryption processing, the data may be subjected to decryption processing. The secure hardware module stores a decryption key. The secure hardware module or the application program may receive the third data requested by the third data request information and perform decryption processing on the third data, where performing the decryption processing includes: decrypting the third data by using the decryption key stored in the secure hardware module and the corresponding encryption algorithm.
In summary, the data transmission method in the embodiment of the present invention checks the security of the application program and of the request information generated during the data transmission process, and performs data transmission or downloading only when the application program is valid and safe and the request information is valid, thereby further ensuring the security of the data operation environment; because the encryption key is stored in the secure hardware module, the encryption key cannot be cracked, and the security is high.
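The permit decisions described above for the first, second and third data request information, modelled in software as an added example (not code from the patent and not a TCM interface). Assumptions: the verification parameter is a SHA-256 digest, the boot-stage result is one stored boolean per application, and every identifier, field name and sample value is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    # Assumption: a "verification parameter" is modelled as a SHA-256 digest.
    return hashlib.sha256(data).hexdigest()


@dataclass
class SecureModuleModel:
    """Software stand-in for the module's permit decisions (hypothetical names)."""
    known_ids: set = field(default_factory=set)        # stored identification information
    boot_results: dict = field(default_factory=dict)   # app id -> boot-stage verification result
    verify_params: dict = field(default_factory=dict)  # data name -> expected digest
    alarms: list = field(default_factory=list)         # refused requests and the failed checks

    def id_is_correct(self, ident: str) -> bool:
        # An identifier is correct only if it is found in the stored data.
        return ident in self.known_ids

    def app_is_secure(self, app_id: str) -> bool:
        # Fail closed: no stored boot-stage result means "not secure".
        return self.boot_results.get(app_id) is True

    def data_is_secure(self, name: str, data: bytes) -> bool:
        # Data is "complete and accurate" only if it matches its stored parameter.
        expected = self.verify_params.get(name)
        if expected is None:
            return False
        return hmac.compare_digest(expected, digest(data))

    def _decide(self, kind: str, ident: str, checks: list) -> bool:
        failed = [label for label, ok in checks if not ok]
        if failed:
            self.alarms.append((kind, ident, failed))  # stop and record an alarm
        return not failed

    def permit_send(self, req: dict, data: bytes) -> bool:
        """First data request: an application asks to transmit data."""
        checks = [
            ("identifier", self.id_is_correct(req["id"])),
            ("sender", self.app_is_secure(req["id"])),
            ("data", self.data_is_secure(req["data"], data)),
        ]
        if req.get("receiver_app"):  # in-device transfer: the receiver is checked too
            checks.append(("receiver", self.app_is_secure(req["receiver_app"])))
        return self._decide("send", req["id"], checks)

    def permit_serve(self, req: dict, data: bytes) -> bool:
        """Second data request: another device or application asks for data."""
        checks = [
            ("identifier", self.id_is_correct(req["id"])),  # app id or device IP
            ("data", self.data_is_secure(req["data"], data)),
        ]
        return self._decide("serve", req["id"], checks)

    def permit_download_request(self, req: dict) -> bool:
        """Third data request: an application asks to download data."""
        checks = [
            ("identifier", self.id_is_correct(req["id"])),
            ("requester", self.app_is_secure(req["id"])),
        ]
        return self._decide("download-request", req["id"], checks)

    def permit_use_of_download(self, req: dict, data: bytes) -> bool:
        """Returned third data is checked before any application may operate on it."""
        checks = [("data", self.data_is_secure(req["data"], data))]
        return self._decide("download-use", req["id"], checks)


def build_sample_module() -> SecureModuleModel:
    # Constructed sample state; "app.viewer" is known but failed its boot-stage check.
    return SecureModuleModel(
        known_ids={"app.mail", "app.viewer", "app.updater", "192.0.2.10"},
        boot_results={"app.mail": True, "app.viewer": False, "app.updater": True},
        verify_params={
            "report": digest(b"quarterly-report-v1"),
            "update": digest(b"update-package-v7"),
        },
    )


if __name__ == "__main__":
    m = build_sample_module()
    print(m.permit_send({"id": "app.mail", "data": "report"}, b"quarterly-report-v1"))
    print(m.permit_use_of_download({"id": "app.updater", "data": "update"},
                                   b"update-package-v7\x00extra"))
    print(m.alarms)
```

Each refusal records which check failed, which is the information an operator needs when the alarm described in the text is raised.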
In addition, an embodiment of the present invention further provides an electronic device, where the electronic device may apply the data transmission method provided in the foregoing embodiment, and the electronic device may further include the above-mentioned secure hardware module and the application program.
Specifically, fig. 7 is a schematic block diagram of an electronic device according to an embodiment of the present invention, where the electronic device according to an embodiment of the present invention may include a processor 100, a secure hardware module 200, and a memory 300 for storing data. The processor 100 according to the embodiment of the present invention may manage application programs in the electronic device, the secure hardware module 200 may perform security detection on data interaction between the application programs, and the processor 100 may execute control on each application program based on a monitoring result or a control instruction of the secure hardware module 200, thereby ensuring security of an operating environment of the electronic device.
In one embodiment of the present invention, the processor 100 may generate, or receive from an application program, first data request information regarding transmission of first data, and send the first data request information to the secure hardware module 200. Based on the permission of the secure hardware module 200, the processor 100 may transmit the first data corresponding to the first data request information, or control the application program that generated the first data request information to transmit the first data. The secure hardware module 200 may determine whether the first data request information sent by the processor 100 is valid and whether the application program generating the first data request information is secure, and, when the first data request information is valid and the application program generating it is secure, permit the processor 100 or that application program to send the first data requested to be transmitted by the first data request information.
In the embodiment of the present invention, when the electronic device needs to transmit data to another electronic device or a server, or to transmit data between application programs in the electronic device, it may generate transmission request information for transmitting the data, that is, the first data request information. For example, when an application program in the electronic device transmits an instruction or data to another application program, another electronic device, or a server, the first data request information may be generated correspondingly, and the processor 100 may also monitor the request information for transmitting data. The secure hardware module 200 in the electronic device may check the first data request information to determine whether it is valid. In addition, the secure hardware module 200 may further determine whether the application program generating the first data request information is secure, and permit the processor or the application program generating the first data request information to send the first data corresponding to the first data request information only when the first data request information is determined to be valid and the application program sending the first data request information is secure. With this configuration, information is permitted to be sent only when the application program running in the electronic device is safe, and the security of the information being sent is judged as well, so that the security of the electronic device as a whole is guaranteed.
Specifically, the secure hardware module 200 may be further configured to determine that the first data request information is valid when the identification information of the application program generating the first data request information in the first data request information is verified to be correct.
In the embodiment of the present invention, each application program in the electronic device can be associated with its own unique identification information, and the application program can be looked up through that identification information. The identification information may be stored in the memory 300 or in the secure hardware module 200. When the application program performs data transmission or requests data, for example while generating the first data request information, the identification information of the application program and the related information of the requested data may be included in the transmission request information, so that other application programs, the secure hardware module 200, or other electronic devices and servers can identify the application program that generated the first data request information. The secure hardware module 200 may check the identification information in the first data request information generated by the application program and determine whether the identification information is correct, thereby determining the validity of the first data request information. The method by which the secure hardware module 200 verifies that the identification information in the first data request information is correct may include checking whether the identification information being verified exists in the stored identification information, and if so, determining that the identification information is correct. Meanwhile, in order to better ensure the effectiveness and the security of the verification step, the identification information may be a character string composed of a plurality of different or identical characters.
In addition, the secure hardware module can also check the security of the first data requested to be transmitted by the first data request information. That is, the secure hardware module 200 may also determine that the first data request information is valid when the identification information in the first data request information is verified to be correct and the first data is secure.
The secure hardware module 200 in the embodiment of the present invention may verify the first data requested to be transmitted by the data request information, in addition to checking the identification information in the transmission request information generated when the application program requests to transmit data. Based on the relevant information about the requested first data in the first data request information, the secure hardware module 200 may find and obtain the first data and check whether the first data is secure; only if the first data is secure and the identification information is accurate may it be determined that the first data request information is secure and valid. The security of the electronic device can be guaranteed only when the first data requested to be transmitted by the data request information is transmitted.
The method for verifying the security of the first data in the embodiment of the present invention may be to check whether the first data is complete and accurate. The secure hardware module 200 in the electronic device in this embodiment may check the application programs, hardware, and stored data in the electronic device. Specifically, the secure hardware module 200 or the memory 300 may store verification parameters for all data or for important data in the electronic device, and the verification parameters can be used to check whether the application programs, the hardware, and the stored data in the electronic device have been tampered with or replaced, or contain unsafe factors, so as to determine the security of each program or item of data in the electronic device.
The verification process described above may be performed at the BIOS stage. That is, in the BIOS stage, the secure hardware module 200 may verify the security of the first data, and store the verification result correspondingly. When the security of the first data requested to be transmitted by the first data request information is judged, the check result can be directly checked, and when the check result shows that the first data is complete and accurate (or safe), the first data is safe.
Similarly, the secure hardware module 200 may also query, according to the identification information in the first data request information, the application program that generates the first data request information, and obtain a verification result of the application program that generates the first data request information at the BIOS stage; and judging whether the application program generating the first data request information is safe or not according to the verification result.
As described above, the secure hardware module 200 in the embodiment of the present invention may check the security of the application program that generates the first data request information. Specifically, the secure hardware module 200 or the memory 300 may store the verification results for each application program, hardware device, and item of data. When the application program that generated the first data request information is verified, the corresponding application program may be found based on the identification information about the application program included in the first data request information, and its verification result may be queried. The corresponding data transmission or other authentication process can be performed only if the verification result of the application program is secure.
In addition, when the secure hardware module 200 verifies that the application program generating the first data request information, or the first data request information itself, is not secure, the secure hardware module 200 stops the data transmission procedure and raises an alarm through the operating system or sends an alarm to a remote server, a control device, or the like. Meanwhile, if complete and accurate corresponding data is backed up in the secure hardware module or in another storage path (a network path or a local path), the secure data can be updated to the electronic device, so that the safe operation of the electronic device is guaranteed.
In addition, the first data request information sent by the processor 100 may further include identification information about the application or the electronic device that receives the first data. When the first data request message is transmitted in the electronic device, that is, when data is transmitted between an application program and another application program in the electronic device, the secure hardware module 200 may further check whether the application program receiving the first data is safe, and only when the application program transmitting the first data, the application program receiving the first data, and the first data request message are all safe and valid, the first data is permitted to be transmitted to the application program serving as the receiving party.
In addition, in a preferred embodiment, the secure hardware module 200 or the application program generating the first data request message may perform encryption processing on the first data requested to be transmitted by the first data request message, and then transmit the encrypted first data. The secure hardware module in the embodiment of the present invention may store an encryption key used for encryption processing and a decryption key used for decryption processing, and the secure hardware module or an application program that generates the first data request information may perform encryption processing on the first data by using the encryption key and a corresponding encryption algorithm, thereby ensuring security of data transmission.
In addition, when the receiver receiving the first data is another application program in the electronic device, the application program may further read a decryption key stored in the secure hardware module, and perform decryption processing using the decryption key to obtain the first data.
The secure hardware module in the embodiment of the present invention provides extremely high security for the data stored in it: it can ensure that the encryption key and decryption key used to encrypt and decrypt data are not compromised, and it can monitor the integrity of the application programs, operating system, hardware and data in the electronic device, thereby ensuring the security of the operating environment of the electronic device. In addition, in the embodiment of the present invention, the encryption key stored in the secure hardware module is a private key, and the encryption algorithm includes RES algorithm or RS4 algorithm. The secure hardware module may comprise a TCM module.
The above process explains the security protection applied to data transmission requests in the embodiment of the present invention. In another embodiment of the present invention, second data request information, requesting data, that is sent by another electronic device, a server, or another application program in the electronic device may also be received, and the secure hardware module may also monitor this data request and transmission process.
The electronic device in the embodiment of the present invention may receive a data request from another electronic device or a server device, or the processor 100 in the electronic device may also receive a data request for requesting data from another application or the electronic device, and the secure hardware module 200 may verify the data request and control data transmission between the two.
Specifically, the secure hardware module 200 may receive second data request information by which another electronic device or application program requests data; judge whether the second data request information is valid and whether the second data requested by the second data request information is safe; and, when the second data request information is valid and the second data requested by the second data request information is secure, control the processor 100 to send the second data, based on the second data request information, to the requester requesting the data.
That is, in the embodiment of the present invention, whether the second request information is generated by an application program in the electronic device or received from another external electronic device, the secure hardware module 200 may verify the request information and the requested data.
The secure hardware module 200 may receive second data request information, generated by another electronic device or by an application program in the electronic device, that requests acquisition of second data. The secure hardware module 200 may verify the identification information, included in the second data request information, of the application program or electronic device acting as the requester; if the identification information is found in the stored data, the second data request information is valid. In the above embodiment, the identification information may be an identification corresponding to the application program that generates the second data request information, or may include identification information uniquely corresponding to the electronic device, such as an IP address of the electronic device that transmits the second data request information. The second data request information is valid only when the identification information is verified to be correct. The identification information is verified in the same way as in the above embodiment, i.e. the identification information is correct if it is found in the stored data.
The secure hardware module 200 in the embodiment of the present invention may further verify the second data requested by the second data request information, that is, verify whether the data content of the second data is complete and accurate. When the data content is complete and accurate, the second data is secure data and may be transmitted or sent. The security of the second data is verified in the same way as in the above embodiment: the secure hardware module may generate the corresponding verification result at the BIOS stage, or when verifying the security of all data of the electronic device, and store the verification result in the memory 300 or the secure hardware module 200.
Similarly, in a preferred embodiment, the secure hardware module 200 or the application program generating the second data request message may encrypt the requested second data and transmit the encrypted second data. The secure hardware module 200 in the embodiment of the present invention may store an encryption key for encryption processing and a decryption key for decryption processing, and an application program generating the second data request information or a secure hardware module in the electronic device may perform encryption processing on the second data by using the encryption key and a corresponding encryption algorithm, thereby ensuring security of data transmission. In addition, the processor 100 may also read the encryption key in the secure hardware module 200, and encrypt the second data with a preset encryption algorithm, and then send the encrypted second data to the application or the electronic device that generates the second data request. In addition, when the application program or the electronic device that generates the second data request receives the returned second data, the decryption key in the secure hardware module may be used to perform decryption processing on the second data to obtain the second data. Similarly, the decryption operation may be performed by the processor 100, which decrypts the encrypted second data by reading the decryption key in the secure hardware module 200 and the predetermined decryption algorithm. In addition, in the embodiment of the present invention, the encryption key stored in the secure hardware module 200 is a private key, and the encryption algorithm includes RES algorithm or RS4 algorithm. And the secure hardware module in embodiments of the present invention may comprise a TCM module.
In addition, in another embodiment of the present invention, an application program or a processor in the electronic device may also request other electronic devices or servers to download data, and correspondingly generate third data request information requesting to download the data, and the secure hardware module may perform security verification on the request information and the data requested to be downloaded, so as to ensure the security of the electronic device.
That is, the processor 100 may generate third data request information requesting data from other electronic devices; the secure hardware module 200 may determine whether the third data request information is valid and determine whether an application generating the third data request information is secure; the secure hardware module permits sending the third data request message when the third data request message is valid and an application generating the third data request message is secure.
In the embodiment of the present invention, the secure hardware module 200 may verify the third data request message generated by the processor 100, and may also verify the application program generating the third data request message, and only when both are secure, the secure hardware module permits to send the third data request message to the corresponding electronic device or server.
Similarly, the third data request message includes an identifier of the application program that generated the request message, and by checking whether the identifier is correct, it is possible to verify whether the third data request message is valid. Further, when the identification exists in the stored identification information, the identification is verified to be correct.
Similarly, the authentication of the application program generating the third data request information may be based on the result of the authentication of the application program in the electronic device by the secure hardware module, and if the result of the authentication indicates security, the application program generating the third data request information may be determined to be secure.
In a preferred embodiment of the present invention, the secure hardware module 200 may further verify the third data requested to be downloaded by the third data request message. The secure hardware module 200 may determine whether the third data requested to be downloaded by the third data request information is secure; and when the third data is secure, the secure hardware module 200 permits an operation to be performed on the third data.
In an embodiment of the present invention, the secure hardware module 200 may obtain the third data requested to be downloaded together with the verification parameter of the third data, and check the third data based on the verification parameter. The electronic device responding to the third data request information may return the third data corresponding to the request, and the secure hardware module may first check the third data. Specifically, the secure hardware module or the storage device may also store a verification parameter of the requested third data, verify based on the verification parameter whether the data content of the third data is complete and accurate, and allow the application programs in the electronic device to operate on and process the data only when the content of the third data is complete and accurate. This prevents data carrying trojans or viruses from running in the electronic device.
In addition, when the received third data is data subjected to encryption processing, the data may be subjected to decryption processing. The secure hardware module stores a decryption key. The secure hardware module or the application program may receive the third data requested by the third data request information and perform decryption processing on the third data, where performing the decryption processing includes: decrypting the third data by using the decryption key stored in the secure hardware module and the corresponding encryption algorithm.
In addition, the electronic device in the embodiment of the present invention may be any computer device or handheld terminal device such as a mobile phone, and may also be a server device, and the like.
In summary, the secure hardware module in the electronic device in the embodiment of the present invention may check the security of the application program and of the request information generated during the data transmission process, and data transmission or downloading is performed only when the application program is valid and safe and the request information is valid, so as to further ensure the security of the data operation environment; because the encryption key is stored in the secure hardware module, the encryption key cannot be cracked, and the security is high.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the electronic device to which the data processing method described above is applied may refer to the corresponding description in the foregoing product embodiments, and details are not repeated herein.
The above embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and the scope of the present invention is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present invention, and such modifications and equivalents should also be considered as falling within the scope of the present invention.

Claims (8)

1. A method of data transmission, comprising:
generating first data request information regarding a request to transmit data;
judging, by using a secure hardware module, whether the first data request information is valid and whether an application program generating the first data request information is safe;
when the first data request message is valid and an application program generating the first data request message is safe, the secure hardware module permits transmission of first data requested to be transmitted by the first data request message;
wherein, the determining, by the secure hardware module, whether the application program that generates the first data request information is secure comprises:
inquiring and generating an application program of the first data request information according to the identification information in the first data request information;
obtaining a verification result of the application program in a BIOS stage;
and judging whether the application program generating the first data request information is safe or not according to the verification result.
2. The method of claim 1, wherein said determining, with a secure hardware module, whether the first data request information is valid comprises:
acquiring identification information about the application program in the first data request information;
verifying whether the identification information is correct; and
when the identification information is verified to be correct, determining that the first data request information is valid.
3. The method of claim 1, wherein said determining, with a secure hardware module, whether the first data request information is valid comprises:
acquiring identification information about the application program in the first data request information;
verifying whether the identification information is correct or not and verifying whether first data requested to be transmitted by the first data request information is safe or not;
and when the identification information is verified to be correct and the first data is safe, judging that the first data request information is valid.
4. The method of claim 2 or 3, wherein the verifying whether the identification information is correct comprises:
querying the stored data for the identification information, and if the identification information is found, determining that the identification information is correct.
5. An electronic device comprising a secure hardware module and a processor, wherein,
the processor is configured to send first data request information about transmitting data to the secure hardware module, and to transmit the first data either based on the secure hardware module's permission to send the first data corresponding to the first data request information, or based on the secure hardware module's permission to control the application program generating the first data request information;
the secure hardware module is configured to determine whether first data request information sent by the processor is valid and whether the application program generating the first data request information is secure, and is configured to permit sending of first data corresponding to the first data request information when the first data request information is valid and the application program generating the first data request information is secure;
the secure hardware module is further configured to obtain a verification result of the application program in the BIOS stage, and determine whether the application program generating the first data request information is secure based on the verification result.
6. The electronic device of claim 5, wherein the secure hardware module is further configured to determine that the first data request information is valid upon verifying that the identification information in the first data request information about the application that generated the first data request information is correct.
7. The electronic device of claim 5, wherein the secure hardware module is further configured to determine whether first data requested to be transmitted by the first data request information is secure, and to permit transmission of the first data corresponding to the first data request information when the first data is secure.
8. The electronic device of any of claims 5-7, wherein the secure hardware module comprises a TCM module.
CN201710192933.9A 2017-03-28 2017-03-28 Data transmission method and electronic equipment Active CN106953728B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710192933.9A CN106953728B (en) 2017-03-28 2017-03-28 Data transmission method and electronic equipment

Publications (2)

Publication Number Publication Date
CN106953728A CN106953728A (en) 2017-07-14
CN106953728B true CN106953728B (en) 2020-08-25

Family

ID=59473933

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710192933.9A Active CN106953728B (en) 2017-03-28 2017-03-28 Data transmission method and electronic equipment

Country Status (1)

Country Link
CN (1) CN106953728B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114070603A (en) * 2021-11-11 2022-02-18 上汽通用五菱汽车股份有限公司 Vehicle information encryption method and device, vehicle and computer readable storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8225093B2 (en) * 2006-12-05 2012-07-17 Qualcomm Incorporated Providing secure inter-application communication for a mobile operating environment
CN102801688B (en) * 2011-05-23 2015-11-25 联想(北京)有限公司 The terminal of a kind of method of data access, device and supported data access
CN103164659A (en) * 2011-12-13 2013-06-19 联想(北京)有限公司 Method for realizing data storage safety and electronic device
CN104023013B (en) * 2014-05-30 2017-04-12 上海帝联信息科技股份有限公司 Data transmission method, server side and client
CN106384042B (en) * 2016-09-13 2019-06-04 北京豆荚科技有限公司 A kind of electronic equipment and security system

Also Published As

Publication number Publication date
CN106953728A (en) 2017-07-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant