CN108256346A - Method for protecting critical data, encryption protection device and embedded system device

Publication number: CN108256346A
Authority: CN (China)
Legal status: Granted
Application number: CN201611240729.1A
Other languages: Chinese (zh)
Other versions: CN108256346B (en)
Inventors: 吴燕静, 王茂义
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Application filed by: China Mobile Communications Group Co Ltd; China Mobile Hangzhou Information Technology Co Ltd
Priority: CN201611240729.1A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Abstract

The invention discloses a method for protecting critical data, comprising: obtaining a public key shared by an embedded system device; encrypting the critical data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code, the first decryption code being used to decrypt the ciphertext data; encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code, the second decryption code being used to decrypt the encrypted first decryption code; and sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device. The invention also discloses an encryption protection device, an embedded system device and a system for protecting critical data.

Description

Method for protecting critical data, encryption protection device and embedded system device
Technical field
The present invention relates to the field of embedded system data security, and in particular to a method for protecting critical data, an encryption protection device and an embedded system device.
Background
With the development of informatization, intelligence and networking, embedded systems, with advantages such as ease of operation, small size, low power consumption, high reliability and good portability, are widely used in many areas of society, including the home, industry, business, the office and medical care, and occupy an increasingly important position. Protecting the critical data in embedded systems has therefore become particularly important.
At present, methods for protecting critical data in embedded systems mainly include: using flash memory (Flash) as the configuration data memory, or storing configuration data in Flash blocks; establishing a NAND Flash embedded file system (Yet Another Flash File System, YAFFS2) in the embedded system and partitioning the NAND Flash; using static random access memory (Static Random Access Memory, SRAM) as system memory to store data, with battery backup; and using dynamic random access memory (Dynamic Random Access Memory, DRAM) as system memory to store data, with non-volatile memory as the permanent data storage medium. When these methods are used to protect the critical data in an embedded system, the encryption and decryption code is easily reverse-engineered, so the critical data is easily obtained and security is low.
Summary of the invention
In view of this, embodiments of the present invention aim to provide a method for protecting critical data, an encryption protection device and an embedded system device, so as to protect critical data in an embedded system and improve data security.
To achieve the above objective, the technical solution of the present invention is implemented as follows:
The present invention provides a method for protecting critical data, the method including:
obtaining a public key shared by an embedded system device;
encrypting the critical data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data;
encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code;
sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
In the above scheme, the second encryption code is asymmetric encryption code;
obtaining the public key shared by the embedded system device includes:
obtaining the public key shared by the embedded system device through a serial port;
sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device includes:
burning the ciphertext data, the encrypted first decryption code and the second decryption code into the flash memory (Flash) of the embedded system device.
The present invention provides a method for protecting critical data, the method including:
generating a private key according to the device's own inherent feature identifier, and deriving the corresponding public key from the private key using an asymmetric key generation method;
sharing the public key with an encryption protection device;
storing the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.
In the above scheme, after storing the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device, the method further includes:
decrypting the ciphertext data in memory to obtain the critical data to be protected;
after the critical data to be protected has been obtained, performing a clearing operation;
decrypting the ciphertext data in memory to obtain the critical data to be protected includes:
calling an application programming interface (API) function in memory to dynamically obtain the private key;
decrypting the encrypted first decryption code according to the private key and the second decryption code to obtain the first decryption code;
decrypting the ciphertext data using the first decryption code to obtain the critical data to be protected.
In the above scheme, generating the private key according to the device's own inherent feature identifier includes:
generating the private key from the device's own inherent feature identifier using a hash algorithm; the inherent feature identifier includes: the vendor identifier (Vendor ID) and the serial number (SN);
sharing the public key with the encryption protection device includes:
sharing the public key with the encryption protection device through a serial port;
storing the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device includes:
storing the ciphertext data, the encrypted first decryption code and the second decryption code burned by the encryption protection device in the flash memory (Flash).
The present invention provides an encryption protection device, the device including:
an acquisition module, configured to obtain a public key shared by an embedded system device;
a first encryption module, configured to encrypt the critical data to be protected according to a first encryption code to obtain ciphertext data, and to obtain a first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data;
a second encryption module, configured to encrypt the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and to obtain a second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code;
a sending module, configured to send the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
In the above scheme, the second encryption code is asymmetric encryption code;
the acquisition module is specifically configured to obtain the public key shared by the embedded system device through a serial port;
the sending module is specifically configured to burn the ciphertext data, the encrypted first decryption code and the second decryption code into the flash memory (Flash) of the embedded system device.
The present invention provides an embedded system device, the device including:
a generation module, configured to generate a private key according to the device's own inherent feature identifier, and to derive the corresponding public key from the private key using an asymmetric key generation method;
a sharing module, configured to share the public key with an encryption protection device;
a storage module, configured to store the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.
In the above scheme, the device further includes:
a decryption module, configured to decrypt the ciphertext data in memory to obtain the critical data to be protected;
a clearing module, configured to perform a clearing operation after the critical data to be protected has been obtained;
the decryption module is specifically configured to:
call an application programming interface (API) function in memory to dynamically obtain the private key;
decrypt the encrypted first decryption code according to the private key and the second decryption code to obtain the first decryption code;
decrypt the ciphertext data using the first decryption code to obtain the critical data to be protected.
In the above scheme, the generation module is specifically configured to generate the private key from the device's own inherent feature identifier using a hash algorithm; the inherent feature identifier includes: the vendor identifier (Vendor ID) and the serial number (SN);
the sharing module is specifically configured to share the public key with the encryption protection device through a serial port;
the storage module is specifically configured to store the ciphertext data, the encrypted first decryption code and the second decryption code burned by the encryption protection device in the flash memory (Flash).
The present invention provides a system for protecting critical data, characterized in that the system includes the encryption protection device described in the above scheme and the embedded system device described in the above scheme.
In the method for protecting critical data, the encryption protection device and the embedded system device provided by the embodiments of the present invention, the public key shared by the embedded system device is obtained; the critical data to be protected is encrypted according to the first encryption code to obtain ciphertext data, and the first decryption code is obtained according to the first encryption code, the first decryption code being used to decrypt the ciphertext data; the first decryption code is encrypted according to the public key and the second encryption code to obtain the encrypted first decryption code, and the second decryption code is obtained according to the second encryption code, the second decryption code being used to decrypt the encrypted first decryption code; the ciphertext data, the encrypted first decryption code and the second decryption code are sent to the embedded system device. This protects the critical data in the embedded system and improves data security.
Brief description of the drawings
Fig. 1 is a flowchart of Embodiment one of the method for protecting critical data of the present invention;
Fig. 2 is a flowchart of Embodiment two of the method for protecting critical data of the present invention;
Fig. 3 is a flowchart of Embodiment three of the method for protecting critical data of the present invention;
Fig. 4 is a schematic diagram of how the key pair is generated in the method for protecting critical data of the present invention;
Fig. 5 is a schematic diagram of the PC encryption protection platform encrypting the critical data to be protected and the data decryption code in an embodiment of the method for protecting critical data of the present invention;
Fig. 6 is a schematic diagram of the storage of data and code in the embedded system device in an embodiment of the method for protecting critical data of the present invention;
Fig. 7 is a schematic diagram of the embedded system device decrypting, in memory, the encrypted data decryption code and the ciphertext data in an embodiment of the method for protecting critical data of the present invention;
Fig. 8 is a structural diagram of an embodiment of the encryption protection device of the present invention;
Fig. 9 is a structural diagram of an embodiment of the embedded system device of the present invention;
Fig. 10 is a structural diagram of an embodiment of the system for protecting critical data of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments of the present invention.
Embodiment one
Fig. 1 is a flowchart of Embodiment one of the method for protecting critical data of the present invention. As shown in Fig. 1, the method for protecting critical data provided by this embodiment is applied on the encryption protection device and may include the following steps:
Step 101: Obtain the public key shared by the embedded system device.
The encryption protection device connects to the embedded system device through a serial port and obtains the public key shared by the embedded system device.
Step 102: Encrypt the critical data to be protected according to the first encryption code to obtain ciphertext data, and obtain the first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data.
After the encryption protection device has obtained the public key shared by the embedded system device, it first encrypts the critical data to be protected according to the first encryption code to obtain ciphertext data, and obtains the first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data.
For example, the encryption protection device is a personal computer (Personal Computer, PC) encryption protection platform. After the PC encryption protection platform has obtained the public key shared by the embedded system device, it encrypts the critical data to be protected with the first encryption code to obtain ciphertext data; at the same time, it obtains from the first encryption code the first decryption code used to decrypt the ciphertext data.
Step 103: Encrypt the first decryption code according to the public key and the second encryption code to obtain the encrypted first decryption code, and obtain the second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code.
After the encryption protection device that has obtained the public key has encrypted the critical data to be protected to obtain ciphertext data, and has obtained the first decryption code according to the first encryption code, it encrypts the obtained first decryption code according to the obtained public key and the second encryption code to obtain the encrypted first decryption code; at the same time, it obtains the second decryption code from the second encryption code. The second decryption code obtained is used to decrypt the encrypted first decryption code; the second encryption code is asymmetric encryption code.
For example, the PC encryption protection platform that has obtained the public key encrypts, according to the public key and the asymmetric encryption code, the first decryption code used to decrypt the ciphertext data, obtaining the encrypted first decryption code, and determines the second decryption code from the asymmetric encryption code; the second decryption code is then used to decrypt the encrypted first decryption code.
Step 104: Send the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
After the encryption protection device has obtained the ciphertext data, the encrypted first decryption code and the second decryption code, it burns them through the serial port into the flash memory (Flash) of the embedded system device, so that the ciphertext data, the encrypted first decryption code and the second decryption code are stored in the Flash of the embedded system device.
In the method for protecting critical data provided by this embodiment, the encryption protection device obtains the public key shared by the embedded system device; encrypts the critical data to be protected according to the first encryption code to obtain ciphertext data, and obtains the first decryption code according to the first encryption code, the first decryption code being used to decrypt the ciphertext data; encrypts the first decryption code according to the public key and the second encryption code to obtain the encrypted first decryption code, and obtains the second decryption code according to the second encryption code, the second decryption code being used to decrypt the encrypted first decryption code; and sends the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device. Not only is the critical data to be protected encrypted, but the first decryption code that decrypts the ciphertext data is also protected by encryption. This gives the critical data in the embedded system double protection, makes the critical data harder to crack, and improves data security.
Embodiment two
Fig. 2 is a flowchart of Embodiment two of the method for protecting critical data of the present invention. As shown in Fig. 2, the method for protecting critical data provided by this embodiment is applied on the embedded system device and may include the following steps:
Step 201: Generate a private key according to the device's own inherent feature identifier, and derive the corresponding public key from the private key using an asymmetric key generation method.
The embedded system device generates a private key from its own inherent feature identifiers, such as the vendor identifier (Vendor ID) and the serial number (Serial Number, SN), using a specific algorithm such as a hash algorithm, and derives the corresponding public key from the private key using an asymmetric key generation method.
For example, the embedded system device uses a hash algorithm to compute a value from its own inherent SN and takes that value as the private key, and derives the corresponding public key from the private key using an asymmetric key generation method.
Step 202: Share the public key with the encryption protection device.
After the embedded system device has generated the private key and the corresponding public key, it shares the generated public key with the encryption protection device through a serial port, so that the encryption protection device can use the public key to encrypt the decryption code that decrypts the ciphertext data.
Step 203: Store the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.
After the embedded system device has shared the public key with the encryption protection device, it stores the ciphertext data, the encrypted first decryption code and the second decryption code burned by the encryption protection device in Flash; the second decryption code is used to decrypt the encrypted first decryption code, and the first decryption code is used to decrypt the ciphertext data.
After the embedded system device has stored the ciphertext data, the encrypted first decryption code and the second decryption code burned by the encryption protection device in Flash, obtaining the critical data to be protected requires decrypting the ciphertext data in memory; once the critical data to be protected has been obtained and used, a clearing operation is performed.
Specifically, when the embedded system device needs to decrypt the ciphertext data, it first calls an application programming interface (Application Programming Interface, API) function in memory to dynamically obtain the private key generated from its own inherent feature identifier. It then decrypts the encrypted first decryption code according to the private key and the second decryption code to obtain the first decryption code, and uses the first decryption code to decrypt the ciphertext data, obtaining the critical data to be protected. After the critical data to be protected has been obtained and used, the clearing operation is performed, which completes the decryption of the ciphertext data.
In the method for protecting critical data provided by this embodiment, the embedded system device generates a private key according to its own inherent feature identifier and derives the corresponding public key from the private key using an asymmetric key generation method; shares the public key with the encryption protection device; and stores the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encryption protection device, the second decryption code being used to decrypt the encrypted first decryption code and the first decryption code being used to decrypt the ciphertext data. This protects the critical data in the embedded system: the first decryption code used to decrypt the ciphertext data is stored in Flash in ciphertext form, which makes the critical data harder to crack and improves data security.
Embodiment three
Fig. 3 is the flow chart of the guard method embodiment three of critical data of the present invention;Applied to encipherment protection device with it is embedding The interaction of embedded system device, encipherment protection device are PC machine encipherment protection platform, wherein, PC machine encipherment protection platform and insertion Formula system and device is mutual indepedent, and the two carries out data interaction by serial ports;The first encrypted code in the present embodiment adds for data Close code, is shown with Code table;Critical data to be protected represents that ciphertext data are represented with EData with Data;First decrypted code For data deciphering code, represented with DCode;Second encrypted code is asymmetric encryption code, is represented with EC;Encrypted data Decrypted code is represented with EDCode;Second decrypted code is the decrypted code for decrypting EDCode, referred to as decrypted code, is used DEC is represented;As shown in figure 3, the guard method of critical data provided in an embodiment of the present invention may include steps of:
Step 301:Embedded system device generates private key Skey according to the inherent feature identifier of itself, and utilization is non-right Claim key method of formation that private key Skey is derived corresponding public key Pkey.
Each embedded system device have some be different from other equipment software and hardware identifiers, as supplier ID, SN etc., embedded system device first according to these inherent feature identifiers of itself using specific algorithm, such as hash algorithm, Private key is generated, and the private key is derived into corresponding public key using unsymmetrical key method of formation.
Generating mode schematic diagrames of the Fig. 4 for key pair in the guard method of critical data of the present invention;As shown in figure 4, embedding In embedded system device, operating system passes through special algorithm, such as Hash using the inherent feature identifier of embedded system device Algorithm calculates and obtains a value as the private key Skey in rivest, shamir, adelman;Then according to the generation side of unsymmetrical key Method obtains the corresponding public key Pkey of Skey, completes the generation of key pair (i.e. Skey and Pkey).
Step 302:Public key Pkey is shared to PC machine encipherment protection platform by embedded system device.
Embedded system device generates private key Skey and after deriving public key Pkey using the inherent feature identifier of itself, It is connect with PC machine encipherment protection platform by serial ports, the Pkey of generation is shared into PC machine encipherment protection platform, and generate Skey is then stored directly in embedded system device.
Step 303:PC machine encipherment protection platform according to data encryption code Code to critical data Data to be protected into Row encryption, obtains ciphertext data EData, and obtain data deciphering code DCode according to data encryption code Code.
The PC machine encipherment protection platform for getting Pkey is right according to data encryption code Code (the first encrypted code) first Operation is encrypted in the critical data Data protected, obtains the critical data to be protected of ciphertext form, i.e. ciphertext Data EData;Meanwhile PC machine encipherment protection platform determines the data for decrypting EData according to data encryption code Code Decrypted code DCode (the first decrypted code).
Step 304:PC machine encipherment protection platform is according to public key Pkey and asymmetric encryption code EC to data decrypted code DCode is encrypted, and obtains encrypted data deciphering code EDCode, and obtain decryption generation according to asymmetric encryption code EC Code DEC.
The PC machine encipherment protection platform of Pkey is got using the Pkey, and (second adds according to asymmetric encryption code EC Close code) operation is encrypted according to rivest, shamir, adelman to data decrypted code DCode (the first decrypted code), added Data deciphering code EDCode after close;Meanwhile PC machine encipherment protection platform obtains solving according to asymmetric encryption code EC The decrypted code DEC (the second decrypted code) of close EDCode.
Fig. 5 is PC machine encipherment protection platform in the guard method embodiment of critical data of the present invention to crucial number to be protected According to and data deciphering code the schematic diagram of operation is encrypted;As shown in figure 5, on PC machine encipherment protection platform, first to needing Operation is encrypted by data encryption code Code in critical data to be protected, i.e., critical data Data to be protected, obtains The data of ciphertext form, i.e. ciphertext data EData;After critical data Data to be protected is encrypted, public key is obtained The PC machine encipherment protection platform of Pkey uses the key, and using selected asymmetric encryption code EC to data decrypted code Operation is encrypted in DCode, obtains encrypted data deciphering code EDCode, that is, utilizes selected rivest, shamir, adelman, Such as operation is encrypted to data decrypted code DCode in RSA cryptographic algorithms, Elgamal algorithms, knapsack algorithm;Wherein, it is non-right The corresponding decrypted codes of encrypted code EC are referred to as DEC.
Step 305:PC machine encipherment protection platform is by the ciphertext data EData of acquisition, encrypted data deciphering code EDCode and decrypted code DEC are burned onto in the Flash of embedded system device.
Behaviour is being encrypted to critical data Data to be protected and data deciphering code DCode in PC machine encipherment protection platform Make, after obtaining ciphertext data EData, encrypted data deciphering code EDCode and decrypted code DEC, by ciphertext data EData, encrypted data deciphering code EDCode and decrypted code DEC are burned onto embedded system device by serial ports In Flash, stored.
Step 306: The embedded system device calls an API function in memory to obtain the private key Skey dynamically.
After the PC encipherment protection platform has burned the ciphertext data EData, the encrypted data decryption code EDCode and the decryption code DEC into the embedded system device, the embedded system device, in order to obtain the original critical data, i.e. the critical data Data to be protected, first needs to call an API function in memory to dynamically obtain the private key Skey held in the embedded system device.
Step 307: The embedded system device decrypts the encrypted data decryption code EDCode according to the private key Skey and the decryption code DEC, obtaining the data decryption code DCode.
After obtaining the private key Skey, the embedded system device calls the decryption code DEC in memory and uses the private key Skey to decrypt the encrypted data decryption code EDCode, obtaining the data decryption code DCode as it was before encryption.
Step 308: The embedded system device decrypts the ciphertext data EData using the data decryption code DCode, obtaining the critical data Data to be protected.
After obtaining the data decryption code DCode, the embedded system device loads the ciphertext data EData in memory and decrypts it using the data decryption code DCode, obtaining the critical data Data to be protected.
Step 309: The embedded system device performs a clearing operation.
After the embedded system device has obtained the critical data Data to be protected and has used it, the memory is cleared immediately and Data is not retained.
Fig. 6 is a schematic diagram of the storage of data and code in the embedded system device in an embodiment of the critical data protection method of the present invention. As shown in Fig. 6, the embedded system device has two kinds of storage media, memory and Flash. Memory can serve as a storage medium for a file system in the embedded system device, but it cannot keep its contents unchanged on power loss, so a memory-based file system can only be a temporary file system used to hold temporary files. The benefit of memory is that its changes exist only in memory, so restarting the system leaves no residue behind. Flash is the most common file-system storage medium in embedded system devices; unlike memory, it keeps files from being lost on power loss. Therefore, in the present invention, the ciphertext data EData, the encrypted data decryption code EDCode and the decryption code DEC are kept in Flash, while decryption of the code and data is carried out in memory, and a clearing operation is performed immediately after it has run.
Fig. 7 is a schematic diagram of the embedded system device decrypting the encrypted data decryption code and the ciphertext data in memory in an embodiment of the critical data protection method of the present invention. As shown in Fig. 7, to obtain the original critical data, i.e. the critical data Data to be protected, an API function is first called in memory to obtain the private key Skey. The decryption code DEC is then called and, using the private key Skey just obtained, decrypts the encrypted data decryption code EDCode, yielding the data decryption code as it was before encryption, i.e. DCode. Next, the data decryption code DCode is called in memory to decrypt the ciphertext data EData, yielding the plaintext data, i.e. the critical data Data to be protected. After the critical data Data to be protected has been used, the memory is cleared and Data is not retained.
In the above process, the PC encipherment protection platform not only encrypts the critical data to be protected, but also applies asymmetric encryption to the data decryption code (i.e. DCode) that decrypts the ciphertext data, so that the data decryption code is stored in Flash in ciphertext form. Meanwhile, the private key used in the asymmetric encryption operation is generated directly in the embedded system device, computed from its specific software and hardware identifiers according to a certain algorithm; only when the embedded system device needs to decrypt the ciphertext data in memory can the private key be obtained dynamically from the embedded system device by calling the relevant API function. Therefore, for an attacker, obtaining the value of the private key is not easy, the key is kept more securely and confidentially, and cracking the critical data becomes more difficult.
In the critical data protection method provided by this embodiment of the present invention, the embedded system device generates the private key Skey according to its own inherent feature identifier and derives the corresponding public key Pkey from the private key Skey using an asymmetric key generation method. The embedded system device shares the public key Pkey with the PC encipherment protection platform. The PC encipherment protection platform encrypts the critical data Data to be protected according to the data encryption code Code, obtaining the ciphertext data EData and the data decryption code DCode. The PC encipherment protection platform encrypts the data decryption code DCode according to the public key Pkey and the asymmetric encryption code EC, obtaining the encrypted data decryption code EDCode and the decryption code DEC. The PC encipherment protection platform burns the obtained ciphertext data EData, the encrypted data decryption code EDCode and the decryption code DEC into the Flash of the embedded system device. The embedded system device calls an API function in memory to obtain the private key Skey dynamically, decrypts the encrypted data decryption code EDCode according to the private key Skey and the decryption code DEC to obtain the data decryption code DCode, and decrypts the ciphertext data EData using the data decryption code DCode to obtain the critical data Data to be protected. The embedded system device then performs a clearing operation. Not only is the critical data to be protected encrypted, but the data decryption code that decrypts the ciphertext data is encrypted as well; this double encryption protection of the data is realized in software, improves the security of the data, and costs less to implement than a hardware implementation.
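The flow summarized above, modelled end to end as an added example (it is not code from the patent). Assumptions not specified by the patent: SHA-256 as the hash, toy ElGamal over the prime 2**127 - 1 with base 3 as the asymmetric code EC/DEC, a SHA-256 counter keystream standing in for Code/DCode, a random 32-byte blob standing in for DCode, and constructed Vendor ID, SN and secret values; the toy parameters are not secure.

```python
import hashlib
import secrets

# Assumption: toy ElGamal group. P is the Mersenne prime 2**127 - 1, chosen
# only to keep the example short; it is far too small for real use.
P = 2**127 - 1
G = 3


def derive_private_key(vendor_id: str, serial: str) -> int:
    """Device side: hash the inherent identifiers (Vendor ID, SN) into Skey."""
    digest = hashlib.sha256(f"{vendor_id}|{serial}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 1  # range [1, P-2]


def derive_public_key(skey: int) -> int:
    """Device side: derive Pkey from Skey; only Pkey leaves the device."""
    return pow(G, skey, P)


def _stream_xor(data: bytes, key: bytes) -> bytes:
    """SHA-256 counter keystream XOR; stands in for the encryption codes."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _wrap_key(shared: int) -> bytes:
    """Turn the ElGamal shared value into a 32-byte wrapping key."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def pc_protect(data: bytes, pkey: int):
    """PC side: build the image burned to Flash in step 305: (EData, EDCode)."""
    dcode = secrets.token_bytes(32)           # stands in for DCode
    edata = _stream_xor(data, dcode)          # Data -> EData
    k = secrets.randbelow(P - 2) + 1          # ephemeral ElGamal secret
    c1 = pow(G, k, P)
    wrapped = _stream_xor(dcode, _wrap_key(pow(pkey, k, P)))  # DCode -> EDCode
    return edata, (c1, wrapped)


def device_use(flash_image, vendor_id: str, serial: str, consumer):
    """Device side, steps 306-309: decrypt in RAM, use the data, then clear."""
    edata, (c1, wrapped) = flash_image
    skey = derive_private_key(vendor_id, serial)                    # step 306
    shared = pow(c1, skey, P)
    dcode = bytearray(_stream_xor(wrapped, _wrap_key(shared)))      # step 307
    data = bytearray(_stream_xor(edata, bytes(dcode)))              # step 308
    try:
        return consumer(data)
    finally:
        # Step 309: overwrite the mutable buffers. Python may still hold
        # immutable temporaries; on a real device this is an explicit wipe
        # of the RAM buffers.
        for buf in (dcode, data):
            buf[:] = bytes(len(buf))


# Constructed sample values, not taken from the patent.
VENDOR_ID, SERIAL = "0x1A2B", "SN00012345"
SECRET = b"wifi-psk=constructed-example-value"


def demo():
    pkey = derive_public_key(derive_private_key(VENDOR_ID, SERIAL))
    image = pc_protect(SECRET, pkey)
    seen = []
    digest = device_use(
        image, VENDOR_ID, SERIAL,
        lambda d: (seen.append(d), hashlib.sha256(d).hexdigest())[1])
    # A device with a different SN derives a different Skey.
    wrong = device_use(image, VENDOR_ID, "SN00099999", lambda d: bytes(d))
    return image, digest, seen[0], wrong


if __name__ == "__main__":
    image, digest, buf, wrong = demo()
    print("plaintext visible in flash image:", SECRET in image[0])
    print("buffer after use is all zeros:", not any(buf))
    print("other device recovers data:", wrong == SECRET)
```

Because Skey is a pure function of Vendor ID and SN, nothing secret has to be stored on the device, but the key is only as hard to learn as those identifiers and the derivation routine are.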
Embodiment four
Fig. 8 is a structural diagram of an embodiment of the encipherment protection device of the present invention. As shown in Fig. 8, the encipherment protection device 08 provided by this embodiment of the present invention includes: an acquisition module 81, a first encrypting module 82, a second encrypting module 83 and a sending module 84; wherein,
The acquisition module 81 is configured to obtain the public key shared by the embedded system device;
The first encrypting module 82 is configured to encrypt the critical data to be protected according to the first encryption code to obtain ciphertext data, and to obtain the first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data;
The second encrypting module 83 is configured to encrypt the first decryption code according to the public key and the second encryption code to obtain the encrypted first decryption code, and to obtain the second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code;
The sending module 84 is configured to send the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
Further, the second encryption code is an asymmetric encryption code;
The acquisition module 81 is specifically configured to obtain, through the serial port, the public key shared by the embedded system device;
The sending module 84 is specifically configured to burn the ciphertext data, the encrypted first decryption code and the second decryption code into the flash memory (Flash) of the embedded system device.
The encipherment protection device of this embodiment can be used to carry out the technical solution of the method embodiments shown above; its implementation principle and technical effect are similar and are not repeated here.
In practical applications, the acquisition module 81, the first encrypting module 82, the second encrypting module 83 and the sending module 84 of the encipherment protection device 08 can be implemented by a central processing unit (Central Processing Unit, CPU), a microprocessor (Micro Processor Unit, MPU), a digital signal processor (Digital Signal Processor, DSP) or a field programmable gate array (Field Programmable Gate Array, FPGA) located in the encipherment protection device 08.
Embodiment five
Fig. 9 is a structural diagram of an embodiment of the embedded system device of the present invention. As shown in Fig. 9, the embedded system device 09 provided by this embodiment of the present invention includes: a generation module 91, a sharing module 92 and a memory module 93; wherein,
The generation module 91 is configured to generate a private key according to the device's own inherent feature identifier, and to derive the corresponding public key from the private key using an asymmetric key generation method;
The sharing module 92 is configured to share the public key with the encipherment protection device;
The memory module 93 is configured to store the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encipherment protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.
Further, the device 09 also includes: a deciphering module 94 and an emptying module 95; wherein,
The deciphering module 94 is configured to decrypt the ciphertext data in memory to obtain the critical data to be protected;
The emptying module 95 is configured to perform a clearing operation after the critical data to be protected has been obtained;
The deciphering module 94 is specifically configured to:
Call an application programming interface (API) function in memory to obtain the private key dynamically;
Decrypt the encrypted first decryption code according to the private key and the second decryption code to obtain the first decryption code;
Decrypt the ciphertext data using the first decryption code to obtain the critical data to be protected.
Further, the generation module 91 is specifically configured to generate the private key from the device's own inherent feature identifier using a hash algorithm; wherein the inherent feature identifier includes: the vendor identifier Vendor ID and the serial number SN;
The sharing module 92 is specifically configured to share the public key with the encipherment protection device through the serial port;
The memory module 93 is specifically configured to store the ciphertext data, the encrypted first decryption code and the second decryption code burned by the encipherment protection device in the flash memory (Flash).
The embedded system device of this embodiment can be used to carry out the technical solution of the method embodiments shown above; its implementation principle and technical effect are similar and are not repeated here.
In practical applications, the generation module 91, the sharing module 92, the memory module 93, the deciphering module 94 and the emptying module 95 of the embedded system device 09 can be implemented by a central processing unit (Central Processing Unit, CPU), a microprocessor (Micro Processor Unit, MPU), a digital signal processor (Digital Signal Processor, DSP) or a field programmable gate array (Field Programmable Gate Array, FPGA) located in the embedded system device 09.
Embodiment six
Fig. 10 is a structural diagram of an embodiment of the critical data protection system of the present invention. As shown in Fig. 10, the critical data protection system 010 provided by this embodiment of the present invention includes: an encipherment protection device 0101 and an embedded system device 0102; wherein,
The encipherment protection device 0101 is the encipherment protection device described in the above embodiment;
The embedded system device 0102 is the embedded system device described in the above embodiment.
The critical data protection system of this embodiment can be used to carry out the technical solution of the method embodiments shown above; its implementation principle and technical effect are similar and are not repeated here.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the scope of the present invention.

Claims (11)

1. A method for protecting critical data, characterized in that the method comprises:
Obtaining the public key shared by an embedded system device;
Encrypting the critical data to be protected according to a first encryption code to obtain ciphertext data, and obtaining a first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data;
Encrypting the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and obtaining a second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code;
Sending the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
2. The method according to claim 1, characterized in that the second encryption code is an asymmetric encryption code;
The obtaining of the public key shared by the embedded system device comprises:
Obtaining, through a serial port, the public key shared by the embedded system device;
The sending of the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device comprises:
Burning the ciphertext data, the encrypted first decryption code and the second decryption code into the flash memory (Flash) of the embedded system device.
3. A method for protecting critical data, characterized in that the method comprises:
Generating a private key according to the device's own inherent feature identifier, and deriving the public key corresponding to the private key using an asymmetric key generation method;
Sharing the public key with an encipherment protection device;
Storing the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encipherment protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.
4. The method according to claim 3, characterized in that, after the storing of the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encipherment protection device, the method further comprises:
Decrypting the ciphertext data in memory to obtain the critical data to be protected;
Performing a clearing operation after the critical data to be protected has been obtained;
The decrypting of the ciphertext data in memory to obtain the critical data to be protected comprises:
Calling an application programming interface (API) function in memory to obtain the private key dynamically;
Decrypting the encrypted first decryption code according to the private key and the second decryption code to obtain the first decryption code;
Decrypting the ciphertext data using the first decryption code to obtain the critical data to be protected.
5. The method according to claim 3, characterized in that the generating of a private key according to the device's own inherent feature identifier comprises:
Generating the private key from the device's own inherent feature identifier using a hash algorithm; wherein the inherent feature identifier includes: the vendor identifier Vendor ID and the serial number SN;
The sharing of the public key with the encipherment protection device comprises:
Sharing the public key with the encipherment protection device through a serial port;
The storing of the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encipherment protection device comprises:
Storing the ciphertext data, the encrypted first decryption code and the second decryption code burned by the encipherment protection device in the flash memory (Flash).
6. An encipherment protection device, characterized in that the device comprises:
An acquisition module, configured to obtain the public key shared by an embedded system device;
A first encrypting module, configured to encrypt the critical data to be protected according to a first encryption code to obtain ciphertext data, and to obtain a first decryption code according to the first encryption code; the first decryption code is used to decrypt the ciphertext data;
A second encrypting module, configured to encrypt the first decryption code according to the public key and a second encryption code to obtain an encrypted first decryption code, and to obtain a second decryption code according to the second encryption code; the second decryption code is used to decrypt the encrypted first decryption code;
A sending module, configured to send the ciphertext data, the encrypted first decryption code and the second decryption code to the embedded system device.
7. The device according to claim 6, characterized in that the second encryption code is an asymmetric encryption code;
The acquisition module is specifically configured to obtain, through a serial port, the public key shared by the embedded system device;
The sending module is specifically configured to burn the ciphertext data, the encrypted first decryption code and the second decryption code into the flash memory (Flash) of the embedded system device.
8. An embedded system device, characterized in that the device comprises:
A generation module, configured to generate a private key according to the device's own inherent feature identifier, and to derive the corresponding public key from the private key using an asymmetric key generation method;
A sharing module, configured to share the public key with an encipherment protection device;
A memory module, configured to store the ciphertext data, the encrypted first decryption code and the second decryption code sent by the encipherment protection device; the second decryption code is used to decrypt the encrypted first decryption code; the first decryption code is used to decrypt the ciphertext data.
9. The device according to claim 8, characterized in that the device further comprises:
A deciphering module, configured to decrypt the ciphertext data in memory to obtain the critical data to be protected;
An emptying module, configured to perform a clearing operation after the critical data to be protected has been obtained;
The deciphering module is specifically configured to:
Call an application programming interface (API) function in memory to obtain the private key dynamically;
Decrypt the encrypted first decryption code according to the private key and the second decryption code to obtain the first decryption code;
Decrypt the ciphertext data using the first decryption code to obtain the critical data to be protected.
10. The device according to claim 8, characterized in that the generation module is specifically configured to generate the private key from the device's own inherent feature identifier using a hash algorithm; wherein the inherent feature identifier includes: the vendor identifier Vendor ID and the serial number SN;
The sharing module is specifically configured to share the public key with the encipherment protection device through a serial port;
The memory module is specifically configured to store the ciphertext data, the encrypted first decryption code and the second decryption code burned by the encipherment protection device in the flash memory (Flash).
11. A critical data protection system, characterized in that the system comprises the encipherment protection device according to claim 6 or 7 and the embedded system device according to any one of claims 8 to 10.
CN201611240729.1A 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device Active CN108256346B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611240729.1A CN108256346B (en) 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device

Publications (2)

Publication Number Publication Date
CN108256346A true CN108256346A (en) 2018-07-06
CN108256346B CN108256346B (en) 2020-12-01

Family

ID=62719048

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611240729.1A Active CN108256346B (en) 2016-12-28 2016-12-28 Key data protection method, encryption protection device and embedded system device

Country Status (1)

Country Link
CN (1) CN108256346B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109753770A (en) * 2019-01-07 2019-05-14 北京地平线机器人技术研发有限公司 Determine method and device, method for burn-recording and device, the electronic equipment of burning data
CN113268717A (en) * 2021-04-08 2021-08-17 东信和平科技股份有限公司 SE-based code program protection method, device and storage medium
CN113326512A (en) * 2021-05-21 2021-08-31 深圳矽递科技股份有限公司 Electronic equipment and MCU firmware protection method thereof

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6643775B1 (en) * 1997-12-05 2003-11-04 Jamama, Llc Use of code obfuscation to inhibit generation of non-use-restricted versions of copy protected software applications
CN1465008A (en) * 2001-02-16 2003-12-31 索尼株式会社 Data processing method and its apparatus
CN101320410A (en) * 2008-05-20 2008-12-10 北京深思洛克数据保护中心 Copyright protection method of embedded system
CN103678174A (en) * 2012-09-11 2014-03-26 联想(北京)有限公司 Data safety method, storage device and data safety system
CN104486355A (en) * 2014-12-30 2015-04-01 大连楼兰科技股份有限公司 Method and device for preventing malicious manipulation of codes
CN104866738A (en) * 2014-02-25 2015-08-26 北京娜迦信息科技发展有限公司 Program code protection method and device
CN105164693A (en) * 2013-04-25 2015-12-16 瑞保企业 Method and system for exchanging encrypted messages between computing devices in a communication network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王雄等: "MD5加密逆向破解及安全性改进", 《西安文理学院学报:自然科学版》 *

Also Published As

Publication number Publication date
CN108256346B (en) 2020-12-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310012 building A01, 1600 yuhangtang Road, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province

Applicant after: CHINA MOBILE (HANGZHOU) INFORMATION TECHNOLOGY Co.,Ltd.

Applicant after: China Mobile Communications Corp.

Address before: 310012, No. 14, building three, Chang Torch Hotel, No. 259, Wensanlu Road, Xihu District, Zhejiang, Hangzhou

Applicant before: CHINA MOBILE (HANGZHOU) INFORMATION TECHNOLOGY Co.,Ltd.

Applicant before: China Mobile Communications Corp.

GR01 Patent grant