CN108629206A - A kind of safe encryption method, encryption equipment and terminal device - Google Patents

A kind of safe encryption method, encryption equipment and terminal device Download PDF

Info

Publication number
CN108629206A
CN108629206A CN201711331236.3A CN201711331236A CN108629206A CN 108629206 A CN108629206 A CN 108629206A CN 201711331236 A CN201711331236 A CN 201711331236A CN 108629206 A CN108629206 A CN 108629206A
Authority
CN
China
Prior art keywords
encryption
safe
key
sek
keys
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711331236.3A
Other languages
Chinese (zh)
Other versions
CN108629206B (en
Inventor
李坚强
郑任持
刘绍海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
PAX Computer Technology Shenzhen Co Ltd
Original Assignee
PAX Computer Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by PAX Computer Technology Shenzhen Co Ltd filed Critical PAX Computer Technology Shenzhen Co Ltd
Priority to CN201711331236.3A priority Critical patent/CN108629206B/en
Publication of CN108629206A publication Critical patent/CN108629206A/en
Application granted granted Critical
Publication of CN108629206B publication Critical patent/CN108629206B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention is suitable for field of information security technology, provides a kind of safe encryption method, encryption equipment and terminal device, and the safe encryption method is applied to encryption equipment, and the encryption equipment includes:Safe processor CPU, sensor, battery back area BBL Area and trigger circuit;The safe encryption method includes encryption equipment firmware safety detection method:By the sensor inside detection safe processor CPU and external circumstances;If detecting situation exception, issue warning signal;By the pre-warning signal, directly notifies or notify battery back area BBL Area to destroy backup area content by trigger circuit;The safe encryption method further includes:Software security starts the method for secure storing of method and key.The hardware and structure design for realizing low cost through the invention, save purchase machine expense;The software model of stratification is provided, and provides the control mode of clean boot, realizes the key safety management in complete period.

Description

A kind of safe encryption method, encryption equipment and terminal device
Technical field
The invention belongs to a kind of field of information security technology more particularly to safe encryption method, encryption equipment and terminal devices.
Background technology
With the continuous development of information technology, internet it is universal, more and more data are needed in transmission over networks, packet Include interactive information, Email, identity information, Transaction Information and business data etc..However, illegal to the carry out of data at present It the unlawful activities such as monitors, steal and distorts to be on the increase, therefore the safety of data is also increasingly paid attention to by people.
Data are encrypted using cryptographic algorithm and are transmitted again, are to guarantee data security and effective hand of data integrity Section, therefore, many IT vendors have developed many encryption devices or encryption software, by encryption device or software, generate encryption Key, realization are encrypted clear data and are digitally signed to file.
Existing encryption technology is generally divided into example, in hardware and software form.Software form commonly relies in host system The enciphering and deciphering algorithm write realizes encryption, by providing software tool or network system for users to use, but is added due to this There are very big security risks for close software and encryption system, the rogue attacks by hacker are easy, to the O&M of software systems Management needs to construct the safety of increasingly complex software systems deprotection card key, needs to establish high standard, meets associated safety The computer room of certification ensures to store the Host Security of key, it is also necessary to design effective mechanism and carry out authentication and power to user The certification etc. of limit, therefore by existing technology, enterprise cannot be satisfied higher software development and O&M pipe in Software for Design Reason requires, and corresponding expense cost is also higher.The encryption device form of diverse of example, in hardware, most common made with unique host For encryption equipment, network interface is externally only provided and provides encryption and decryption service by specifically ordering, or uses the plug-in shapes such as USB flash disk Formula is chiefly used in the specific field such as digital certificate or authentication, it is difficult to realize and provide general encryption and decryption service;And it is existing Hardware device job stability and reliability it is poor, need additional very more protection Design or hardware circuit to ensure The stability and reliability of its work.Therefore, it in the encryption technology of existing example, in hardware and software form, cannot be satisfied The requirement for the stability, safety and reliability that higher software development works with operation management requirement and equipment, and The higher requirement of hardware configuration and software development etc., general enterprises can not also complete designing and developing for encryption device.
Invention content
In view of this, an embodiment of the present invention provides a kind of safe encryption method, encryption equipment and terminal device, it is existing to solve Have cannot be satisfied higher software development and operation management requirement in technology and equipment work higher stability, safety and The problem of reliability requirement.
The first aspect of the embodiment of the present invention provides a kind of safe encryption method, is applied to encryption equipment, the encryption equipment Firmware include:Safe processor CPU, sensor, battery back area BBL Area and trigger circuit;The safe encryption method Including encryption equipment firmware safety detection method:
By the sensor inside detection safe processor CPU and external circumstances;
If detecting situation exception, issue warning signal;
By the pre-warning signal, directly notifies or notify battery back area BBL Area in backup area by trigger circuit Appearance is destroyed.
The safe encryption method further includes that software security starts method, is included the following steps:
Start the safe processor CPU internal securities bootstrap Security Boot Loader;
It loads the safe bootstrap Security Boot Loader and verifies startup guiding Boot firmwares;
If verification has exception, start failure;
If verifying successfully, verifies and start encryption equipment firmware.
The software security further includes System self-test after starting, and the System self-test includes the following steps:
System starts, encryption equipment firmware self-test;
If there is exception, system, which reports an error, to be exited;If self-test is normal, system encryption keys SEK is read;
Verify the correctness of system encryption keys SEK;
If the system encryption keys SEK is incorrect, system, which reports an error, to be exited;If the system encryption keys SEK is correct, Then read key to be checked;
Judge the key to be detected using system encryption keys SEK and encrypts the consistency of storage key;
If inconsistent, system, which reports an error, to be exited, if unanimously, showing self-detection result, continues to start subsequent software module.
The safe encryption method further includes the method for secure storing of key, is included the following steps:
The system encryption keys SEK is defined, and the system encryption keys SEK is stored in the battery back area BBL Area;
All keys are encrypted using the system encryption keys SEK and encrypted key is stored in external sudden strain of a muscle It deposits in External Flash;
All keys are read out using system encryption keys SEK.
The second aspect of the embodiment of the present invention provides a kind of encryption equipment, including:Hardware configuration and software module, it is described soft Part module is based on hardware configuration and realizes function load;The hardware configuration includes safe processor CPU, sensor, trigger circuit; The sensor includes internal sensor and external trigger inductor Tamper Sensors, and the internal sensor is set to institute It states inside safe processor CPU, the external trigger inductor Tamper Sensors pass through the trigger circuit and the peace Full processor CPU connections;The safe processor CPU includes battery back area BBL Area;
The software module includes:Software security start unit and key handling unit, the software security start unit For the clean boot of software level, the key handling unit is for the encryption, decryption and storage to key.
The third aspect of the embodiment of the present invention provides a kind of safe ciphering terminal equipment, including:Memory, processor with And it is stored in the computer program that can be run in the memory and on the processor, the processor executes the calculating The step of safe encryption method being realized when machine program.
The fourth aspect of the embodiment of the present invention provides a kind of computer readable storage medium, the computer-readable storage Media storage has computer program, which is characterized in that the computer program realizes the safety encryption when being executed by processor The step of method.
Existing advantageous effect is the embodiment of the present invention compared with prior art:The embodiment of the present invention by hardware configuration with The safety encryption for being implemented in combination with encryption equipment of software module, using hardware sensor, mating trigger circuit and safe handling The characteristic of device CPU itself ensure that the physical security of encryption equipment well;Based on physical security, safe processor is utilized The characteristic of battery back area BBL Area inside CPU and the protection of sensor, trigger circuit, ensure that the content of core Safety realizes the stronger safe encryption function of encryption equipment, further meets in secret machine work to stability, safety The higher requirement of property and reliability.
Description of the drawings
It to describe the technical solutions in the embodiments of the present invention more clearly, below will be to embodiment or description of the prior art Needed in attached drawing be briefly described, it should be apparent that, the accompanying drawings in the following description be only the present invention some Embodiment for those of ordinary skill in the art without having to pay creative labor, can also be according to these Attached drawing obtains other attached drawings.
Fig. 1 is the implementation process schematic diagram of encryption equipment firmware safety detection method provided in an embodiment of the present invention;
Fig. 2 is the implementation process schematic diagram that encryption equipment software security provided in an embodiment of the present invention starts method;
Fig. 3 is the implementation process schematic diagram of encryption equipment system self checking method provided in an embodiment of the present invention;
Fig. 4 is the implementation process schematic diagram of the method for secure storing of key provided in an embodiment of the present invention;
Fig. 5 is the logical schematic of key storage provided in an embodiment of the present invention;
Fig. 6 is the schematic diagram of encryption equipment hardware configuration provided in an embodiment of the present invention;
Fig. 7 is the schematic diagram of encryption equipment software module provided in an embodiment of the present invention;
Fig. 8 is encryption equipment software level structural schematic diagram provided in an embodiment of the present invention;
Fig. 9 is the schematic diagram of encryption equipment overall workflow provided in an embodiment of the present invention;
Figure 10 is the schematic diagram of encryption equipment function module provided in an embodiment of the present invention;
Figure 11 is the flow diagram that encryption equipment administrator provided in an embodiment of the present invention logs in;
Figure 12 is encryption equipment key dispersion schematic diagram provided in an embodiment of the present invention;
Figure 13 is the schematic diagram of the encrypted terminal device of safety provided in an embodiment of the present invention.
Specific implementation mode
In being described below, for illustration and not for limitation, it is proposed that such as tool of particular system structure, technology etc Body details, to understand thoroughly the embodiment of the present invention.However, it will be clear to one skilled in the art that there is no these specific The present invention can also be realized in the other embodiments of details.In other situations, it omits to well-known system, device, electricity The detailed description of road and method, in case unnecessary details interferes description of the invention.
In order to illustrate technical solutions according to the invention, illustrated below by specific embodiment.
It is the implementation process schematic diagram of encryption equipment firmware safety detection method provided in an embodiment of the present invention referring to Fig. 1, it should Method is applied to encryption equipment, and the encryption equipment is point-of-sale terminal POS machine, cloud server or background server;Described adds Close machine includes:Safe processor CPU, sensor, battery back area BBL Area and trigger circuit, encryption equipment firmware as shown in the figure Safety detection method may comprise steps of:
Step S101, by the sensor inside detection safe processor CPU and external circumstances.
In embodiments of the present invention, the sensor includes internal sensor and external trigger Tamper Sensors;Internal sensor is located inside safe processor CPU, is responsible for the temperature inside detection safe processor CPU and frequency Situations such as rate;External trigger Tamper Sensors are set on the printed circuit pcb board except safe processor CPU, are led to It crosses special mating trigger circuit to connect with safe processor CPU, external sensor further includes shell tamper sensor, keyboard region Whether the sensor etc. in domain, detection device are opened, if having drilling, whether have the external circumstances such as chemical attack product.
In addition, the encryption equipment, which can be point-of-sale terminal POS, the point-of-sale terminal POS, is also combined with shell mechanism On breaking-proof switch, also have security grid computing mesh inside the described safe processor CPU, with simultaneous with multiple sensors examine Survey the inside and outside security situations of safe processor CPU.
Step S102 is issued warning signal if detecting situation exception.
In embodiments of the present invention, the abnormal conditions include internal abnormality situation and external abnormal conditions;Described is interior Portion's abnormal conditions include that internal sensor temperature, the frequency etc. that detect reach threshold value, then it is assumed that equipment occurs abnormal;Described External abnormal conditions include that the front and rear casing for the equipment that external sensor detects is opened, and equipment is drilled, is corroded by chemicals Deng external rogue attacks phenomenon, will issue warning signal.
Optionally, the pre-warning signal can be carried out voice-control alarm by alarm or pass through early-warning lamp into line flicker report It is alert.
The pre-warning signal is directly notified or is passed through trigger circuit notice battery back area BBL Area by step S103 Backup area key data is destroyed.
In embodiments of the present invention, the pre-warning signal includes internal pre-warning signal and external pre-warning signal;Described Internal pre-warning signal can be sent directly to the battery back area BBL Area inside safe processor CPU, notify battery back Area is destroyed or wiped by the key data that inside preserves;The external pre-warning signal can then be touched by external special mating Power Generation Road transmits warning information, and key data that notice battery back area BBL Area preserve inside or other data are into marketing It ruins or wipes.
It should be noted that the inside of encryption equipment is provided with the hardware device continued power that button cell is encryption equipment, make Even if obtain encryption equipment may also detect that abnormal phenomenon in off-mode.
Through the embodiment of the present invention, hardware based safety detection may be implemented, using hardware sensor, mating triggering The characteristic of circuit and safe processor CPU itself, ensure that the physical security of encryption equipment;Hardware based protection ensures The safety of encryption equipment core data realizes the secret function of the stronger safety of encryption equipment.
It is the flow diagram that encryption equipment software security provided in an embodiment of the present invention starts that method is realized, such as referring to Fig. 2 This method may comprise steps of shown in figure:
Step S201 starts the safe processor CPU internal securities bootstrap Security Boot Loader.
In embodiments of the present invention, the safe bootstrap Security Boot Loader have and can not be replaced Property, the content that the clean boot loads Boot Loader includes the code Resident ROM resided in read-only memory Code;The code Resident ROM Code resided in read-only memory can be an identity ID number or Person is burst of data, is solidificated in internal storage ROM Space when safe processor CPU dispatches from the factory.
It should be noted that safe processor CPU internal storages are once written in the identity ID number or burst of data ROM can will be changed never, it is therefore prevented that criminal uses the possibility of other manufacturer's firmwares.
Step S202 loads the safe bootstrap Security Boot Loader and verifies startup guiding Boot and consolidates Part.
In embodiments of the present invention, the verification and start guiding boot firmwares need and meanwhile digital signature skill is added Art, the digital signature are exactly others the hop count word string that can not forge that the sender of only information could generate, this section Numeric string is also simultaneously the valid certificates that information authenticity is sent to the sender of information, so utilizing digital signature skill Art, by clean boot load Security Boot Loader can not being replaced property, be further ensured that entire software architecture Safety.
In addition, if digital signature verification success, continues the startup of next software level, operation guides Boot programs, It guides in Boot firmware start-up courses, while can also check the state of each sensor, it is ensured that without ability in the case of exception Continue the clean boot of next step encryption equipment firmware.
Step S203 starts failure if verification has exception.
In embodiments of the present invention, it includes that digital signature is wrong or reside in read-only memory that the verification, which exists abnormal, Code Resident ROM Code check digit signature results mismatch, then verify failure, the startup of software can also stop, Then system starts failure, to ensure the safety of entire software architecture.
Step S204 is verified if verifying successfully and is started encryption equipment firmware.
In embodiments of the present invention, encryption equipment firmware is verified while guiding Boot programs are loaded, including To the trigger circuit of encryption equipment, sensor, the firmwares such as internal storage, verifying it, whether complete and function is intact etc..
In addition, the check results show that an encryption equipment firmware part has exception, such as:The accuracy of detection of sensor And there is inaccurate problem in the setting of threshold value, the circuit of trigger circuit, which breaks down, to be led to not realize asking for information transmission Topic etc., then stop the startup of software level, while encrypted firmware can also start failure;If check results indicate encryption equipment firmware State is all gone well, then starts to start operation encryption equipment firmware.
Through the embodiment of the present invention, security control and system work(are taken into account by software hierarchy in software security start-up course The control of energy ensure that the legitimacy and integrality of firmware using digital signature technology;It can also be examined in software layer start-up course Look into the state of each sensor and other firmwares, it is ensured that the startup of encryption equipment firmware could be realized in the case of without exception, The safety of the entire software architecture of guarantee step by step, to ensure that the safety of encryption equipment.
It is the implementation process schematic diagram of encryption equipment system self checking method provided in an embodiment of the present invention referring to Fig. 3, as schemed institute Show, this approach includes the following steps:
Step S301, system start, encryption equipment firmware self-test.
In embodiments of the present invention, system start after, after encryption equipment firmware is verified, it is also necessary to encryption equipment firmware from Whether function is normal etc. for inspection, the including whether self-test of sensor normal, trigger circuit and other firmwares.Pass through self-test, encryption Machine is able to detect that in hardware or structure either with or without security risk, either with or without wrecking or eavesdropping, is able to verify that system The legitimacy and integrality of firmware are to ensure one of the important means of encryption equipment and key safety.
Step S302, if there is exception, system, which reports an error, to be exited;If self-test is normal, system encryption keys SEK is read.
In embodiments of the present invention, if encryption equipment firmware has exception after carrying out self-test, such as:Encryption equipment hardware configuration is sent out Raw abnormal either inner parameter is more than threshold value or imperfect etc. by rogue attacks structure, then system can propose error information, And it exits simultaneously.
If encryption equipment firmware self-test is normal, reading system encryption keys SEK, the system encryption keys SEK can be It is generated by the True Random Number Generator device in safe processor CPU when encryption equipment initializes, length can be 24 bytes.Cause To be true random number, therefore it can ensure that system encryption keys SEK's is unpredictable, it is also ensured that system encryption keys SEK Uniqueness;The reading system encryption keys SEK is specially that encryption equipment firmware is read from the regions battery back BBL Area System encryption keys SEK.
Step S303 verifies the correctness of the system encryption keys SEK.
In the present invention is embodiment, encryption equipment firmware reads system encryption keys from the regions battery back BBL Area SEK, if the result read is 0 entirely, then it represents that encryption equipment firmware is triggered, and the battery back regions BBL Area are by content-data Self-destruction erasing is carried out, and prompt system encryption key malfunctions;If the system encryption keys result obtained is not all 0, further Computation key check value KCV, the keycheck value KCV are the cyclic redundancy CRC check values of key, by the key verification Value KCV is compared with the keycheck value KCV values that battery back area BBL Area are stored, if the two is consistent.It then indicates to read The system encryption keys SEK taken is correct.
Step S304, if the system encryption keys SEK is incorrect, system, which reports an error, to be exited;If the system encryption is close Key SEK is correct, then reads key to be checked.
In embodiments of the present invention, when the result of the system encryption keys of reading is all 0, then it represents that triggering self-destruction, and carry Show error message, system encryption keys SEK is incorrect, then system, which reports an error, exits.
When the result of the system encryption keys of reading is not all 0, and the keycheck value KCV of system encryption keys and electricity The keycheck value of pond backup area BBL Area storages is consistent, then it represents that system encryption keys SEK is correct, then continues In next step, key to be detected is read.
In addition, the key to be detected can be the key generated inside encryption equipment, or it is injected into encryption equipment Key can also be the password of encryption equipment administrator.
Step S305 judges the key to be detected using the system encryption keys SEK and has encrypted storage key Consistency.
In embodiments of the present invention, judge key to be detected using system encryption keys SEK and encrypt the key of storage Consistency, mainly judge storage key whether be encrypted by system encryption keys SEK;The specific steps are:It uses System encryption keys SEK treats detection key and is decrypted to obtain in plain text, and calculates the keycheck value KCV of plaintext, will obtain Keycheck value KCV and battery back area BBL Area in the keycheck value that stores be compared, according to the comparison of the two As a result judge the consistency of key to be detected and encryption key.
Step S306, if inconsistent, system, which reports an error, to be exited, if unanimously, showing self-detection result, continues to start follow-up soft Part module.
In embodiments of the present invention, by calculating, as the keycheck value KCV and battery back area BBL of key to be detected When the keycheck value stored in Area is equal, then it represents that the key to be detected be it is consistent with the data for encrypting storage originally, And then show the self-detection result of whole flow process, continue to start subsequent software module;Being indicated if the two is unequal should Key to be detected is inconsistent with the data for encrypting storage originally, and system then shows to report an error and exit.
Through the embodiment of the present invention, by the startup self-detection of encryption equipment, not only detect in hardware or structure either with or without It there are risk or wrecks or eavesdrops, additionally it is possible to which the legitimacy and integrality for verifying encryption equipment firmware ensure that encryption equipment And the safety of key.
It is the implementation process schematic diagram of the method for secure storing of key provided in an embodiment of the present invention, this method referring to Fig. 4 Including step once:
Step S401 defines the system encryption keys SEK, and the system encryption keys SEK is stored in the electricity Pond backup area BBL Area.
In embodiments of the present invention, encryption equipment define a system encryption keys SEK, when encryption equipment initializes by True Random Number Generator in safe processor CPU generates, and length is 24 bytes, and stored in clear is in battery back area BBL Area Subsidiary internal stationary memory SRAM because internal stationary memory SRAM can only legal firmware read, and have hardware components Safety protective circuit protection, therefore stored in clear does not have security risk in battery back area BBL Area;Because of system Encryption key is true random number, therefore can ensure that system encryption keys SEK's is unpredictable, it is also ensured that system encryption is close The uniqueness of key SEK.
It should be noted that encryption equipment can only initialize once, system encryption keys are then generated, it later again can be not initial Change.
All keys are encrypted using the system encryption keys SEK and protect encrypted key by step S402 There are in external flash External Flash.
In embodiments of the present invention, system encryption keys SEK needs keys to be protected for encrypting all, the step for have Body further includes:
The system encryption keys SEK is read, clear data is encrypted to obtain pair using the system encryption keys SEK The ciphertext is stored in external flash External Flash by the ciphertext answered.
In embodiments of the present invention, all keys include but not limited to the key generated inside encryption equipment, external Inject the key of encryption equipment and the key of encryption equipment administrator login.Since system encryption keys SEK is also burst of data, make With system encryption keys SEK to all keys be encrypted the result is that in the form of ciphertext, and be stored in safe handling In flash memory External Flash outside device outer CPU.
Wherein, key is encrypted using system encryption keys SEK, used Encryption Algorithm is triple data encryptions Standard TDES algorithms.
Step S403 is read out all keys using system encryption keys SEK.
In embodiments of the present invention, it could also be used by system encryption keys SEK when encryption equipment reads key close Key further includes specifically in this step:
The system encryption keys SEK is read, the ciphertext of external flash External Flash is stored in described in reading, is made The ciphertext is decrypted with the system encryption keys, obtained corresponding plaintext is supplied to subsequent software flow.
In embodiments of the present invention, it when encryption equipment reads key, also needs to use system encryption keys SEK, Ciphertext to being stored in external flash External Flash is decrypted to obtain the original text of ciphertext, could use key, be adopted Decipherment algorithm is similarly the algorithm of triple DES TDES.
In addition, system encryption keys SEK can also equally protect the password of encryption equipment administrator.
It should be noted that since battery back area BBL Area are protected by hardware protection circuit, encryption equipment once by Attack, internal all data, which will include system encryption keys SEK, to be wiped free of, and be owned using system encryption keys SEK is encrypted Key cannot be decrypted, to ensure that the safety of key.
The logical schematic of key storage provided in an embodiment of the present invention as shown in Figure 5, when encryption equipment initializes The system encryption keys SEK of definition is stored in battery back area BBL Area, and stored in clear is in battery back area BBL Area In subsidiary static memory SRAM.The system encryption keys SEK is used to carry out triple data encryption marks to all keys The encryption of quasi- TDES algorithms, obtains encrypted key data, and the obtained key data includes unsymmetrical key data And symmetric key data, and be respectively stored in external flash Flash.
Through the embodiment of the present invention, the effect of system encryption keys SEK is to need key to be protected for encrypting all, than Such as the key generated inside encryption equipment, the key etc. of outside injection.Since all keys are added by system encryption keys SEK Close, so encryption equipment only needs to protect the safety of system encryption keys SEK, so that it may to ensure the safety of all keys, even if Someone illegally gets key data, and what is obtained is all ciphertext form, and from the angle of cryptography, these data are also all safety 's.
It should be understood that the size of the serial number of each step is not meant that the order of the execution order in above-described embodiment, each process Execution sequence should be determined by its function and internal logic, the implementation process without coping with the embodiment of the present invention constitutes any limit It is fixed.
It is that the schematic diagram of encryption equipment hardware configuration provided in an embodiment of the present invention only shows for convenience of description referring to Fig. 6 Go out and the relevant part of the embodiment of the present invention.The secret machine of safety provided in an embodiment of the present invention includes hardware configuration and software mould Group, wherein software module realizes the load of function based on hardware configuration.
As shown in fig. 6, the hardware configuration includes safe processor CPU 601, and sensor, trigger circuit;Sensor Including internal sensor and external trigger inductor Tamper Sensors 602, internal sensor is set to safe processor Inside CPU, external trigger inductor Tamper Sensors are connect by trigger circuit with safe processor CPU;Safe handling Device CPU includes battery back area BBL Area 603;
Including read only memory ROM 604 and internal stationary memory I nternal SRAM 605, read only memory ROM It is set to inside safe processor CPU with internal stationary memory I nternal SRAM, read-only deposit is stored in read-only memory Code Resident ROM code in reservoir;
Further include liquid crystal display LCD 606, keyboard 607, smart card reader 608, external memory 609, external storage Device 610, battery 611, serial ports (universal serial bus) 612, mfp printer, card reader for magnetic strip cards 614 one or more and with Safe processor CPU 601 is connected;
It further include ethernet network interface 615 and/or normal serial module network interface 616, and ethernet network interface 615 and/or normal serial module network interface 616 be connected with the safe processor CPU.
As shown in fig. 7, being the schematic diagram of encryption equipment software module 7 provided in an embodiment of the present invention, the software module Including:
Software security start unit 71 and key handling unit 72, software security start unit are used for the safety of software level Start, key handling unit is for the encryption, decryption and storage to key;Data communication unit 73, the data communication unit Reception and transmission for data.
Wherein, software security start unit realizes the peace of software Booting sequence by structural representation Fig. 8 of software level All risk insurance is demonstrate,proved, as shown in figure 8, according to the code check in the read-only memory inside safe processor CPU and starting guiding Boot Firmware, while also by means of signature technology, guiding Boot firmwares verify and are started in loading process encryption equipment firmware, ensure that The legitimacy and integrality of encryption equipment firmware.
The external interface that the data communication unit of encryption equipment is supported includes:The serial data interface of proposed standard RS-232 and Several mouthfuls at full speed of general-purpose serial bus USB 2.0;Wherein, the serial data interface of proposed standard RS-232 supports highest 115200 Baud rate, and be equipped in host side and drive journey with the general-purpose serial bus USB of 2.0 interface kit of general-purpose serial bus USB Sequence.
Secret machine is connected to by serial ports or universal serial bus on host, and the data packet that receiving host issues carries out it Encryption;The format of wherein host data packet is as shown in Table 1, and bebinning character, packet serial number, check word occupy a byte, rises Beginning character representation is 0x02, and check word is the exclusive or value of other data in addition to bebinning character;Command word occupies two with length Byte further includes that order classification (being expressed as 0x90) and subcommand code correspond to a byte respectively in command word, in length packet First character section is length divided by 256 round numbers of data packet, and second byte is that the length of data packet divided by 256 take the remainder. After encryption equipment receives the data packet of host, it can correspond to and generate a response bag, the format for the data packet that secret machine is responded is such as Shown in table 2, in addition to return code more than data packet, other are identical as the format of table 1, and wherein return code is to notify host Every order as a result, its definition is as shown in Table 3.
Table 1
Table 2
It is macro Value Meaning
PCI_OK 0x00 Correctly
PCI_UNSPT_CMD 0xff Illegal command
Table 3
After encryption equipment is communicated with host, after both sides obtain backspace code, fault-tolerant processing can be according to circumstances carried out, than Such as:Length is not right, then reexamines data format;Key is not present, and suggests that query key etc..
It is the workflow schematic diagram of encryption equipment provided in an embodiment of the present invention entirety referring to Fig. 9, as shown, encryption After machine powers on booting, administrator log in, after administrator logins successfully, start to select corresponding feature operation, it can be achieved that function Including:Private key, Digital signature service, system administrator functions are injected, asymmetric arithmetic key, wherein system administrator functions packet are dissipated It includes:Change login password, switching language and upload journal file etc..Encryption equipment high-level schematic functional block diagram packet as shown in Figure 10 It includes:System management module generates key and distribution module, key injection module, encryption and decryption service module.
Wherein, system management module includes:Admin Administration, password modification management, multilingual support, log management are System self-test.
Admin Administration, the embodiment of the present invention are that encryption sets two administrators, and each administrator holds respective close Code, only there are two administrator's respective passwords of input on the scene could enter system management module, real for the present invention as shown in figure 11 The flow diagram that the encryption equipment administrator of example offer logs in is applied, after encryption equipment powers on booting, long-press enters "enter" key" entrance Administrator's login step;System prompt inputs administrator's password;Password is inputted by administrator A first;System authentic administrator A's Whether password is correct, if incorrect, system exits, if correctly, entering in next step;Password, verification pipe are inputted by administrator B Whether the password of reason person B is correct, if mistake, system exits, the entered function menu if correct.
In addition, the password of administrator is stored in after being encrypted by system encryption keys SEK in file system.
Password modification management, after administrator enters system management module, allows the password for changing oneself, modified Xinmi City Code after system encryption keys SEK encryptions equally by storing.
Chinese and English bilingual are supported in multilingual support, in embodiments of the present invention, encryption equipment.
Log management, including management event there is administrator to log in ADMIN LOGON, upload daily record UPLOAD LOG, cut Language SWITCH LANG is changed, private key INJECT PVK FROM ICC is injected from card, signature SIGNATURE is carried out to file FILE, administrator exit ADMIN LOGOFF, modification login password MODIFY LOGON PWD etc..Event described above is being encrypted It can be included in daily record log files in machine, as shown in Table 4;The data structure recorded in corresponding daily record log files includes rope Draw Index, data/time Data/Time, event Event, result Result, ending End and corresponding byte number and tool The information format of body, daily record log files as shown in Table 5 summarize the data structure of every record.
Table 4
Table 5
Key and distribution module are generated, the generation and distribution of system key are used for.
In embodiments of the present invention, encryption equipment realizes the public and private key of unsymmetrical key by function RSAKeyPairGen To generation, wherein RSAKeyPairGen be RSA algorithm realize.
After asymmetric public private key pair generates, in order to ensure the validity of the public and private key generated, encryption equipment will be public and private to every group Key completes the verification of public and private key, RSAKeyPairVerify algorithms by function RSAKeyPairVerify to verifying Core concept be that encryption obtains key in plain text by using one section of public key pair, reuse corresponding private key and key be decrypted Another section of plaintext is obtained, if two sections of plaintexts are identical, can be determined that the public key and private key are a pair of of RSA keys.
In embodiments of the present invention, the principle of key dispersion is to first pass through nonce generation function to obtain random number, is passed through Multiple recursive call generates a string length and is greater than or equal to private key structure size (size of private key data structure is 1163 bytes) Random data, take preceding 1162 byte (size of i.e. one private key structure) of this section of random number to be used as dispersion factor, then use this The data of private key structure carry out exclusive or in the public private key pair that one dispersion factor is generated with encryption equipment, obtain another 1162 byte The dispersion results of (size of i.e. one private key structure).
Finally dispersion factor and dispersion results are respectively stored into two IC card, two IC card become A cards and B cards, such as Shown in Figure 12, A cards store key components A, B card storage key components B.
In embodiments of the present invention, the algorithm that encryption equipment is supported includes:The symmetrical enciphering and deciphering algorithm data of data symmetrically add Decryption uses:DES Cipher algorithm, triple DES 3DES algorithms, Advanced Encryption Standard aes algorithm;Number Word signature, sign test use:Public key encryption RSA Algorithm (including 1024/2048/4096 bit);The protection of personal identification code uses:Number According to encryption standard DES algorithms, triple DES 3DES algorithms, Advanced Encryption Standard aes algorithm, the close SM1 algorithms of state and The close SM4 algorithms of state;Message integrity protection uses:Message authentication code MAC is calculated and verification, DES Cipher algorithm, and three Weight data encryption standards 3DES algorithms, Advanced Encryption Standard aes algorithm;Eap-message digest includes:Hash SHA1 algorithms, Hash SHA- The 256 MD5 algorithms of algorithm eap-message digest the 5th edition.
Through the embodiment of the present invention, inexpensive hardware and structure design save purchase machine expense;On hardware, using tactile Send out inductor tamper sensor and mating hardware circuit, the battery back area BBL Area of processor CPU safe to use To store sensitive data (key etc.);On software, since the code ROM CODE in read-only memory, utilization step by step Digital signature technology ensures that firmware is safe, and encryption equipment firmware itself has self-checking function etc., by hardware above circuit and Software hierarchical structure, Booting sequence design, digital signature etc. provide the physics and surface structure design of safety and stability, related Safe design can pass through the requirement of payment card industry PCI highest safety certifications;The software model of stratification is provided, and is carried A kind of safe startup control mode is supplied;Additionally provide the Life cycle such as key generation, preservation, distribution, injection and destruction Key security management system.
In addition, through the embodiment of the present invention, system mean time between failures can pass through Payment Card row up to 2400 hours The verification of industry PCI 4.x standards, it is 12 seconds to generate a pair of of public key encryption algorithm RSA 1024bits key longests and take, RSA It is 38 seconds that 2048bits key longests, which take, and highest can support 115200 serial port baud rate and common serial bus USB The communication of full rate.
Figure 13 is the schematic diagram for the encrypted terminal device of safety that one embodiment of the invention provides.As shown in figure 13, the reality The encrypted terminal device of safety 13 for applying example includes:It processor 130, memory 131 and is stored in the memory 131 simultaneously The computer program 132 that can be run on the processor 130, for example, the data structure program of key asymmetric arithmetic key or The generation program of public and private key key pair.The processor 130 realizes that above-mentioned each safety adds when executing the computer program 132 Step in decryption method embodiment, such as step 101 shown in FIG. 1 is to 103.Alternatively, the processor 130 executes the calculating The function of each module/unit in above-mentioned each device embodiment is realized when machine program 132.
Illustratively, the computer program 132 can be divided into one or more module/units, it is one or Multiple module/the units of person are stored in the memory 131, and are executed by the processor 130, to complete the present invention.Institute It can be the series of computation machine program instruction section that can complete specific function, the instruction segment to state one or more module/units For describing implementation procedure of the computer program 62 in the encrypted terminal device of the safety 13.For example, the calculating Machine program 132 can be divided into synchronization module, summarizing module, acquisition module, return module (module in virtual bench) etc..
The encrypted terminal device of the safety 13 can be desktop PC, notebook, palm PC and cloud service The computing devices such as device.The encrypted terminal device of safety may include, but be not limited only to, processor 130, memory 131.Ability Field technique personnel are appreciated that Figure 13 is only the example of safe encrypted terminal device 13, do not constitute encrypted to safety The restriction of terminal device 13 may include either combining certain components or different portions than illustrating more or fewer components Part, such as the encrypted terminal device of the safety can also include input-output equipment, network access equipment, bus etc..
Alleged processor 130 can be central processing unit (Central Processing Unit, CPU), can also be Other general processors, digital signal processor (Digital Signal Processor, DSP), application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), ready-made programmable gate array (Field- Programmable Gate Array, FPGA) either other programmable logic device, discrete gate or transistor logic, Discrete hardware components etc..General processor can be microprocessor or the processor can also be any conventional processor Deng.
The memory 131 can be the internal storage unit of the encrypted terminal device of the safety 13, for example, safety plus The hard disk or memory of close terminal device 13.The memory 131 can also be the outer of the encrypted terminal device of the safety 13 The plug-in type hard disk being equipped in portion's storage device, such as the encrypted terminal device of the safety 13, intelligent memory card (Smart Media Card, SMC), secure digital (Secure Digital, SD) card, flash card (Flash Card) etc..Further, The memory 131 can also both include the internal storage unit of the encrypted terminal device of the safety 13 or including external storage Equipment.The memory 131 is used to store other needed for the computer program and the encrypted terminal device of the safety Program and data.The memory 131 can be also used for temporarily storing the data that has exported or will export.
Yet another embodiment of the invention additionally provides a kind of computer readable storage medium, which can To be computer readable storage medium included in the memory in above-described embodiment;Can also be individualism, it is unassembled Enter the computer readable storage medium in terminal.There are one the computer-readable recording medium storages or more than one journey Sequence, the one or more programs are used for executing an information processing side by one or more than one processor Method.
It is apparent to those skilled in the art that for convenience of description and succinctly, only with above-mentioned each work( Can unit, module division progress for example, in practical application, can be as needed and by above-mentioned function distribution by different Functional unit, module are completed, i.e., the internal structure of described device are divided into different functional units or module, more than completion The all or part of function of description.Each functional unit, module in embodiment can be integrated in a processing unit, also may be used It, can also be above-mentioned integrated during two or more units are integrated in one unit to be that each unit physically exists alone The form that hardware had both may be used in unit is realized, can also be realized in the form of SFU software functional unit.In addition, each function list Member, the specific name of module are also only to facilitate mutually distinguish, the protection domain being not intended to limit this application.Above system The specific work process of middle unit, module, can refer to corresponding processes in the foregoing method embodiment, and details are not described herein.
In the above-described embodiments, it all emphasizes particularly on different fields to the description of each embodiment, is not described in detail or remembers in some embodiment The part of load may refer to the associated description of other embodiments.
Those of ordinary skill in the art may realize that lists described in conjunction with the examples disclosed in the embodiments of the present disclosure Member and algorithm steps can be realized with the combination of electronic hardware or computer software and electronic hardware.These functions are actually It is implemented in hardware or software, depends on the specific application and design constraint of technical solution.Professional technician Each specific application can be used different methods to achieve the described function, but this realization is it is not considered that exceed The scope of the present invention.
In embodiment provided by the present invention, it should be understood that disclosed device/terminal device and method, it can be with It realizes by another way.For example, device described above/terminal device embodiment is only schematical, for example, institute The division of module or unit is stated, only a kind of division of logic function, formula that in actual implementation, there may be another division manner, such as Multiple units or component can be combined or can be integrated into another system, or some features can be ignored or not executed.Separately A bit, shown or discussed mutual coupling or direct-coupling or communication connection can be by some interfaces, device Or INDIRECT COUPLING or the communication connection of unit, can be electrical, machinery or other forms.
The unit illustrated as separating component may or may not be physically separated, aobvious as unit The component shown may or may not be physical unit, you can be located at a place, or may be distributed over multiple In network element.Some or all of unit therein can be selected according to the actual needs to realize the mesh of this embodiment scheme 's.
In addition, each functional unit in each embodiment of the present invention can be integrated in a processing unit, it can also It is that each unit physically exists alone, it can also be during two or more units be integrated in one unit.Above-mentioned integrated list The form that hardware had both may be used in member is realized, can also be realized in the form of SFU software functional unit.
If the integrated module/unit be realized in the form of SFU software functional unit and as independent product sale or In use, can be stored in a computer read/write memory medium.Based on this understanding, the present invention realizes above-mentioned implementation All or part of flow in example method, can also instruct relevant hardware to complete, the meter by computer program Calculation machine program can be stored in a computer readable storage medium, the computer program when being executed by processor, it can be achieved that on The step of stating each embodiment of the method.Wherein, the computer program includes computer program code, the computer program generation Code can be source code form, object identification code form, executable file or certain intermediate forms etc..The computer-readable medium May include:Any entity or device, recording medium, USB flash disk, mobile hard disk, magnetic of the computer program code can be carried Dish, CD, computer storage, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), electric carrier signal, telecommunication signal and software distribution medium etc..It should be noted that described The content that computer-readable medium includes can carry out increasing appropriate according to legislation in jurisdiction and the requirement of patent practice Subtract, such as in certain jurisdictions, according to legislation and patent practice, computer-readable medium do not include be electric carrier signal and Telecommunication signal.
Embodiment described above is merely illustrative of the technical solution of the present invention, rather than its limitations;Although with reference to aforementioned reality Applying example, invention is explained in detail, it will be understood by those of ordinary skill in the art that:It still can be to aforementioned each Technical solution recorded in embodiment is modified or equivalent replacement of some of the technical features;And these are changed Or replace, the spirit and scope for various embodiments of the present invention technical solution that it does not separate the essence of the corresponding technical solution should all It is included within protection scope of the present invention.

Claims (10)

1. a kind of safe encryption method, it is applied to encryption equipment, which is characterized in that the firmware of the encryption equipment includes:Safe handling Device CPU, sensor, battery back area BBL Area and trigger circuit;The safe encryption method includes encryption equipment firmware safety Detection method:
By the sensor inside detection safe processor CPU and external circumstances;
If detecting situation exception, issue warning signal;
By the pre-warning signal, directly notice or by trigger circuit notify battery back area BBL Area to backup area content into Marketing is ruined.
2. safe encryption method as described in claim 1, which is characterized in that the safe encryption method further includes software security Startup method, includes the following steps:
Start the safe processor CPU internal securities bootstrap Security Boot Loader;
It loads the safe bootstrap Security Boot Loader and verifies startup guiding Boot firmwares;
If verification has exception, start failure;
If verifying successfully, verifies and start encryption equipment firmware.
3. safe encryption method as claimed in claim 2, which is characterized in that it further includes system that the software security, which starts later, Self-test, the System self-test include the following steps:
System starts, encryption equipment firmware self-test;
If there is exception, system, which reports an error, to be exited;If self-test is normal, system encryption keys SEK is read;
Verify the correctness of the system encryption keys SEK;
If the system encryption keys SEK is incorrect, system, which reports an error, to be exited;If the system encryption keys SEK is correct, read Take key to be checked;
Judge the key to be detected using the system encryption keys SEK and encrypts the consistency of storage key;
If inconsistent, system, which reports an error, to be exited, if unanimously, showing self-detection result, continues to start subsequent software module.
4. safe encryption method as claimed in claim 3, which is characterized in that the encryption equipment further includes:External flash External Flash, the safe encryption method further include the method for secure storing of key, are included the following steps:
The system encryption keys SEK is defined, and the system encryption keys SEK is stored in the battery back area BBL Area;
All keys are encrypted using the system encryption keys SEK and encrypted key is stored in external flash In External Flash;
All keys are read out using system encryption keys SEK.
5. safe encryption method as claimed in claim 4, which is characterized in that described pair of all keys use the system encryption Key SEK is encrypted and encrypted key is stored in external flash External Flash:
The system encryption keys SEK is read, clear data is encrypted to obtain using the system encryption keys SEK corresponding The ciphertext is stored in external flash External Flash by ciphertext.
6. safe encryption method as claimed in claim 5, which is characterized in that described pair of all keys use system encryption keys SEK be read out including:
The system encryption keys SEK is read, the ciphertext of external flash External Flash is stored in described in reading, uses institute It states system encryption keys the ciphertext is decrypted, obtained corresponding plaintext is supplied to subsequent software flow.
7. a kind of encryption equipment, which is characterized in that including:Hardware configuration and software module, the software module are based on hardware configuration Realize function load;The hardware configuration includes safe processor CPU, sensor, trigger circuit;The sensor includes inside Sensor and external trigger inductor Tamper Sensors, the internal sensor are set in the safe processor CPU Portion, the excessively described trigger circuits of external trigger inductor Tamper Sensors are connect with the safe processor CPU;It is described Safe processor CPU includes battery back area BBL Area;
The software module includes:Software security start unit and key handling unit, the software security start unit are used for The clean boot of software level, the key handling unit is for the encryption, decryption and storage to key.
8. encryption equipment as claimed in claim 7, which is characterized in that the hardware configuration further includes:
Read only memory ROM and internal stationary memory I nternal SRAM, the read only memory ROM and the inside are quiet State memory I nternal SRAM are set to inside the safe processor CPU, and read-only deposit is stored in the read-only memory Code Resident ROM code in reservoir;
Liquid crystal display LCD, keyboard, smart card reader, external memory, external memory, battery, serial ports, printer, magnetic stripe Card reader one or more and it is connected with safe processor CPU;
Ethernet network interface and/or normal serial module network interface, and ethernet network interface and/or normal serial module Network interface is connected with the safe processor CPU;
The software module further includes:Data communication unit, the data communication unit are used for the reception and transmission of data.
9. a kind of encrypted terminal device of safety, including memory, processor and it is stored in the memory and can be in institute State the computer program run on processor, which is characterized in that the processor is realized when executing the computer program as weighed Profit requires the step of any one of 1 to 6 the method.
10. a kind of computer readable storage medium, the computer-readable recording medium storage has computer program, feature to exist In when the computer program is executed by processor the step of any one of such as claim 1 to 6 of realization the method.
CN201711331236.3A 2017-12-13 2017-12-13 Secure encryption method, encryption machine and terminal equipment Active CN108629206B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711331236.3A CN108629206B (en) 2017-12-13 2017-12-13 Secure encryption method, encryption machine and terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711331236.3A CN108629206B (en) 2017-12-13 2017-12-13 Secure encryption method, encryption machine and terminal equipment

Publications (2)

Publication Number Publication Date
CN108629206A true CN108629206A (en) 2018-10-09
CN108629206B CN108629206B (en) 2020-11-03

Family

ID=63705871

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711331236.3A Active CN108629206B (en) 2017-12-13 2017-12-13 Secure encryption method, encryption machine and terminal equipment

Country Status (1)

Country Link
CN (1) CN108629206B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110505048A (en) * 2019-08-16 2019-11-26 兆讯恒达微电子技术(北京)有限公司 A kind of method of data encryption standards coprocessor self-test
CN110502379A (en) * 2019-08-16 2019-11-26 兆讯恒达微电子技术(北京)有限公司 A kind of method of elliptic curve encryption algorithm coprocessor self-test
CN110688660A (en) * 2019-09-27 2020-01-14 深圳市共进电子股份有限公司 Method and device for safely starting terminal and storage medium
CN111008392A (en) * 2019-12-25 2020-04-14 中电科航空电子有限公司 Self-destruction control method of positioning equipment and related device
CN111563280A (en) * 2020-05-06 2020-08-21 杭州锘崴信息科技有限公司 Secure computing system and method of operating the same
CN113282950A (en) * 2021-07-26 2021-08-20 阿里云计算有限公司 Operation and maintenance method, device, equipment and system of encryption machine
CN114924808A (en) * 2022-05-12 2022-08-19 中国电子科技集团公司第二十九研究所 SRAM type FPGA on-orbit reliable loading method based on duplicate storage program

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106059771A (en) * 2016-05-06 2016-10-26 上海动联信息技术股份有限公司 Intelligent POS machine secret key management system and method
CN107341085A (en) * 2017-06-14 2017-11-10 北京多思技术服务有限公司 A kind of control device

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106059771A (en) * 2016-05-06 2016-10-26 上海动联信息技术股份有限公司 Intelligent POS machine secret key management system and method
CN107341085A (en) * 2017-06-14 2017-11-10 北京多思技术服务有限公司 A kind of control device

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110505048A (en) * 2019-08-16 2019-11-26 兆讯恒达微电子技术(北京)有限公司 A kind of method of data encryption standards coprocessor self-test
CN110502379A (en) * 2019-08-16 2019-11-26 兆讯恒达微电子技术(北京)有限公司 A kind of method of elliptic curve encryption algorithm coprocessor self-test
CN110505048B (en) * 2019-08-16 2022-04-15 兆讯恒达科技股份有限公司 Self-checking method for data encryption standard coprocessor
CN110502379B (en) * 2019-08-16 2022-11-22 兆讯恒达科技股份有限公司 Self-checking method for coprocessor of elliptic encryption algorithm
CN110688660A (en) * 2019-09-27 2020-01-14 深圳市共进电子股份有限公司 Method and device for safely starting terminal and storage medium
CN110688660B (en) * 2019-09-27 2021-08-24 深圳市共进电子股份有限公司 Method and device for safely starting terminal and storage medium
CN111008392A (en) * 2019-12-25 2020-04-14 中电科航空电子有限公司 Self-destruction control method of positioning equipment and related device
CN111563280A (en) * 2020-05-06 2020-08-21 杭州锘崴信息科技有限公司 Secure computing system and method of operating the same
CN111563280B (en) * 2020-05-06 2023-12-05 杭州锘崴信息科技有限公司 Secure computing system and method of operating the same
CN113282950A (en) * 2021-07-26 2021-08-20 阿里云计算有限公司 Operation and maintenance method, device, equipment and system of encryption machine
CN113282950B (en) * 2021-07-26 2021-12-21 阿里云计算有限公司 Operation and maintenance method, device, equipment and system of encryption machine
CN114924808A (en) * 2022-05-12 2022-08-19 中国电子科技集团公司第二十九研究所 SRAM type FPGA on-orbit reliable loading method based on duplicate storage program

Also Published As

Publication number Publication date
CN108629206B (en) 2020-11-03

Similar Documents

Publication Publication Date Title
CN108629206A (en) A kind of safe encryption method, encryption equipment and terminal device
Cooper et al. Computer and communications security
US10733291B1 (en) Bi-directional communication protocol based device security
CN104217327B (en) A kind of financial IC card internet terminal and its method of commerce
US20030009687A1 (en) Method and apparatus for validating integrity of software
US20050283826A1 (en) Systems and methods for performing secure communications between an authorized computing platform and a hardware component
Longley et al. Data And Computer Security: A Dictionary Of Terms And Concepts
JP2015154491A (en) System and method for remote access and remote digital signature
CN103065102A (en) Data encryption mobile storage management method based on virtual disk
TW200405963A (en) Sleep protection
JP2008269610A (en) Protecting sensitive data intended for remote application
CN101739622A (en) Trusted payment computer system
CN108694122B (en) Method for symbol execution of restricted devices
Mavrovouniotis et al. Hardware security modules
CN107133512A (en) POS terminal control method and device
CN200993803Y (en) Internet banking system safety terminal
Götzfried et al. Mutual authentication and trust bootstrapping towards secure disk encryption
CN1331015C (en) Computer security startup method
CN101206779A (en) Online banking system safety terminal and data safety processing method thereof
WO2024011812A1 (en) Blockchain-based supervision system and method, device, and medium
Müller et al. Stark: Tamperproof Authentication to Resist Keylogging
CN112825093B (en) Security baseline checking method, host, server, electronic device and storage medium
US20210111870A1 (en) Authorizing and validating removable storage for use with critical infrastrcture computing systems
CN101739623A (en) Trusted payment computer system
Bulut Secure hardware cryptocurrency wallet within common criteria framework

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant