CN108629206A - A kind of safe encryption method, encryption equipment and terminal device - Google Patents
A kind of safe encryption method, encryption equipment and terminal device Download PDFInfo
- Publication number
- CN108629206A CN108629206A CN201711331236.3A CN201711331236A CN108629206A CN 108629206 A CN108629206 A CN 108629206A CN 201711331236 A CN201711331236 A CN 201711331236A CN 108629206 A CN108629206 A CN 108629206A
- Authority
- CN
- China
- Prior art keywords
- encryption
- safe
- key
- sek
- keys
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Mathematical Physics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The present invention is suitable for field of information security technology, provides a kind of safe encryption method, encryption equipment and terminal device, and the safe encryption method is applied to encryption equipment, and the encryption equipment includes:Safe processor CPU, sensor, battery back area BBL Area and trigger circuit;The safe encryption method includes encryption equipment firmware safety detection method:By the sensor inside detection safe processor CPU and external circumstances;If detecting situation exception, issue warning signal;By the pre-warning signal, directly notifies or notify battery back area BBL Area to destroy backup area content by trigger circuit;The safe encryption method further includes:Software security starts the method for secure storing of method and key.The hardware and structure design for realizing low cost through the invention, save purchase machine expense;The software model of stratification is provided, and provides the control mode of clean boot, realizes the key safety management in complete period.
Description
Technical field
The invention belongs to a kind of field of information security technology more particularly to safe encryption method, encryption equipment and terminal devices.
Background technology
With the continuous development of information technology, internet it is universal, more and more data are needed in transmission over networks, packet
Include interactive information, Email, identity information, Transaction Information and business data etc..However, illegal to the carry out of data at present
It the unlawful activities such as monitors, steal and distorts to be on the increase, therefore the safety of data is also increasingly paid attention to by people.
Data are encrypted using cryptographic algorithm and are transmitted again, are to guarantee data security and effective hand of data integrity
Section, therefore, many IT vendors have developed many encryption devices or encryption software, by encryption device or software, generate encryption
Key, realization are encrypted clear data and are digitally signed to file.
Existing encryption technology is generally divided into example, in hardware and software form.Software form commonly relies in host system
The enciphering and deciphering algorithm write realizes encryption, by providing software tool or network system for users to use, but is added due to this
There are very big security risks for close software and encryption system, the rogue attacks by hacker are easy, to the O&M of software systems
Management needs to construct the safety of increasingly complex software systems deprotection card key, needs to establish high standard, meets associated safety
The computer room of certification ensures to store the Host Security of key, it is also necessary to design effective mechanism and carry out authentication and power to user
The certification etc. of limit, therefore by existing technology, enterprise cannot be satisfied higher software development and O&M pipe in Software for Design
Reason requires, and corresponding expense cost is also higher.The encryption device form of diverse of example, in hardware, most common made with unique host
For encryption equipment, network interface is externally only provided and provides encryption and decryption service by specifically ordering, or uses the plug-in shapes such as USB flash disk
Formula is chiefly used in the specific field such as digital certificate or authentication, it is difficult to realize and provide general encryption and decryption service;And it is existing
Hardware device job stability and reliability it is poor, need additional very more protection Design or hardware circuit to ensure
The stability and reliability of its work.Therefore, it in the encryption technology of existing example, in hardware and software form, cannot be satisfied
The requirement for the stability, safety and reliability that higher software development works with operation management requirement and equipment, and
The higher requirement of hardware configuration and software development etc., general enterprises can not also complete designing and developing for encryption device.
Invention content
In view of this, an embodiment of the present invention provides a kind of safe encryption method, encryption equipment and terminal device, it is existing to solve
Have cannot be satisfied higher software development and operation management requirement in technology and equipment work higher stability, safety and
The problem of reliability requirement.
The first aspect of the embodiment of the present invention provides a kind of safe encryption method, is applied to encryption equipment, the encryption equipment
Firmware include:Safe processor CPU, sensor, battery back area BBL Area and trigger circuit;The safe encryption method
Including encryption equipment firmware safety detection method:
By the sensor inside detection safe processor CPU and external circumstances;
If detecting situation exception, issue warning signal;
By the pre-warning signal, directly notifies or notify battery back area BBL Area in backup area by trigger circuit
Appearance is destroyed.
The safe encryption method further includes that software security starts method, is included the following steps:
Start the safe processor CPU internal securities bootstrap Security Boot Loader;
It loads the safe bootstrap Security Boot Loader and verifies startup guiding Boot firmwares;
If verification has exception, start failure;
If verifying successfully, verifies and start encryption equipment firmware.
The software security further includes System self-test after starting, and the System self-test includes the following steps:
System starts, encryption equipment firmware self-test;
If there is exception, system, which reports an error, to be exited;If self-test is normal, system encryption keys SEK is read;
Verify the correctness of system encryption keys SEK;
If the system encryption keys SEK is incorrect, system, which reports an error, to be exited;If the system encryption keys SEK is correct,
Then read key to be checked;
Judge the key to be detected using system encryption keys SEK and encrypts the consistency of storage key;
If inconsistent, system, which reports an error, to be exited, if unanimously, showing self-detection result, continues to start subsequent software module.
The safe encryption method further includes the method for secure storing of key, is included the following steps:
The system encryption keys SEK is defined, and the system encryption keys SEK is stored in the battery back area
BBL Area;
All keys are encrypted using the system encryption keys SEK and encrypted key is stored in external sudden strain of a muscle
It deposits in External Flash;
All keys are read out using system encryption keys SEK.
The second aspect of the embodiment of the present invention provides a kind of encryption equipment, including:Hardware configuration and software module, it is described soft
Part module is based on hardware configuration and realizes function load;The hardware configuration includes safe processor CPU, sensor, trigger circuit;
The sensor includes internal sensor and external trigger inductor Tamper Sensors, and the internal sensor is set to institute
It states inside safe processor CPU, the external trigger inductor Tamper Sensors pass through the trigger circuit and the peace
Full processor CPU connections;The safe processor CPU includes battery back area BBL Area;
The software module includes:Software security start unit and key handling unit, the software security start unit
For the clean boot of software level, the key handling unit is for the encryption, decryption and storage to key.
The third aspect of the embodiment of the present invention provides a kind of safe ciphering terminal equipment, including:Memory, processor with
And it is stored in the computer program that can be run in the memory and on the processor, the processor executes the calculating
The step of safe encryption method being realized when machine program.
The fourth aspect of the embodiment of the present invention provides a kind of computer readable storage medium, the computer-readable storage
Media storage has computer program, which is characterized in that the computer program realizes the safety encryption when being executed by processor
The step of method.
Existing advantageous effect is the embodiment of the present invention compared with prior art:The embodiment of the present invention by hardware configuration with
The safety encryption for being implemented in combination with encryption equipment of software module, using hardware sensor, mating trigger circuit and safe handling
The characteristic of device CPU itself ensure that the physical security of encryption equipment well;Based on physical security, safe processor is utilized
The characteristic of battery back area BBL Area inside CPU and the protection of sensor, trigger circuit, ensure that the content of core
Safety realizes the stronger safe encryption function of encryption equipment, further meets in secret machine work to stability, safety
The higher requirement of property and reliability.
Description of the drawings
It to describe the technical solutions in the embodiments of the present invention more clearly, below will be to embodiment or description of the prior art
Needed in attached drawing be briefly described, it should be apparent that, the accompanying drawings in the following description be only the present invention some
Embodiment for those of ordinary skill in the art without having to pay creative labor, can also be according to these
Attached drawing obtains other attached drawings.
Fig. 1 is the implementation process schematic diagram of encryption equipment firmware safety detection method provided in an embodiment of the present invention;
Fig. 2 is the implementation process schematic diagram that encryption equipment software security provided in an embodiment of the present invention starts method;
Fig. 3 is the implementation process schematic diagram of encryption equipment system self checking method provided in an embodiment of the present invention;
Fig. 4 is the implementation process schematic diagram of the method for secure storing of key provided in an embodiment of the present invention;
Fig. 5 is the logical schematic of key storage provided in an embodiment of the present invention;
Fig. 6 is the schematic diagram of encryption equipment hardware configuration provided in an embodiment of the present invention;
Fig. 7 is the schematic diagram of encryption equipment software module provided in an embodiment of the present invention;
Fig. 8 is encryption equipment software level structural schematic diagram provided in an embodiment of the present invention;
Fig. 9 is the schematic diagram of encryption equipment overall workflow provided in an embodiment of the present invention;
Figure 10 is the schematic diagram of encryption equipment function module provided in an embodiment of the present invention;
Figure 11 is the flow diagram that encryption equipment administrator provided in an embodiment of the present invention logs in;
Figure 12 is encryption equipment key dispersion schematic diagram provided in an embodiment of the present invention;
Figure 13 is the schematic diagram of the encrypted terminal device of safety provided in an embodiment of the present invention.
Specific implementation mode
In being described below, for illustration and not for limitation, it is proposed that such as tool of particular system structure, technology etc
Body details, to understand thoroughly the embodiment of the present invention.However, it will be clear to one skilled in the art that there is no these specific
The present invention can also be realized in the other embodiments of details.In other situations, it omits to well-known system, device, electricity
The detailed description of road and method, in case unnecessary details interferes description of the invention.
In order to illustrate technical solutions according to the invention, illustrated below by specific embodiment.
It is the implementation process schematic diagram of encryption equipment firmware safety detection method provided in an embodiment of the present invention referring to Fig. 1, it should
Method is applied to encryption equipment, and the encryption equipment is point-of-sale terminal POS machine, cloud server or background server;Described adds
Close machine includes:Safe processor CPU, sensor, battery back area BBL Area and trigger circuit, encryption equipment firmware as shown in the figure
Safety detection method may comprise steps of:
Step S101, by the sensor inside detection safe processor CPU and external circumstances.
In embodiments of the present invention, the sensor includes internal sensor and external trigger Tamper
Sensors;Internal sensor is located inside safe processor CPU, is responsible for the temperature inside detection safe processor CPU and frequency
Situations such as rate;External trigger Tamper Sensors are set on the printed circuit pcb board except safe processor CPU, are led to
It crosses special mating trigger circuit to connect with safe processor CPU, external sensor further includes shell tamper sensor, keyboard region
Whether the sensor etc. in domain, detection device are opened, if having drilling, whether have the external circumstances such as chemical attack product.
In addition, the encryption equipment, which can be point-of-sale terminal POS, the point-of-sale terminal POS, is also combined with shell mechanism
On breaking-proof switch, also have security grid computing mesh inside the described safe processor CPU, with simultaneous with multiple sensors examine
Survey the inside and outside security situations of safe processor CPU.
Step S102 is issued warning signal if detecting situation exception.
In embodiments of the present invention, the abnormal conditions include internal abnormality situation and external abnormal conditions;Described is interior
Portion's abnormal conditions include that internal sensor temperature, the frequency etc. that detect reach threshold value, then it is assumed that equipment occurs abnormal;Described
External abnormal conditions include that the front and rear casing for the equipment that external sensor detects is opened, and equipment is drilled, is corroded by chemicals
Deng external rogue attacks phenomenon, will issue warning signal.
Optionally, the pre-warning signal can be carried out voice-control alarm by alarm or pass through early-warning lamp into line flicker report
It is alert.
The pre-warning signal is directly notified or is passed through trigger circuit notice battery back area BBL Area by step S103
Backup area key data is destroyed.
In embodiments of the present invention, the pre-warning signal includes internal pre-warning signal and external pre-warning signal;Described
Internal pre-warning signal can be sent directly to the battery back area BBL Area inside safe processor CPU, notify battery back
Area is destroyed or wiped by the key data that inside preserves;The external pre-warning signal can then be touched by external special mating
Power Generation Road transmits warning information, and key data that notice battery back area BBL Area preserve inside or other data are into marketing
It ruins or wipes.
It should be noted that the inside of encryption equipment is provided with the hardware device continued power that button cell is encryption equipment, make
Even if obtain encryption equipment may also detect that abnormal phenomenon in off-mode.
Through the embodiment of the present invention, hardware based safety detection may be implemented, using hardware sensor, mating triggering
The characteristic of circuit and safe processor CPU itself, ensure that the physical security of encryption equipment;Hardware based protection ensures
The safety of encryption equipment core data realizes the secret function of the stronger safety of encryption equipment.
It is the flow diagram that encryption equipment software security provided in an embodiment of the present invention starts that method is realized, such as referring to Fig. 2
This method may comprise steps of shown in figure:
Step S201 starts the safe processor CPU internal securities bootstrap Security Boot Loader.
In embodiments of the present invention, the safe bootstrap Security Boot Loader have and can not be replaced
Property, the content that the clean boot loads Boot Loader includes the code Resident ROM resided in read-only memory
Code;The code Resident ROM Code resided in read-only memory can be an identity ID number or
Person is burst of data, is solidificated in internal storage ROM Space when safe processor CPU dispatches from the factory.
It should be noted that safe processor CPU internal storages are once written in the identity ID number or burst of data
ROM can will be changed never, it is therefore prevented that criminal uses the possibility of other manufacturer's firmwares.
Step S202 loads the safe bootstrap Security Boot Loader and verifies startup guiding Boot and consolidates
Part.
In embodiments of the present invention, the verification and start guiding boot firmwares need and meanwhile digital signature skill is added
Art, the digital signature are exactly others the hop count word string that can not forge that the sender of only information could generate, this section
Numeric string is also simultaneously the valid certificates that information authenticity is sent to the sender of information, so utilizing digital signature skill
Art, by clean boot load Security Boot Loader can not being replaced property, be further ensured that entire software architecture
Safety.
In addition, if digital signature verification success, continues the startup of next software level, operation guides Boot programs,
It guides in Boot firmware start-up courses, while can also check the state of each sensor, it is ensured that without ability in the case of exception
Continue the clean boot of next step encryption equipment firmware.
Step S203 starts failure if verification has exception.
In embodiments of the present invention, it includes that digital signature is wrong or reside in read-only memory that the verification, which exists abnormal,
Code Resident ROM Code check digit signature results mismatch, then verify failure, the startup of software can also stop,
Then system starts failure, to ensure the safety of entire software architecture.
Step S204 is verified if verifying successfully and is started encryption equipment firmware.
In embodiments of the present invention, encryption equipment firmware is verified while guiding Boot programs are loaded, including
To the trigger circuit of encryption equipment, sensor, the firmwares such as internal storage, verifying it, whether complete and function is intact etc..
In addition, the check results show that an encryption equipment firmware part has exception, such as:The accuracy of detection of sensor
And there is inaccurate problem in the setting of threshold value, the circuit of trigger circuit, which breaks down, to be led to not realize asking for information transmission
Topic etc., then stop the startup of software level, while encrypted firmware can also start failure;If check results indicate encryption equipment firmware
State is all gone well, then starts to start operation encryption equipment firmware.
Through the embodiment of the present invention, security control and system work(are taken into account by software hierarchy in software security start-up course
The control of energy ensure that the legitimacy and integrality of firmware using digital signature technology;It can also be examined in software layer start-up course
Look into the state of each sensor and other firmwares, it is ensured that the startup of encryption equipment firmware could be realized in the case of without exception,
The safety of the entire software architecture of guarantee step by step, to ensure that the safety of encryption equipment.
It is the implementation process schematic diagram of encryption equipment system self checking method provided in an embodiment of the present invention referring to Fig. 3, as schemed institute
Show, this approach includes the following steps:
Step S301, system start, encryption equipment firmware self-test.
In embodiments of the present invention, system start after, after encryption equipment firmware is verified, it is also necessary to encryption equipment firmware from
Whether function is normal etc. for inspection, the including whether self-test of sensor normal, trigger circuit and other firmwares.Pass through self-test, encryption
Machine is able to detect that in hardware or structure either with or without security risk, either with or without wrecking or eavesdropping, is able to verify that system
The legitimacy and integrality of firmware are to ensure one of the important means of encryption equipment and key safety.
Step S302, if there is exception, system, which reports an error, to be exited;If self-test is normal, system encryption keys SEK is read.
In embodiments of the present invention, if encryption equipment firmware has exception after carrying out self-test, such as:Encryption equipment hardware configuration is sent out
Raw abnormal either inner parameter is more than threshold value or imperfect etc. by rogue attacks structure, then system can propose error information,
And it exits simultaneously.
If encryption equipment firmware self-test is normal, reading system encryption keys SEK, the system encryption keys SEK can be
It is generated by the True Random Number Generator device in safe processor CPU when encryption equipment initializes, length can be 24 bytes.Cause
To be true random number, therefore it can ensure that system encryption keys SEK's is unpredictable, it is also ensured that system encryption keys SEK
Uniqueness;The reading system encryption keys SEK is specially that encryption equipment firmware is read from the regions battery back BBL Area
System encryption keys SEK.
Step S303 verifies the correctness of the system encryption keys SEK.
In the present invention is embodiment, encryption equipment firmware reads system encryption keys from the regions battery back BBL Area
SEK, if the result read is 0 entirely, then it represents that encryption equipment firmware is triggered, and the battery back regions BBL Area are by content-data
Self-destruction erasing is carried out, and prompt system encryption key malfunctions;If the system encryption keys result obtained is not all 0, further
Computation key check value KCV, the keycheck value KCV are the cyclic redundancy CRC check values of key, by the key verification
Value KCV is compared with the keycheck value KCV values that battery back area BBL Area are stored, if the two is consistent.It then indicates to read
The system encryption keys SEK taken is correct.
Step S304, if the system encryption keys SEK is incorrect, system, which reports an error, to be exited;If the system encryption is close
Key SEK is correct, then reads key to be checked.
In embodiments of the present invention, when the result of the system encryption keys of reading is all 0, then it represents that triggering self-destruction, and carry
Show error message, system encryption keys SEK is incorrect, then system, which reports an error, exits.
When the result of the system encryption keys of reading is not all 0, and the keycheck value KCV of system encryption keys and electricity
The keycheck value of pond backup area BBL Area storages is consistent, then it represents that system encryption keys SEK is correct, then continues
In next step, key to be detected is read.
In addition, the key to be detected can be the key generated inside encryption equipment, or it is injected into encryption equipment
Key can also be the password of encryption equipment administrator.
Step S305 judges the key to be detected using the system encryption keys SEK and has encrypted storage key
Consistency.
In embodiments of the present invention, judge key to be detected using system encryption keys SEK and encrypt the key of storage
Consistency, mainly judge storage key whether be encrypted by system encryption keys SEK;The specific steps are:It uses
System encryption keys SEK treats detection key and is decrypted to obtain in plain text, and calculates the keycheck value KCV of plaintext, will obtain
Keycheck value KCV and battery back area BBL Area in the keycheck value that stores be compared, according to the comparison of the two
As a result judge the consistency of key to be detected and encryption key.
Step S306, if inconsistent, system, which reports an error, to be exited, if unanimously, showing self-detection result, continues to start follow-up soft
Part module.
In embodiments of the present invention, by calculating, as the keycheck value KCV and battery back area BBL of key to be detected
When the keycheck value stored in Area is equal, then it represents that the key to be detected be it is consistent with the data for encrypting storage originally,
And then show the self-detection result of whole flow process, continue to start subsequent software module;Being indicated if the two is unequal should
Key to be detected is inconsistent with the data for encrypting storage originally, and system then shows to report an error and exit.
Through the embodiment of the present invention, by the startup self-detection of encryption equipment, not only detect in hardware or structure either with or without
It there are risk or wrecks or eavesdrops, additionally it is possible to which the legitimacy and integrality for verifying encryption equipment firmware ensure that encryption equipment
And the safety of key.
It is the implementation process schematic diagram of the method for secure storing of key provided in an embodiment of the present invention, this method referring to Fig. 4
Including step once:
Step S401 defines the system encryption keys SEK, and the system encryption keys SEK is stored in the electricity
Pond backup area BBL Area.
In embodiments of the present invention, encryption equipment define a system encryption keys SEK, when encryption equipment initializes by
True Random Number Generator in safe processor CPU generates, and length is 24 bytes, and stored in clear is in battery back area BBL Area
Subsidiary internal stationary memory SRAM because internal stationary memory SRAM can only legal firmware read, and have hardware components
Safety protective circuit protection, therefore stored in clear does not have security risk in battery back area BBL Area;Because of system
Encryption key is true random number, therefore can ensure that system encryption keys SEK's is unpredictable, it is also ensured that system encryption is close
The uniqueness of key SEK.
It should be noted that encryption equipment can only initialize once, system encryption keys are then generated, it later again can be not initial
Change.
All keys are encrypted using the system encryption keys SEK and protect encrypted key by step S402
There are in external flash External Flash.
In embodiments of the present invention, system encryption keys SEK needs keys to be protected for encrypting all, the step for have
Body further includes:
The system encryption keys SEK is read, clear data is encrypted to obtain pair using the system encryption keys SEK
The ciphertext is stored in external flash External Flash by the ciphertext answered.
In embodiments of the present invention, all keys include but not limited to the key generated inside encryption equipment, external
Inject the key of encryption equipment and the key of encryption equipment administrator login.Since system encryption keys SEK is also burst of data, make
With system encryption keys SEK to all keys be encrypted the result is that in the form of ciphertext, and be stored in safe handling
In flash memory External Flash outside device outer CPU.
Wherein, key is encrypted using system encryption keys SEK, used Encryption Algorithm is triple data encryptions
Standard TDES algorithms.
Step S403 is read out all keys using system encryption keys SEK.
In embodiments of the present invention, it could also be used by system encryption keys SEK when encryption equipment reads key close
Key further includes specifically in this step:
The system encryption keys SEK is read, the ciphertext of external flash External Flash is stored in described in reading, is made
The ciphertext is decrypted with the system encryption keys, obtained corresponding plaintext is supplied to subsequent software flow.
In embodiments of the present invention, it when encryption equipment reads key, also needs to use system encryption keys SEK,
Ciphertext to being stored in external flash External Flash is decrypted to obtain the original text of ciphertext, could use key, be adopted
Decipherment algorithm is similarly the algorithm of triple DES TDES.
In addition, system encryption keys SEK can also equally protect the password of encryption equipment administrator.
It should be noted that since battery back area BBL Area are protected by hardware protection circuit, encryption equipment once by
Attack, internal all data, which will include system encryption keys SEK, to be wiped free of, and be owned using system encryption keys SEK is encrypted
Key cannot be decrypted, to ensure that the safety of key.
The logical schematic of key storage provided in an embodiment of the present invention as shown in Figure 5, when encryption equipment initializes
The system encryption keys SEK of definition is stored in battery back area BBL Area, and stored in clear is in battery back area BBL Area
In subsidiary static memory SRAM.The system encryption keys SEK is used to carry out triple data encryption marks to all keys
The encryption of quasi- TDES algorithms, obtains encrypted key data, and the obtained key data includes unsymmetrical key data
And symmetric key data, and be respectively stored in external flash Flash.
Through the embodiment of the present invention, the effect of system encryption keys SEK is to need key to be protected for encrypting all, than
Such as the key generated inside encryption equipment, the key etc. of outside injection.Since all keys are added by system encryption keys SEK
Close, so encryption equipment only needs to protect the safety of system encryption keys SEK, so that it may to ensure the safety of all keys, even if
Someone illegally gets key data, and what is obtained is all ciphertext form, and from the angle of cryptography, these data are also all safety
's.
It should be understood that the size of the serial number of each step is not meant that the order of the execution order in above-described embodiment, each process
Execution sequence should be determined by its function and internal logic, the implementation process without coping with the embodiment of the present invention constitutes any limit
It is fixed.
It is that the schematic diagram of encryption equipment hardware configuration provided in an embodiment of the present invention only shows for convenience of description referring to Fig. 6
Go out and the relevant part of the embodiment of the present invention.The secret machine of safety provided in an embodiment of the present invention includes hardware configuration and software mould
Group, wherein software module realizes the load of function based on hardware configuration.
As shown in fig. 6, the hardware configuration includes safe processor CPU 601, and sensor, trigger circuit;Sensor
Including internal sensor and external trigger inductor Tamper Sensors 602, internal sensor is set to safe processor
Inside CPU, external trigger inductor Tamper Sensors are connect by trigger circuit with safe processor CPU;Safe handling
Device CPU includes battery back area BBL Area 603;
Including read only memory ROM 604 and internal stationary memory I nternal SRAM 605, read only memory ROM
It is set to inside safe processor CPU with internal stationary memory I nternal SRAM, read-only deposit is stored in read-only memory
Code Resident ROM code in reservoir;
Further include liquid crystal display LCD 606, keyboard 607, smart card reader 608, external memory 609, external storage
Device 610, battery 611, serial ports (universal serial bus) 612, mfp printer, card reader for magnetic strip cards 614 one or more and with
Safe processor CPU 601 is connected;
It further include ethernet network interface 615 and/or normal serial module network interface 616, and ethernet network interface
615 and/or normal serial module network interface 616 be connected with the safe processor CPU.
As shown in fig. 7, being the schematic diagram of encryption equipment software module 7 provided in an embodiment of the present invention, the software module
Including:
Software security start unit 71 and key handling unit 72, software security start unit are used for the safety of software level
Start, key handling unit is for the encryption, decryption and storage to key;Data communication unit 73, the data communication unit
Reception and transmission for data.
Wherein, software security start unit realizes the peace of software Booting sequence by structural representation Fig. 8 of software level
All risk insurance is demonstrate,proved, as shown in figure 8, according to the code check in the read-only memory inside safe processor CPU and starting guiding Boot
Firmware, while also by means of signature technology, guiding Boot firmwares verify and are started in loading process encryption equipment firmware, ensure that
The legitimacy and integrality of encryption equipment firmware.
The external interface that the data communication unit of encryption equipment is supported includes:The serial data interface of proposed standard RS-232 and
Several mouthfuls at full speed of general-purpose serial bus USB 2.0;Wherein, the serial data interface of proposed standard RS-232 supports highest 115200
Baud rate, and be equipped in host side and drive journey with the general-purpose serial bus USB of 2.0 interface kit of general-purpose serial bus USB
Sequence.
Secret machine is connected to by serial ports or universal serial bus on host, and the data packet that receiving host issues carries out it
Encryption;The format of wherein host data packet is as shown in Table 1, and bebinning character, packet serial number, check word occupy a byte, rises
Beginning character representation is 0x02, and check word is the exclusive or value of other data in addition to bebinning character;Command word occupies two with length
Byte further includes that order classification (being expressed as 0x90) and subcommand code correspond to a byte respectively in command word, in length packet
First character section is length divided by 256 round numbers of data packet, and second byte is that the length of data packet divided by 256 take the remainder.
After encryption equipment receives the data packet of host, it can correspond to and generate a response bag, the format for the data packet that secret machine is responded is such as
Shown in table 2, in addition to return code more than data packet, other are identical as the format of table 1, and wherein return code is to notify host
Every order as a result, its definition is as shown in Table 3.
Table 1
Table 2
It is macro | Value | Meaning |
PCI_OK | 0x00 | Correctly |
PCI_UNSPT_CMD | 0xff | Illegal command |
Table 3
After encryption equipment is communicated with host, after both sides obtain backspace code, fault-tolerant processing can be according to circumstances carried out, than
Such as:Length is not right, then reexamines data format;Key is not present, and suggests that query key etc..
It is the workflow schematic diagram of encryption equipment provided in an embodiment of the present invention entirety referring to Fig. 9, as shown, encryption
After machine powers on booting, administrator log in, after administrator logins successfully, start to select corresponding feature operation, it can be achieved that function
Including:Private key, Digital signature service, system administrator functions are injected, asymmetric arithmetic key, wherein system administrator functions packet are dissipated
It includes:Change login password, switching language and upload journal file etc..Encryption equipment high-level schematic functional block diagram packet as shown in Figure 10
It includes:System management module generates key and distribution module, key injection module, encryption and decryption service module.
Wherein, system management module includes:Admin Administration, password modification management, multilingual support, log management are
System self-test.
Admin Administration, the embodiment of the present invention are that encryption sets two administrators, and each administrator holds respective close
Code, only there are two administrator's respective passwords of input on the scene could enter system management module, real for the present invention as shown in figure 11
The flow diagram that the encryption equipment administrator of example offer logs in is applied, after encryption equipment powers on booting, long-press enters "enter" key" entrance
Administrator's login step;System prompt inputs administrator's password;Password is inputted by administrator A first;System authentic administrator A's
Whether password is correct, if incorrect, system exits, if correctly, entering in next step;Password, verification pipe are inputted by administrator B
Whether the password of reason person B is correct, if mistake, system exits, the entered function menu if correct.
In addition, the password of administrator is stored in after being encrypted by system encryption keys SEK in file system.
Password modification management, after administrator enters system management module, allows the password for changing oneself, modified Xinmi City
Code after system encryption keys SEK encryptions equally by storing.
Chinese and English bilingual are supported in multilingual support, in embodiments of the present invention, encryption equipment.
Log management, including management event there is administrator to log in ADMIN LOGON, upload daily record UPLOAD LOG, cut
Language SWITCH LANG is changed, private key INJECT PVK FROM ICC is injected from card, signature SIGNATURE is carried out to file
FILE, administrator exit ADMIN LOGOFF, modification login password MODIFY LOGON PWD etc..Event described above is being encrypted
It can be included in daily record log files in machine, as shown in Table 4;The data structure recorded in corresponding daily record log files includes rope
Draw Index, data/time Data/Time, event Event, result Result, ending End and corresponding byte number and tool
The information format of body, daily record log files as shown in Table 5 summarize the data structure of every record.
Table 4
Table 5
Key and distribution module are generated, the generation and distribution of system key are used for.
In embodiments of the present invention, encryption equipment realizes the public and private key of unsymmetrical key by function RSAKeyPairGen
To generation, wherein RSAKeyPairGen be RSA algorithm realize.
After asymmetric public private key pair generates, in order to ensure the validity of the public and private key generated, encryption equipment will be public and private to every group
Key completes the verification of public and private key, RSAKeyPairVerify algorithms by function RSAKeyPairVerify to verifying
Core concept be that encryption obtains key in plain text by using one section of public key pair, reuse corresponding private key and key be decrypted
Another section of plaintext is obtained, if two sections of plaintexts are identical, can be determined that the public key and private key are a pair of of RSA keys.
In embodiments of the present invention, the principle of key dispersion is to first pass through nonce generation function to obtain random number, is passed through
Multiple recursive call generates a string length and is greater than or equal to private key structure size (size of private key data structure is 1163 bytes)
Random data, take preceding 1162 byte (size of i.e. one private key structure) of this section of random number to be used as dispersion factor, then use this
The data of private key structure carry out exclusive or in the public private key pair that one dispersion factor is generated with encryption equipment, obtain another 1162 byte
The dispersion results of (size of i.e. one private key structure).
Finally dispersion factor and dispersion results are respectively stored into two IC card, two IC card become A cards and B cards, such as
Shown in Figure 12, A cards store key components A, B card storage key components B.
In embodiments of the present invention, the algorithm that encryption equipment is supported includes:The symmetrical enciphering and deciphering algorithm data of data symmetrically add
Decryption uses:DES Cipher algorithm, triple DES 3DES algorithms, Advanced Encryption Standard aes algorithm;Number
Word signature, sign test use:Public key encryption RSA Algorithm (including 1024/2048/4096 bit);The protection of personal identification code uses:Number
According to encryption standard DES algorithms, triple DES 3DES algorithms, Advanced Encryption Standard aes algorithm, the close SM1 algorithms of state and
The close SM4 algorithms of state;Message integrity protection uses:Message authentication code MAC is calculated and verification, DES Cipher algorithm, and three
Weight data encryption standards 3DES algorithms, Advanced Encryption Standard aes algorithm;Eap-message digest includes:Hash SHA1 algorithms, Hash SHA-
The 256 MD5 algorithms of algorithm eap-message digest the 5th edition.
Through the embodiment of the present invention, inexpensive hardware and structure design save purchase machine expense;On hardware, using tactile
Send out inductor tamper sensor and mating hardware circuit, the battery back area BBL Area of processor CPU safe to use
To store sensitive data (key etc.);On software, since the code ROM CODE in read-only memory, utilization step by step
Digital signature technology ensures that firmware is safe, and encryption equipment firmware itself has self-checking function etc., by hardware above circuit and
Software hierarchical structure, Booting sequence design, digital signature etc. provide the physics and surface structure design of safety and stability, related
Safe design can pass through the requirement of payment card industry PCI highest safety certifications;The software model of stratification is provided, and is carried
A kind of safe startup control mode is supplied;Additionally provide the Life cycle such as key generation, preservation, distribution, injection and destruction
Key security management system.
In addition, through the embodiment of the present invention, system mean time between failures can pass through Payment Card row up to 2400 hours
The verification of industry PCI 4.x standards, it is 12 seconds to generate a pair of of public key encryption algorithm RSA 1024bits key longests and take, RSA
It is 38 seconds that 2048bits key longests, which take, and highest can support 115200 serial port baud rate and common serial bus USB
The communication of full rate.
Figure 13 is the schematic diagram for the encrypted terminal device of safety that one embodiment of the invention provides.As shown in figure 13, the reality
The encrypted terminal device of safety 13 for applying example includes:It processor 130, memory 131 and is stored in the memory 131 simultaneously
The computer program 132 that can be run on the processor 130, for example, the data structure program of key asymmetric arithmetic key or
The generation program of public and private key key pair.The processor 130 realizes that above-mentioned each safety adds when executing the computer program 132
Step in decryption method embodiment, such as step 101 shown in FIG. 1 is to 103.Alternatively, the processor 130 executes the calculating
The function of each module/unit in above-mentioned each device embodiment is realized when machine program 132.
Illustratively, the computer program 132 can be divided into one or more module/units, it is one or
Multiple module/the units of person are stored in the memory 131, and are executed by the processor 130, to complete the present invention.Institute
It can be the series of computation machine program instruction section that can complete specific function, the instruction segment to state one or more module/units
For describing implementation procedure of the computer program 62 in the encrypted terminal device of the safety 13.For example, the calculating
Machine program 132 can be divided into synchronization module, summarizing module, acquisition module, return module (module in virtual bench) etc..
The encrypted terminal device of the safety 13 can be desktop PC, notebook, palm PC and cloud service
The computing devices such as device.The encrypted terminal device of safety may include, but be not limited only to, processor 130, memory 131.Ability
Field technique personnel are appreciated that Figure 13 is only the example of safe encrypted terminal device 13, do not constitute encrypted to safety
The restriction of terminal device 13 may include either combining certain components or different portions than illustrating more or fewer components
Part, such as the encrypted terminal device of the safety can also include input-output equipment, network access equipment, bus etc..
Alleged processor 130 can be central processing unit (Central Processing Unit, CPU), can also be
Other general processors, digital signal processor (Digital Signal Processor, DSP), application-specific integrated circuit
(Application Specific Integrated Circuit, ASIC), ready-made programmable gate array (Field-
Programmable Gate Array, FPGA) either other programmable logic device, discrete gate or transistor logic,
Discrete hardware components etc..General processor can be microprocessor or the processor can also be any conventional processor
Deng.
The memory 131 can be the internal storage unit of the encrypted terminal device of the safety 13, for example, safety plus
The hard disk or memory of close terminal device 13.The memory 131 can also be the outer of the encrypted terminal device of the safety 13
The plug-in type hard disk being equipped in portion's storage device, such as the encrypted terminal device of the safety 13, intelligent memory card (Smart
Media Card, SMC), secure digital (Secure Digital, SD) card, flash card (Flash Card) etc..Further,
The memory 131 can also both include the internal storage unit of the encrypted terminal device of the safety 13 or including external storage
Equipment.The memory 131 is used to store other needed for the computer program and the encrypted terminal device of the safety
Program and data.The memory 131 can be also used for temporarily storing the data that has exported or will export.
Yet another embodiment of the invention additionally provides a kind of computer readable storage medium, which can
To be computer readable storage medium included in the memory in above-described embodiment;Can also be individualism, it is unassembled
Enter the computer readable storage medium in terminal.There are one the computer-readable recording medium storages or more than one journey
Sequence, the one or more programs are used for executing an information processing side by one or more than one processor
Method.
It is apparent to those skilled in the art that for convenience of description and succinctly, only with above-mentioned each work(
Can unit, module division progress for example, in practical application, can be as needed and by above-mentioned function distribution by different
Functional unit, module are completed, i.e., the internal structure of described device are divided into different functional units or module, more than completion
The all or part of function of description.Each functional unit, module in embodiment can be integrated in a processing unit, also may be used
It, can also be above-mentioned integrated during two or more units are integrated in one unit to be that each unit physically exists alone
The form that hardware had both may be used in unit is realized, can also be realized in the form of SFU software functional unit.In addition, each function list
Member, the specific name of module are also only to facilitate mutually distinguish, the protection domain being not intended to limit this application.Above system
The specific work process of middle unit, module, can refer to corresponding processes in the foregoing method embodiment, and details are not described herein.
In the above-described embodiments, it all emphasizes particularly on different fields to the description of each embodiment, is not described in detail or remembers in some embodiment
The part of load may refer to the associated description of other embodiments.
Those of ordinary skill in the art may realize that lists described in conjunction with the examples disclosed in the embodiments of the present disclosure
Member and algorithm steps can be realized with the combination of electronic hardware or computer software and electronic hardware.These functions are actually
It is implemented in hardware or software, depends on the specific application and design constraint of technical solution.Professional technician
Each specific application can be used different methods to achieve the described function, but this realization is it is not considered that exceed
The scope of the present invention.
In embodiment provided by the present invention, it should be understood that disclosed device/terminal device and method, it can be with
It realizes by another way.For example, device described above/terminal device embodiment is only schematical, for example, institute
The division of module or unit is stated, only a kind of division of logic function, formula that in actual implementation, there may be another division manner, such as
Multiple units or component can be combined or can be integrated into another system, or some features can be ignored or not executed.Separately
A bit, shown or discussed mutual coupling or direct-coupling or communication connection can be by some interfaces, device
Or INDIRECT COUPLING or the communication connection of unit, can be electrical, machinery or other forms.
The unit illustrated as separating component may or may not be physically separated, aobvious as unit
The component shown may or may not be physical unit, you can be located at a place, or may be distributed over multiple
In network element.Some or all of unit therein can be selected according to the actual needs to realize the mesh of this embodiment scheme
's.
In addition, each functional unit in each embodiment of the present invention can be integrated in a processing unit, it can also
It is that each unit physically exists alone, it can also be during two or more units be integrated in one unit.Above-mentioned integrated list
The form that hardware had both may be used in member is realized, can also be realized in the form of SFU software functional unit.
If the integrated module/unit be realized in the form of SFU software functional unit and as independent product sale or
In use, can be stored in a computer read/write memory medium.Based on this understanding, the present invention realizes above-mentioned implementation
All or part of flow in example method, can also instruct relevant hardware to complete, the meter by computer program
Calculation machine program can be stored in a computer readable storage medium, the computer program when being executed by processor, it can be achieved that on
The step of stating each embodiment of the method.Wherein, the computer program includes computer program code, the computer program generation
Code can be source code form, object identification code form, executable file or certain intermediate forms etc..The computer-readable medium
May include:Any entity or device, recording medium, USB flash disk, mobile hard disk, magnetic of the computer program code can be carried
Dish, CD, computer storage, read-only memory (ROM, Read-Only Memory), random access memory (RAM,
Random Access Memory), electric carrier signal, telecommunication signal and software distribution medium etc..It should be noted that described
The content that computer-readable medium includes can carry out increasing appropriate according to legislation in jurisdiction and the requirement of patent practice
Subtract, such as in certain jurisdictions, according to legislation and patent practice, computer-readable medium do not include be electric carrier signal and
Telecommunication signal.
Embodiment described above is merely illustrative of the technical solution of the present invention, rather than its limitations;Although with reference to aforementioned reality
Applying example, invention is explained in detail, it will be understood by those of ordinary skill in the art that:It still can be to aforementioned each
Technical solution recorded in embodiment is modified or equivalent replacement of some of the technical features;And these are changed
Or replace, the spirit and scope for various embodiments of the present invention technical solution that it does not separate the essence of the corresponding technical solution should all
It is included within protection scope of the present invention.
Claims (10)
1. a kind of safe encryption method, it is applied to encryption equipment, which is characterized in that the firmware of the encryption equipment includes:Safe handling
Device CPU, sensor, battery back area BBL Area and trigger circuit;The safe encryption method includes encryption equipment firmware safety
Detection method:
By the sensor inside detection safe processor CPU and external circumstances;
If detecting situation exception, issue warning signal;
By the pre-warning signal, directly notice or by trigger circuit notify battery back area BBL Area to backup area content into
Marketing is ruined.
2. safe encryption method as described in claim 1, which is characterized in that the safe encryption method further includes software security
Startup method, includes the following steps:
Start the safe processor CPU internal securities bootstrap Security Boot Loader;
It loads the safe bootstrap Security Boot Loader and verifies startup guiding Boot firmwares;
If verification has exception, start failure;
If verifying successfully, verifies and start encryption equipment firmware.
3. safe encryption method as claimed in claim 2, which is characterized in that it further includes system that the software security, which starts later,
Self-test, the System self-test include the following steps:
System starts, encryption equipment firmware self-test;
If there is exception, system, which reports an error, to be exited;If self-test is normal, system encryption keys SEK is read;
Verify the correctness of the system encryption keys SEK;
If the system encryption keys SEK is incorrect, system, which reports an error, to be exited;If the system encryption keys SEK is correct, read
Take key to be checked;
Judge the key to be detected using the system encryption keys SEK and encrypts the consistency of storage key;
If inconsistent, system, which reports an error, to be exited, if unanimously, showing self-detection result, continues to start subsequent software module.
4. safe encryption method as claimed in claim 3, which is characterized in that the encryption equipment further includes:External flash
External Flash, the safe encryption method further include the method for secure storing of key, are included the following steps:
The system encryption keys SEK is defined, and the system encryption keys SEK is stored in the battery back area BBL
Area;
All keys are encrypted using the system encryption keys SEK and encrypted key is stored in external flash
In External Flash;
All keys are read out using system encryption keys SEK.
5. safe encryption method as claimed in claim 4, which is characterized in that described pair of all keys use the system encryption
Key SEK is encrypted and encrypted key is stored in external flash External Flash:
The system encryption keys SEK is read, clear data is encrypted to obtain using the system encryption keys SEK corresponding
The ciphertext is stored in external flash External Flash by ciphertext.
6. safe encryption method as claimed in claim 5, which is characterized in that described pair of all keys use system encryption keys
SEK be read out including:
The system encryption keys SEK is read, the ciphertext of external flash External Flash is stored in described in reading, uses institute
It states system encryption keys the ciphertext is decrypted, obtained corresponding plaintext is supplied to subsequent software flow.
7. a kind of encryption equipment, which is characterized in that including:Hardware configuration and software module, the software module are based on hardware configuration
Realize function load;The hardware configuration includes safe processor CPU, sensor, trigger circuit;The sensor includes inside
Sensor and external trigger inductor Tamper Sensors, the internal sensor are set in the safe processor CPU
Portion, the excessively described trigger circuits of external trigger inductor Tamper Sensors are connect with the safe processor CPU;It is described
Safe processor CPU includes battery back area BBL Area;
The software module includes:Software security start unit and key handling unit, the software security start unit are used for
The clean boot of software level, the key handling unit is for the encryption, decryption and storage to key.
8. encryption equipment as claimed in claim 7, which is characterized in that the hardware configuration further includes:
Read only memory ROM and internal stationary memory I nternal SRAM, the read only memory ROM and the inside are quiet
State memory I nternal SRAM are set to inside the safe processor CPU, and read-only deposit is stored in the read-only memory
Code Resident ROM code in reservoir;
Liquid crystal display LCD, keyboard, smart card reader, external memory, external memory, battery, serial ports, printer, magnetic stripe
Card reader one or more and it is connected with safe processor CPU;
Ethernet network interface and/or normal serial module network interface, and ethernet network interface and/or normal serial module
Network interface is connected with the safe processor CPU;
The software module further includes:Data communication unit, the data communication unit are used for the reception and transmission of data.
9. a kind of encrypted terminal device of safety, including memory, processor and it is stored in the memory and can be in institute
State the computer program run on processor, which is characterized in that the processor is realized when executing the computer program as weighed
Profit requires the step of any one of 1 to 6 the method.
10. a kind of computer readable storage medium, the computer-readable recording medium storage has computer program, feature to exist
In when the computer program is executed by processor the step of any one of such as claim 1 to 6 of realization the method.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711331236.3A CN108629206B (en) | 2017-12-13 | 2017-12-13 | Secure encryption method, encryption machine and terminal equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711331236.3A CN108629206B (en) | 2017-12-13 | 2017-12-13 | Secure encryption method, encryption machine and terminal equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108629206A true CN108629206A (en) | 2018-10-09 |
CN108629206B CN108629206B (en) | 2020-11-03 |
Family
ID=63705871
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711331236.3A Active CN108629206B (en) | 2017-12-13 | 2017-12-13 | Secure encryption method, encryption machine and terminal equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108629206B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110505048A (en) * | 2019-08-16 | 2019-11-26 | 兆讯恒达微电子技术(北京)有限公司 | A kind of method of data encryption standards coprocessor self-test |
CN110502379A (en) * | 2019-08-16 | 2019-11-26 | 兆讯恒达微电子技术(北京)有限公司 | A kind of method of elliptic curve encryption algorithm coprocessor self-test |
CN110688660A (en) * | 2019-09-27 | 2020-01-14 | 深圳市共进电子股份有限公司 | Method and device for safely starting terminal and storage medium |
CN111008392A (en) * | 2019-12-25 | 2020-04-14 | 中电科航空电子有限公司 | Self-destruction control method of positioning equipment and related device |
CN111563280A (en) * | 2020-05-06 | 2020-08-21 | 杭州锘崴信息科技有限公司 | Secure computing system and method of operating the same |
CN113282950A (en) * | 2021-07-26 | 2021-08-20 | 阿里云计算有限公司 | Operation and maintenance method, device, equipment and system of encryption machine |
CN114924808A (en) * | 2022-05-12 | 2022-08-19 | 中国电子科技集团公司第二十九研究所 | SRAM type FPGA on-orbit reliable loading method based on duplicate storage program |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106059771A (en) * | 2016-05-06 | 2016-10-26 | 上海动联信息技术股份有限公司 | Intelligent POS machine secret key management system and method |
CN107341085A (en) * | 2017-06-14 | 2017-11-10 | 北京多思技术服务有限公司 | A kind of control device |
-
2017
- 2017-12-13 CN CN201711331236.3A patent/CN108629206B/en active Active
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106059771A (en) * | 2016-05-06 | 2016-10-26 | 上海动联信息技术股份有限公司 | Intelligent POS machine secret key management system and method |
CN107341085A (en) * | 2017-06-14 | 2017-11-10 | 北京多思技术服务有限公司 | A kind of control device |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110505048A (en) * | 2019-08-16 | 2019-11-26 | 兆讯恒达微电子技术(北京)有限公司 | A kind of method of data encryption standards coprocessor self-test |
CN110502379A (en) * | 2019-08-16 | 2019-11-26 | 兆讯恒达微电子技术(北京)有限公司 | A kind of method of elliptic curve encryption algorithm coprocessor self-test |
CN110505048B (en) * | 2019-08-16 | 2022-04-15 | 兆讯恒达科技股份有限公司 | Self-checking method for data encryption standard coprocessor |
CN110502379B (en) * | 2019-08-16 | 2022-11-22 | 兆讯恒达科技股份有限公司 | Self-checking method for coprocessor of elliptic encryption algorithm |
CN110688660A (en) * | 2019-09-27 | 2020-01-14 | 深圳市共进电子股份有限公司 | Method and device for safely starting terminal and storage medium |
CN110688660B (en) * | 2019-09-27 | 2021-08-24 | 深圳市共进电子股份有限公司 | Method and device for safely starting terminal and storage medium |
CN111008392A (en) * | 2019-12-25 | 2020-04-14 | 中电科航空电子有限公司 | Self-destruction control method of positioning equipment and related device |
CN111563280A (en) * | 2020-05-06 | 2020-08-21 | 杭州锘崴信息科技有限公司 | Secure computing system and method of operating the same |
CN111563280B (en) * | 2020-05-06 | 2023-12-05 | 杭州锘崴信息科技有限公司 | Secure computing system and method of operating the same |
CN113282950A (en) * | 2021-07-26 | 2021-08-20 | 阿里云计算有限公司 | Operation and maintenance method, device, equipment and system of encryption machine |
CN113282950B (en) * | 2021-07-26 | 2021-12-21 | 阿里云计算有限公司 | Operation and maintenance method, device, equipment and system of encryption machine |
CN114924808A (en) * | 2022-05-12 | 2022-08-19 | 中国电子科技集团公司第二十九研究所 | SRAM type FPGA on-orbit reliable loading method based on duplicate storage program |
Also Published As
Publication number | Publication date |
---|---|
CN108629206B (en) | 2020-11-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108629206A (en) | A kind of safe encryption method, encryption equipment and terminal device | |
Cooper et al. | Computer and communications security | |
US10733291B1 (en) | Bi-directional communication protocol based device security | |
CN104217327B (en) | A kind of financial IC card internet terminal and its method of commerce | |
US20030009687A1 (en) | Method and apparatus for validating integrity of software | |
US20050283826A1 (en) | Systems and methods for performing secure communications between an authorized computing platform and a hardware component | |
Longley et al. | Data And Computer Security: A Dictionary Of Terms And Concepts | |
JP2015154491A (en) | System and method for remote access and remote digital signature | |
CN103065102A (en) | Data encryption mobile storage management method based on virtual disk | |
TW200405963A (en) | Sleep protection | |
JP2008269610A (en) | Protecting sensitive data intended for remote application | |
CN101739622A (en) | Trusted payment computer system | |
CN108694122B (en) | Method for symbol execution of restricted devices | |
Mavrovouniotis et al. | Hardware security modules | |
CN107133512A (en) | POS terminal control method and device | |
CN200993803Y (en) | Internet banking system safety terminal | |
Götzfried et al. | Mutual authentication and trust bootstrapping towards secure disk encryption | |
CN1331015C (en) | Computer security startup method | |
CN101206779A (en) | Online banking system safety terminal and data safety processing method thereof | |
WO2024011812A1 (en) | Blockchain-based supervision system and method, device, and medium | |
Müller et al. | Stark: Tamperproof Authentication to Resist Keylogging | |
CN112825093B (en) | Security baseline checking method, host, server, electronic device and storage medium | |
US20210111870A1 (en) | Authorizing and validating removable storage for use with critical infrastrcture computing systems | |
CN101739623A (en) | Trusted payment computer system | |
Bulut | Secure hardware cryptocurrency wallet within common criteria framework |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |