CN109446831A - Key generation and verification method and system based on hardware device - Google Patents


Info

Publication number
CN109446831A
Authority
CN
China
Prior art keywords
key
hardware device
encrypted
encryption
producing line
Prior art date
Legal status
Granted
Application number
CN201811602380.0A
Other languages
Chinese (zh)
Other versions
CN109446831B (en)
Inventor
于永庆
张帆
刘航
隆婷
靳慧杰
金正雄
Current Assignee
Guizhou Huaxintong Semiconductor Technology Co Ltd
Original Assignee
Guizhou Huaxintong Semiconductor Technology Co Ltd
Application filed by Guizhou Huaxintong Semiconductor Technology Co Ltd
Priority to CN201811602380.0A
Publication of CN109446831A
Application granted
Publication of CN109446831B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services


Abstract

The present disclosure provides a hardware-device-based key generation and verification method and system for product port protection. The generation and verification method includes: generating a root key by an authorized first hardware device connected to a production-line controller; generating, by an authorized second hardware device connected to the production-line controller, an application key using a national cryptographic (SM) algorithm with the root key and with the product identifier as the dispersion factor; generating, by an authorized third hardware device connected to the production-line controller, a key for port protection using the national cryptographic algorithm with the application key and with the product identifier as the dispersion factor; and writing the key for port protection into the protected area of the product by the production-line controller. For verification, the third hardware device reads the application key from its configuration file and uses the national cryptographic algorithm with the application key and with the product identifier as the dispersion factor to generate the key for port protection, and the production-line controller compares the generated key with the key in the protected area to verify the port.

Description

Key generation and verification method and system based on hardware device
Technical field
This disclosure relates to a port protection method and system, and more particularly to a hardware-device-based key generation and verification method and system for the port protection of a product.
Background technique
A debug port is a port included in a device to simplify development and debugging; it is not required for the normal operation of the device. Debug ports are usually not removed or disabled: this avoids the cost of a design change and also helps engineers trace, locate and debug problems. However, if no protective measure is applied to the debug port, it becomes an important attack interface for hackers or competitors. Examples include the JTAG interface, LPC (Low Pin Count), Serial Wire Debug, Background Debug Mode Interface and Program and Debug Interface on a chip.
The protection methods currently used for debug ports fall roughly into two kinds: the first closes the debug port directly; the second protects the debug port with a software daemon. Closing the debug port directly protects the internal resources of the chip very securely, but if a problem occurs it is highly detrimental to the engineer's ability to trace, locate and debug that problem. The second method, protecting the debug port with a daemon, protects the port to a certain extent, but is easily cracked and attacked by hackers.
In view of the above, the present disclosure proposes a hardware-device-based key generation and verification method and system for product port protection, where, for example, the port of the product may be a debug port. The disclosed method can effectively prevent the port of the product from being attacked and cracked by hackers, while still allowing engineers to locate, trace and debug through the port to solve actual problems.
Summary of the invention
The present disclosure provides a hardware-device-based key generation method for product port protection, the method comprising: generating, by an authorized first hardware device connected to a production-line controller, a root key, encrypting the root key with the public key of a first encryption/decryption key pair, and writing the encrypted root key into the configuration file of an authorized second hardware device connected to the production-line controller; reading, by the authorized second hardware device connected to the production-line controller, the encrypted root key from the configuration file of the second hardware device, decrypting the encrypted root key with the private key of the first encryption/decryption key pair, generating an application key using the national cryptographic algorithm with the root key and with the product identifier as the dispersion factor, encrypting the application key with the public key of a second encryption/decryption key pair, and writing the encrypted application key into the configuration file of an authorized third hardware device connected to the production-line controller; and reading, by the authorized third hardware device connected to the production-line controller, the encrypted application key from the configuration file of the third hardware device, decrypting the encrypted application key with the private key of the second encryption/decryption key pair, and generating the key for port protection using the national cryptographic algorithm with the application key and with the product identifier as the dispersion factor.
According to one aspect of the disclosure, a hardware-device-based key verification method for product port protection is provided, the method comprising: reading, by the third hardware device connected to the production-line controller, the encrypted application key from the configuration file of the third hardware device, decrypting the encrypted application key to obtain the application key, generating key source data using the national cryptographic algorithm with the application key and with the product identifier as the dispersion factor, and performing an inverse transform on the key source data to generate the key for port protection; and comparing, by the production-line controller, the generated key for port protection with the key for port protection in the protected area of the product in order to verify the port.
According to another aspect of the disclosure, a hardware-device-based key generation system for product port protection is provided, the system comprising: an authorized first hardware device connected to the production-line controller, configured to generate a root key, encrypt the root key with the public key of the first encryption/decryption key pair, and write the encrypted root key into the configuration file of an authorized second hardware device connected to the production-line controller; the authorized second hardware device connected to the production-line controller, configured to read the encrypted root key from the configuration file of the second hardware device, decrypt the encrypted root key with the private key of the first encryption/decryption key pair, generate an application key using the national cryptographic algorithm with the root key and with the product identifier as the dispersion factor, encrypt the application key with the public key of the second encryption/decryption key pair, and write the encrypted application key into the configuration file of an authorized third hardware device connected to the production-line controller; and the authorized third hardware device connected to the production-line controller, configured to read the encrypted application key from the configuration file of the third hardware device, decrypt the encrypted application key with the private key of the second encryption/decryption key pair, and generate the key for port protection using the national cryptographic algorithm with the application key and with the product identifier as the dispersion factor.
According to another aspect of the disclosure, a hardware-device-based key verification system for product port protection is provided, the system comprising: the third hardware device connected to the production-line controller, configured to: read the encrypted application key from the configuration file of the third hardware device; decrypt the encrypted application key to obtain the application key; use the national cryptographic algorithm with the application key and with the product identifier as the dispersion factor to generate key source data; perform an inverse transform on the key source data to generate the key for port protection; and compare the generated key for port protection with the key for port protection in the protected area of the product in order to verify the port.
With the technical solution of the disclosure, the root key, the application key and the debug key are all obtained by hardware algorithms and stored within hardware; the key plaintext is never visible, so protecting the debug port with the debug key is safe and reliable. It effectively prevents hackers from attacking the port and stealing program code, and at the same time, when the chip fails, it helps developers trace and locate the problem and debug it.
The details of one or more embodiments of the subject matter of this specification are set forth in the accompanying drawings and the description below. Other features, aspects and advantages of the subject matter will become apparent from the specification, the drawings and the claims.
Detailed description of the invention
In order to illustrate the technical solution of the embodiments of the present disclosure more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of the disclosure and should therefore not be construed as a restriction of its scope; those of ordinary skill in the art can obtain other relevant drawings from these drawings without creative effort.
Fig. 1 is a flow chart of the hardware-device-based key generation method for product port protection according to an embodiment of the present disclosure;
Fig. 2 is a flow chart of the process of generating the first encryption/decryption key pair used for the generation of the root key according to an embodiment of the present disclosure;
Fig. 3 is a flow chart of the decryption process of the root key according to an embodiment of the present disclosure;
Fig. 4 is a flow chart of the process of generating the second encryption/decryption key pair used for the generation of the application key according to an embodiment of the present disclosure;
Fig. 5 is a flow chart of the decryption process of the application key according to an embodiment of the present disclosure;
Fig. 6 is a flow chart of the generation process of the application key according to an embodiment of the present disclosure;
Fig. 7 is a flow chart of the generation process of the key for port protection according to an embodiment of the present disclosure;
Fig. 8 is a flow chart of the hardware-device-based key verification method for product port protection according to an embodiment of the present disclosure;
Fig. 9 is a flow chart of the decryption process of the application key according to an embodiment of the present disclosure;
Figure 10 is a block diagram of the hardware-device-based key generation system for product port protection according to an embodiment of the present disclosure;
Figure 11 is a block diagram of the hardware-device-based key verification system for product port protection according to an embodiment of the present disclosure; and
Figures 12A-12C are flow charts of the hardware-device-based key generation and verification method according to an embodiment of the disclosure.
Specific embodiment
The technical solution in the embodiments of the present disclosure is described below clearly and completely with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the disclosure, not all of them. The components of the embodiments of the present disclosure, as generally described and illustrated in the drawings, can be arranged and designed in a variety of different configurations. Therefore, the following detailed description of the embodiments of the disclosure provided in the drawings is not intended to limit the claimed scope of the disclosure, but merely represents selected embodiments of it. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the disclosure without creative work fall within the scope of protection of the disclosure.
It should also be noted that the same reference numerals and labels denote the same elements in the following drawings; therefore, once an item is defined in one drawing, it need not be further defined and explained in subsequent drawings. Meanwhile, in the description of the present disclosure, the terms "first", "second" and the like are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.
The present disclosure proposes a hardware-device-based key generation and verification method and system for product port protection, where, for example, the port of the product may be a debug port. It is to be understood, however, that the port of the product is not limited to a debug port.
Fig. 1 is a flow chart of the hardware-device-based key generation method for product port protection according to an embodiment of the present disclosure.
As shown in Fig. 1, the key generation method for product port protection of the disclosure uses three secure hardware devices: a first hardware device, a second hardware device and a third hardware device. The key generation method includes the generation and storage of the root key (S11), the generation and storage of the application key (S12), and the generation of the key for port protection (S13).
During the generation and storage of the root key (S11), at step S110 the root key is generated by the first hardware device, which is a manufacturer-authorized hardware device connected to the production-line controller. At step S111, the first hardware device encrypts the root key with the public key of the first encryption/decryption key pair. At step S112, the first hardware device writes the encrypted root key into the configuration file of the authorized second hardware device connected to the production-line controller.
During the generation and storage of the application key (S12), at step S120 the authorized second hardware device connected to the production-line controller reads the encrypted root key from its configuration file. At step S121, the second hardware device decrypts the encrypted root key with the private key of the first encryption/decryption key pair. At step S122, the second hardware device uses the national cryptographic algorithm with the root key and with the product identifier as the dispersion factor to generate the application key. At step S123, the second hardware device encrypts the application key with the public key of the second encryption/decryption key pair. At step S124, the second hardware device writes the encrypted application key into the configuration file of the authorized third hardware device connected to the production-line controller.
During the generation of the key for port protection (S13), at step S130 the authorized third hardware device connected to the production-line controller reads the encrypted application key from its configuration file. At step S131, the third hardware device decrypts the encrypted application key with the private key of the second encryption/decryption key pair. At step S132, the third hardware device uses the national cryptographic algorithm with the application key and with the product identifier as the dispersion factor to generate the key for port protection.
The key generation method for port protection described above with reference to Fig. 1 is carried out before the product leaves the factory. Generating the key that protects the product port by means of hardware devices ensures that the generation of the root key, the application key and the key for port protection is secure and confidential.
In one embodiment, the key for port protection generated at step S132 is written by the production-line controller into the protected area of the product.
In one embodiment, in addition, before step S11 starts it may first be verified whether the authorized first and second hardware devices are connected to the production-line controller.
In one embodiment, in addition, before step S12 starts it may first be verified whether the authorized second and third hardware devices are connected to the production-line controller.
In one embodiment, in addition, before step S13 starts it may first be verified whether the authorized third hardware device is connected to the production-line controller.
The above connection types may include Universal Serial Bus (USB), local area network (LAN), Peripheral Component Interconnect Express (PCIE), and so on.
In an embodiment of the disclosure, during the storage of the root key, the encrypted root key may also be written into the configuration file of the first hardware device as a backup of the root key.
In an embodiment of the disclosure, in addition, during the storage of the application key, a message authentication code (MAC) value may be saved together with the encrypted application key in the configuration file of the third hardware device, in order to verify the integrity of the application key, prevent the key from being tampered with and guarantee its security.
Fig. 2 is a flow chart of the process of generating the first encryption/decryption key pair used for the generation of the root key according to an embodiment of the present disclosure.
Since the first and second hardware devices cannot generate internally the first encryption/decryption key pair used to encrypt the root key, it must be generated outside the hardware devices and then imported into them. As shown in Fig. 2, at step S210, the authorized first hardware device and second hardware device connected to the production-line controller each generate a first signature key pair; at step S211, the first and second hardware devices each encrypt a first session key with the public key of the first signature key pair; at step S212, the encrypted first session key is exported from the first hardware device and from the second hardware device respectively; at step S213, the first and second hardware devices each encrypt the first encryption/decryption key pair with the encrypted first session key; then, at step S214, the encrypted first encryption/decryption key pair is imported into the first and second hardware devices; and at step S215, the first and second hardware devices each decrypt, inside the device, the encrypted first encryption/decryption key pair imported at step S214.
In this embodiment, the first signature key pair and the first encryption/decryption key pair are both asymmetric key pairs; compared with symmetric keys, this protects the first session key and the root key very well. Moreover, the first encryption/decryption key pair used to encrypt or decrypt the root key is stored in the first and second hardware devices, i.e. the root key can only be encrypted or decrypted inside the first or second hardware device, which protects the root key from external attack.
Fig. 3 is a flow chart of the decryption process S121 of the root key according to an embodiment of the present disclosure.
As shown in Fig. 3, at step S3210 the production-line controller imports the encrypted root key into the key container of the second hardware device and a first key handle is returned; and at step S3211, the second hardware device, based on the first key handle, decrypts the encrypted root key with the private key of the first encryption/decryption key pair. The root key is thus obtained in the second hardware device for the subsequent generation of the application key.
In this embodiment, the private key of the first encryption/decryption key pair is stored only in the hardware device and cannot be exported; correspondingly, the decryption of the root key is executed only inside the hardware device, and the root key is decrypted by reference to a key handle rather than to the key itself, so tool developers and users cannot obtain the plaintext of the root key, which protects the root key well.
Fig. 4 is a flow chart of the process of generating the second encryption/decryption key pair used for the generation of the application key according to an embodiment of the present disclosure.
Since the second and third hardware devices cannot generate internally the second encryption/decryption key pair used to encrypt the application key, it must be generated outside the hardware devices and then imported into them. As shown in Fig. 4, at step S420, the third hardware device connected to the production-line controller generates a second signature key pair; at step S421, the third hardware device encrypts a second session key with the public key of the second signature key pair; at step S422, the encrypted second session key is exported from the third hardware device; at step S423, the third hardware device encrypts the second encryption/decryption key pair with the encrypted second session key; and at step S424, the encrypted second encryption/decryption key pair is imported into the second and third hardware devices. Then, at step S425, the second and third hardware devices each decrypt, inside the device, the encrypted second encryption/decryption key pair imported at step S424.
In this embodiment, the second signature key pair and the second encryption/decryption key pair are both asymmetric key pairs; compared with symmetric keys, this protects the second session key and the application key very well. Moreover, the second encryption/decryption key pair used to encrypt or decrypt the application key is stored in the second and third hardware devices, i.e. the application key can only be encrypted or decrypted inside the second or third hardware device, which protects the application key from external attack.
Fig. 5 is a flow chart of the decryption process S131 of the application key according to an embodiment of the present disclosure.
As shown in Fig. 5, at step S5310 the production-line controller imports the encrypted application key into the key container of the third hardware device and a second key handle is returned; and at step S5311, the third hardware device, based on the second key handle, decrypts the encrypted application key with the private key of the second encryption/decryption key pair. The application key is thus obtained in the third hardware device for the subsequent generation of the key for port protection.
In this embodiment, the private key of the second encryption/decryption key pair is stored only in the hardware device and cannot be exported; correspondingly, the decryption of the application key is executed only inside the hardware device, and the application key is decrypted by reference to a key handle rather than to the key itself, which protects the security of the application key well.
Fig. 6 is a flow chart of the generation process S122 of the application key according to an embodiment of the present disclosure.
As shown in Fig. 6, at step S6220, the second hardware device uses the national cryptographic algorithm with the root key and with the product identifier as the dispersion factor to generate a third session key; and at step S6221, a digest operation is performed on the third session key to generate the application key.
In this embodiment, the national cryptographic algorithm is executed by the national cryptographic algorithm module built into the second hardware device, so this hardware-device-based key generation method secures the generation of the application key. In addition, generating the application key by a digest operation means that, regardless of the length of the input third session key, the length of the computed application key is always fixed, and the resulting application key is closely tied to the corresponding input third session key, which gives a strong guarantee of the integrity of the key data. On the other hand, the digest operation is irreversible, i.e. the computation cannot be run backwards from the computed application key to obtain the session key and then the root key; this ensures the independence of the root key and the application key. Therefore, for a user, the root key and the application key can only be obtained through the authorized hardware devices that are used.
In one embodiment, the national cryptographic algorithm may be the SM4 algorithm.
In one embodiment, the product identifier may be the product ID number.
In one embodiment, in addition, the second hardware device may delete the application key it generated, so that the application key is stored only in the authorized third hardware device, further ensuring the security of the application key.
Fig. 7 is a flow chart of the generation process S132 of the key for port protection according to an embodiment of the present disclosure.
As shown in Fig. 7, at step S7320, the third hardware device uses the national cryptographic algorithm with the application key and with the product identifier as the dispersion factor to generate key source data; and at step S7321, an inverse transform is performed on the key source data to generate the key for port protection.
In this embodiment, the national cryptographic algorithm is executed by the national cryptographic algorithm module built into the third hardware device, so this hardware-device-based key generation method secures the generation of the key for port protection.
In an embodiment of the disclosure, performing the inverse transform on the key source data to generate the key for port protection includes cyclically shifting the key source data by N and XORing the left 2N bytes with the right 2N bytes M times to generate the key for port protection, where N is a positive integer and M is a positive integer.
In an embodiment of the disclosure, the national cryptographic algorithm may be the SM4 algorithm.
In an embodiment of the disclosure, the product identifier may be the product ID number.
Fig. 8 is a flow chart of the hardware-device-based key verification method for product port protection according to an embodiment of the present disclosure.
As shown in Fig. 8, the key verification method for product port protection of the disclosure requires the third hardware device. The key verification method includes the generation of the key for port protection (S80) and the verification of this key for port protection (S81).
During the generation of the key for port protection (S80), the third hardware device connected to the production-line controller reads the encrypted application key from its configuration file at step S800; decrypts the encrypted application key at step S801 to obtain the application key; uses the national cryptographic algorithm at step S802 with the application key and with the product identifier as the dispersion factor to generate key source data; and performs the inverse transform on the key source data at step S803 to generate the key for port protection.
During the verification of the key for port protection (S81), the production-line controller compares the generated key for port protection with the key for port protection saved in the protected area of the product in order to verify the port.
If verification succeeds, the port is opened and can be used as needed for location tracking, debugging and other practical purposes; if verification fails, the port is not opened, so that the port is protected from being cracked or attacked from outside.
In an embodiment of the disclosure, in addition, before step S80 starts it may first be verified whether the third hardware device is connected to the production-line controller, where the connection type may include Universal Serial Bus (USB), local area network (LAN), Peripheral Component Interconnect Express (PCIE), and so on.
In an embodiment of the disclosure, performing the inverse transform on the key source data to generate the key for port protection includes cyclically shifting the key source data by N and XORing the left 2N bytes with the right 2N bytes M times to generate the key for port protection, where N is a positive integer and M is a positive integer.
In one embodiment, the national cryptographic algorithm may be the SM4 algorithm.
In one embodiment, the product identifier may be the product ID number.
In one embodiment, the product identifier may be read from the eFuse of the product.
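The following is an added software model of the key hierarchy and verification flow described for Fig. 1, Fig. 6, Fig. 7 and Fig. 8 (root key to application key to key source data to port-protection key, then comparison against the value stored in the product's protected area), together with the MAC over the stored application key mentioned for the third device's configuration file. It is example code, not the patent's or the assignee's implementation, and it rests on stated assumptions: the hardware SM4 module is replaced by HMAC-SHA256 used as a keyed function of the dispersion factor, the unspecified "digest operation" is SHA-256, the inverse transform is read as "cyclic left shift by N bytes, then XOR the left 2N bytes with the right 2N bytes, repeated M times", and the public-key wrapping of keys between devices is left out. All sample values are constructed.

```python
"""Model of the port-protection key chain (added example; assumptions noted inline)."""
import hashlib
import hmac
import secrets


def keyed_prf(key: bytes, dispersion_factor: bytes) -> bytes:
    # Stand-in for the hardware national-cryptographic (SM4) module: a keyed
    # one-way function of the dispersion factor. HMAC-SHA256 is an assumption.
    return hmac.new(key, dispersion_factor, hashlib.sha256).digest()


def derive_application_key(root_key: bytes, product_id: bytes) -> bytes:
    # Fig. 6: third session key from (root key, product id), then a digest so the
    # application key has fixed length and cannot be run backwards to the root key.
    third_session_key = keyed_prf(root_key, product_id)
    return hashlib.sha256(third_session_key).digest()  # SHA-256 is an assumption


def derive_key_source(application_key: bytes, product_id: bytes) -> bytes:
    # Fig. 7 step S7320: key source data from (application key, product id).
    return keyed_prf(application_key, product_id)


def inverse_transform(key_source: bytes, n: int, m: int) -> bytes:
    # Fig. 7 step S7321 under the interpretation stated in the lead-in.
    # N and M are positive integers; 2N may not exceed the data length.
    if n <= 0 or m <= 0 or 2 * n > len(key_source):
        raise ValueError("N and M must be positive and 2N <= len(key_source)")
    data = bytearray(key_source)
    for _ in range(m):
        data = data[n:] + data[:n]                 # cyclic left shift by N bytes
        left, right = data[:2 * n], data[-2 * n:]  # leftmost and rightmost 2N bytes
        data[:2 * n] = bytes(a ^ b for a, b in zip(left, right))
    return bytes(data)


def generate_port_key(root_key: bytes, product_id: bytes, n: int = 4, m: int = 3) -> bytes:
    # The full chain run on the production line before the product ships (Fig. 1).
    app_key = derive_application_key(root_key, product_id)
    return inverse_transform(derive_key_source(app_key, product_id), n, m)


def seal_application_key(app_key_blob: bytes, mac_key: bytes):
    # Store a MAC beside the (externally encrypted) application key blob so that
    # tampering with the configuration file is detected when it is loaded.
    return app_key_blob, hmac.new(mac_key, app_key_blob, hashlib.sha256).digest()


def load_application_key(app_key_blob: bytes, tag: bytes, mac_key: bytes) -> bytes:
    expected = hmac.new(mac_key, app_key_blob, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("application key blob failed integrity check")
    return app_key_blob


def verify_port(stored_port_key: bytes, app_key: bytes, product_id: bytes,
                n: int = 4, m: int = 3) -> bool:
    # Fig. 8: the third device regenerates the key from the application key and
    # product id; the controller compares it with the key in the protected area.
    # compare_digest avoids leaking the position of the first mismatching byte.
    regenerated = inverse_transform(derive_key_source(app_key, product_id), n, m)
    return hmac.compare_digest(regenerated, stored_port_key)


if __name__ == "__main__":
    root = secrets.token_bytes(16)           # constructed root key
    product_id = b"PRODUCT-SN-000001"        # constructed product identifier
    port_key = generate_port_key(root, product_id)
    app_key = derive_application_key(root, product_id)
    print("genuine product  :", verify_port(port_key, app_key, product_id))
    print("wrong product id :", verify_port(port_key, app_key, b"PRODUCT-SN-000002"))
```

Because the product identifier enters both derivation steps as the dispersion factor, a port key copied from one unit does not verify on a unit with a different identifier, which is the property the per-product key is meant to give; the length check in inverse_transform rejects N values for which the "left 2N / right 2N" slices are undefined.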
Fig. 9 is a flow chart of the decryption process S802 of the application key according to an embodiment of the present disclosure.
As shown in Fig. 9, in the decryption process of the application key, at step S9020 the production-line controller imports the encrypted application key into the key container of the third hardware device and a key handle is returned; and at step S9021, the third hardware device, based on the key handle, decrypts the encrypted application key with the private key of the encryption/decryption key pair. The application key is thus obtained in the third hardware device for the subsequent generation of the key for port protection.
In this embodiment, the private key of the encryption/decryption key pair is stored in the hardware device and cannot be exported; if the hardware device is unauthorized, it cannot obtain the correct application key and therefore cannot pass the verification process, which protects the security of the product port well.
Fig. 10 is a schematic diagram of a hardware-device-based system for generating the port-protection key of a product according to an embodiment of the present disclosure.
As shown in Fig. 10, the system for generating the port-protection key of a product includes a production-line controller 100 and an authorized first hardware device 101, second hardware device 102 and third hardware device 103. The second hardware device 102 includes a national cryptographic algorithm module 1020, a key container 1021 and a base file 1022; the third hardware device 103 includes a national cryptographic algorithm module 1030, a key container 1031 and a base file 1032.
According to an embodiment of the present disclosure, during the generation and storage of the root key, the authorized first hardware device 101 connected to the production-line controller is configured to: generate the root key, encrypt the root key with the public key of the first encryption/decryption key pair, and write the encrypted root key into the base file of the authorized second hardware device 102 connected to the production-line controller.
According to an embodiment of the present disclosure, during the generation and storage of the application key, the authorized second hardware device 102 connected to the production-line controller is configured to: read the encrypted root key from its base file 1022, decrypt the encrypted root key with the private key of the first encryption/decryption key pair, generate the application key using the national cryptographic algorithm with the root key and the product identification as the dispersion factor, encrypt the application key with the public key of the second encryption/decryption key pair, and write the encrypted application key into the base file 1032 of the authorized third hardware device 103 connected to the production-line controller.
According to an embodiment of the present disclosure, during the generation of the port-protection key, the authorized third hardware device 103 connected to the production-line controller is configured to: read the encrypted application key from its base file 1032, decrypt the encrypted application key with the private key of the second encryption/decryption key pair, and generate the port-protection key using the national cryptographic algorithm with the application key and the product identification as the dispersion factor.
In the above hardware-device-based system for generating the port-protection key of a product, the first to third hardware devices ensure that the root key, the application key and the generation of the port-protection key are secure and confidential.
In one embodiment, the production-line controller 100 is configured to write the generated port-protection key into the protected field of the product. The writing of the port-protection key is completed before the product leaves the factory.
In one embodiment, before the root key generation and storage process starts, it may additionally be verified whether the authorized first and second hardware devices 101 and 102 are connected to the production-line controller 100.
In one embodiment, before the application key generation and storage process starts, it may additionally be verified whether the authorized second and third hardware devices 102 and 103 are connected to the production-line controller 100.
In one embodiment, before the port-protection key generation process starts, it may additionally be verified whether the authorized third hardware device 103 is connected to the production-line controller 100.
The connection type may include Universal Serial Bus (USB), local area network (LAN), Peripheral Component Interconnect Express (PCIe), etc.
In an embodiment of the disclosure, during the storage of the root key, the encrypted root key may also be written into the base file of the first hardware device 101 as a backup of the root key.
In an embodiment of the disclosure, during the storage of the application key, a message authentication code (MAC) value may additionally be stored together with the encrypted application key in the base file 1032 of the third hardware device 103, in order to verify the integrity of the application key, prevent the key from being tampered with and guarantee its security.
According to an embodiment of the present disclosure, the authorized first hardware device 101 and second hardware device 102 may be used to generate the first encryption/decryption key pair. The first encryption/decryption key pair is used to encrypt or decrypt the root key inside a hardware device.
In an embodiment, the first hardware device 101 and the second hardware device 102 are configured to generate a first signature key pair, encrypt a first session key with the public key of the first signature key pair, and export the encrypted first session key from the first hardware device 101 and the second hardware device 102 respectively; the first hardware device 101 and the second hardware device 102 are further configured to encrypt the first encryption/decryption key pair using the encrypted first session key and to import the encrypted first encryption/decryption key pair into the first hardware device 101 and the second hardware device 102; and the first hardware device 101 and the second hardware device 102 are further configured to decrypt the encrypted first encryption/decryption key pair to obtain the first encryption/decryption key pair.
In this embodiment, the first signature key pair and the first encryption/decryption key pair are both asymmetric key pairs, which, compared with symmetric keys, protects the security of the first session key and the root key well. Moreover, the first encryption/decryption key pair used to encrypt or decrypt the root key is stored in the first and second hardware devices, i.e. the root key can only be encrypted or decrypted inside the first or second hardware device, which protects the root key from external attack.
According to an embodiment of the present disclosure, the authorized second hardware device 102 and the production-line controller 100 may be used for the root key decryption process. The production-line controller 100 is configured to import the encrypted root key into the key container 1021 of the second hardware device 102 and return a first key handle; the second hardware device 102 is configured to decrypt the encrypted root key based on the first key handle, using the private key of the first encryption/decryption key pair. The root key is thereby obtained inside the second hardware device 102 for the subsequent generation of the application key.
In this embodiment, the private key of the first encryption/decryption key pair is stored only in the hardware device and cannot be exported, the corresponding root key decryption process is executed only inside the hardware device, and the root key is decrypted by reference to a key handle rather than the key itself. Tool developers and users therefore cannot obtain the plaintext of the root key, which protects the root key well.
According to an embodiment of the present disclosure, the authorized second hardware device 102 and third hardware device 103 may be used to generate the second encryption/decryption key pair. The second encryption/decryption key pair is used to encrypt or decrypt the application key inside a hardware device.
In an embodiment, the third hardware device 103 connected to the production-line controller 100 is configured to: generate a second signature key pair; encrypt a second session key with the public key of the second signature key pair; export the encrypted second session key from the third hardware device 103; encrypt the second encryption/decryption key pair using the encrypted second session key; and import the encrypted second encryption/decryption key pair into the second hardware device 102 and the third hardware device 103. The second hardware device 102 and the third hardware device 103 may then each be configured to decrypt the encrypted second encryption/decryption key pair previously imported into them to obtain the second encryption/decryption key pair.
In this embodiment, the second signature key pair and the second encryption/decryption key pair are both asymmetric key pairs, which, compared with symmetric keys, protects the security of the second session key and the application key well. Moreover, the second encryption/decryption key pair used to encrypt or decrypt the application key is stored in the second and third hardware devices, i.e. the application key can only be encrypted or decrypted inside the second or third hardware device, which protects the application key from external attack.
According to an embodiment of the present disclosure, the authorized third hardware device 103 and the production-line controller 100 may be used for the application key decryption process. The production-line controller is configured to import the encrypted application key into the key container 1031 of the third hardware device 103 and return a second key handle; the third hardware device 103 is configured to decrypt the encrypted application key based on the second key handle, using the private key of the second encryption/decryption key pair. The application key is thereby obtained inside the third hardware device 103 for the subsequent generation of the port-protection key.
In this embodiment, the private key of the second encryption/decryption key pair is stored only in the hardware device and cannot be exported, the corresponding application key decryption process is executed only inside the hardware device, and the application key is decrypted by reference to a key handle rather than the key itself, which protects the security of the application key well.
According to an embodiment of the present disclosure, the authorized second hardware device 102 connected to the production-line controller 100 may be used for the application key generation process, where the second hardware device 102 is configured to generate a third session key using the national cryptographic algorithm with the root key and the product identification as the dispersion factor, and then to perform a digest operation on the third session key to generate the application key.
In this embodiment, the national cryptographic algorithm is executed by the national cryptographic algorithm module 1020 built into the second hardware device 102, so this hardware-device-based key generation system secures the generation process of the application key. In addition, because the application key is produced by a digest operation, the length of the resulting application key is always fixed regardless of the length of the input third session key, and the application key obtained is closely tied to the third session key from which it was computed, which provides a sound guarantee of the integrity of the key data. On the other hand, the digest operation is irreversible, i.e. the computed application key cannot be operated on in reverse to recover the session key and hence the root key; this ensures the independence of the root key and the application key, so that a user can obtain the root key or the application key only through the authorized hardware device that is used.
In an embodiment of the disclosure, the national cryptographic algorithm may be the SM4 algorithm.
In an embodiment of the disclosure, the product identification may be a product ID number.
In an embodiment of the disclosure, the second hardware device 102 may delete the application key it generated, so that the application key is stored only in the authorized third hardware device 103, further ensuring the security of the application key.
According to an embodiment of the present disclosure, the authorized third hardware device 103 connected to the production-line controller 100 may be used for the generation process of the port-protection key, where the third device 103 is configured to generate key source data using the national cryptographic algorithm with the application key and the product identification as the dispersion factor, and to apply the inverse transform to the key source data to generate the port-protection key.
In this embodiment, the national cryptographic algorithm is executed by the national cryptographic algorithm module 1030 built into the third hardware device 103, so this hardware-device-based key generation system secures the generation process of the port-protection key.
In an embodiment of the disclosure, applying the inverse transform to the key source data to generate the port-protection key includes circularly shifting the key source data by N bytes and XORing the left 2N bytes with the right 2N bytes M times to generate the port-protection key, where N and M are positive integers.
In an embodiment of the disclosure, the national cryptographic algorithm is the SM4 algorithm.
In an embodiment of the disclosure, the product identification may be a product ID number.
Fig. 11 is a schematic diagram of a hardware-device-based system for verifying the port-protection key of a product according to an embodiment of the present disclosure.
As shown in Fig. 11, the system for verifying the port-protection key of a product includes a production-line controller 110, a third hardware device 113 and a product 114, where the third hardware device includes a national cryptographic algorithm module 1130, a key container 1131 and a base file 1132.
According to an embodiment of the present disclosure, the third hardware device 113 may be used in the generation process of the port-protection key, where the third hardware device 113 connected to the production-line controller 110 is configured to: read the encrypted application key from its base file 1132; decrypt the encrypted application key to obtain the application key; generate key source data using the national cryptographic algorithm with the application key and the product identification as the dispersion factor; and apply the inverse transform to the key source data to generate the port-protection key.
During the verification of the port-protection key, the production-line controller 110 is configured to compare the generated port-protection key with the port-protection key stored in the protected field of the product in order to verify the port.
If verification succeeds, the port is opened and can be used as needed for practical purposes such as location tracking or debugging; if verification fails, the port is not opened, so that the port is protected from being cracked or attacked from outside.
In this embodiment, the national cryptographic algorithm is executed by the national cryptographic algorithm module 1130 built into the third hardware device 113, so this hardware-device-based key generation system secures the generation process of the port-protection key.
In an embodiment of the disclosure, before the key verification process starts it may additionally be verified whether the third hardware device 113 is connected to the production-line controller 110, where the connection type may include Universal Serial Bus (USB), local area network (LAN), Peripheral Component Interconnect Express (PCIe), etc.
In an embodiment of the disclosure, applying the inverse transform to the key source data to generate the port-protection key includes circularly shifting the key source data by N bytes and XORing the left 2N bytes with the right 2N bytes M times to generate the port-protection key, where N and M are positive integers.
In an embodiment of the disclosure, the national cryptographic algorithm may be the SM4 algorithm.
In an embodiment of the disclosure, the product identification may be a product ID number.
In an embodiment of the disclosure, the product identification may be read from the eFuse of the product.
According to an embodiment of the present disclosure, the third hardware device 113 and the production-line controller 110 may be used for the application key decryption process. The production-line controller is configured to import the encrypted application key into the key container 1131 of the third hardware device 113 and return a key handle; the third hardware device 113 is configured to decrypt the encrypted application key based on the key handle, using the private key of the encryption/decryption key pair. The application key is thereby obtained inside the third hardware device 113 for the subsequent generation of the port-protection key.
In this embodiment, the private key of the encryption/decryption key pair is stored only in the hardware device and cannot be exported. If the hardware device is not authorized, the correct application key cannot be obtained and the verification process cannot be passed, so the security of the product port is well protected.
Figs. 12A-12C are flow charts of the hardware-device-based key generation and verification method according to an embodiment of the disclosure. As shown in Figs. 12A-12C, the scheme uses three secure hardware devices in total: the first hardware device, the second hardware device and the third hardware device. The scheme is divided into three parts: generation of the root key, generation of the application key, and generation and verification of the port-protection key.
Fig. 12A shows the root key generation process according to an embodiment of the present disclosure.
The root key generation process uses the first hardware device and the second hardware device together with the public/private key protection mechanism of an asymmetric algorithm; the second hardware device is used to generate the application key, and the first hardware device is placed in a safe as a backup. The root key generation process is fully transparent to the user: neither tool developers nor users can obtain the plaintext of the root key, which can only be decrypted inside a hardware device. This ensures that the generation of the root key is completely secure and confidential. The root key generation process is explained in detail below.
(1) First determine whether the first hardware device and the second hardware device are plugged into the production-line controller;
(2) Generate the first signature key pair using the first hardware device and the second hardware device;
(3) The first hardware device and the second hardware device each encrypt the first session key with the public key of the first signature key pair generated in (2);
(4) Export the encrypted first session key from the first and second hardware devices;
(5) The first hardware device and the second hardware device each encrypt the first encryption/decryption key pair with the encrypted first session key exported in (4);
(6) Import the encrypted first encryption/decryption key pair into the first and second hardware devices;
(7) The first hardware device generates the root key;
(8) The first hardware device encrypts the root key with the public key of the first encryption/decryption key pair imported in (6);
(9) Write the encrypted root key into the base file of the second hardware device; and
(10) Write the encrypted root key into the base file of the first hardware device.
Fig. 12B shows the application key generation process according to an embodiment of the present disclosure.
In the application key generation process, the application key is generated by dispersion from the root key and the product ID number using the SM4 algorithm. The generation process is described in detail below:
(1) First determine whether the second hardware device and the third hardware device are plugged into the production-line controller;
(2) Generate the second signature key pair using the third hardware device;
(3) The third hardware device encrypts the second session key with the public key of the second signature key pair generated in (2);
(4) Export the encrypted second session key from the third hardware device;
(5) The third hardware device encrypts the second encryption/decryption key pair with the encrypted second session key exported in (4);
(6) Import the encrypted second encryption/decryption key pair into the third hardware device;
(7) Read the encrypted root key from the base file of the second hardware device;
(8) Import the encrypted root key into the key container of the second hardware device and return the first key handle;
(9) The second hardware device generates the third session key using the SM4 algorithm with the root key and the product ID as the dispersion factor;
(10) The second hardware device performs a digest operation on the third session key generated in (9) to obtain the application key;
(11) Encrypt the application key with the public key of the second encryption/decryption key pair;
(12) Store the application key encrypted in (11), together with a message authentication code (MAC) value, in the base file of the third hardware device; and
(13) The second hardware device deletes the application key it generated.
Fig. 12C shows the generation and verification process of the port-protection key according to an embodiment of the present disclosure.
In the generation and verification process of the port-protection key, the port-protection key is generated by dispersion using the SM4 algorithm from the application key and the chip ID number that is read from the chip. The generation process is described in detail below:
(1) First detect whether the third hardware device is plugged into the production-line controller of the production line;
(2) Read the encrypted application key from the base file of the third hardware device;
(3) Import the encrypted application key into the key container and return the second key handle;
(4) Read the chip ID number from the eFuse of the chip;
(5) Using the application key from (3) and the chip ID read in (4) as the dispersion factor, generate the key source data (32 bytes) with the SM4 algorithm in the third hardware device;
(6) Circularly shift the key source data for the port-protection key right by 8 bytes, then XOR the left 16 bytes with the right 16 bytes once, finally obtaining the port-protection key; the number of bytes shifted and the number of XOR operations depend on the production-line policy;
(7) Write the port-protection key into the protected field of the chip.
In the verification process for the port-protection key, the preceding steps (1) to (6) are identical; in step (7), instead of writing, the generated port-protection key is compared with the port-protection key stored in the protected field, and if verification succeeds the debug port can be reopened.
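The derivation chain of Figs. 12B and 12C, the inverse transform of step (6), the MAC stored beside the application key in step (12) of Fig. 12B, and the port verification, worked through as an added Python example; this is not code from the patent or from the applicant. Assumptions, all mine: the standard library has no SM4, so HMAC-SHA256 keyed with the parent key and fed the dispersion factor stands in for the SM4 dispersion, and SHA-256 is the digest of step (10); the public-key wrapping of the application key between devices and the hardware key containers are left out, so the "base file" record is simply the application key bytes plus a MAC under a constructed device MAC key; the dispersion factor is treated as a product ID at the application-key level and as the per-chip eFuse ID at the port-key level, which the text leaves open; the sample keys and IDs are constructed; and the rejection of an even M is my check, not the patent's (it allows any positive M).

```python
import hashlib
import hmac

# Constructed sample values (not from the patent): a 16-byte root key, a
# product ID, two eFuse chip IDs, and a MAC key assumed to be held by the
# third hardware device for protecting its base file.
ROOT_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PRODUCT_ID = b"product-model-01"
CHIP_ID_A = bytes.fromhex("0011223344556677")
CHIP_ID_B = bytes.fromhex("0011223344556678")   # differs in the last byte only
BASE_FILE_MAC_KEY = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")

def disperse(parent_key: bytes, factor: bytes) -> bytes:
    """Key dispersion: a 32-byte child key from parent_key and a dispersion
    factor. HMAC-SHA256 stands in for the SM4-based dispersion of the text."""
    return hmac.new(parent_key, factor, hashlib.sha256).digest()

def derive_application_key(root_key: bytes, product_id: bytes) -> bytes:
    """Fig. 12B steps (9)-(10): disperse the root key with the product ID to
    get the third session key, then digest it (SHA-256 assumed). The digest
    is one-way, so the root key is not recoverable from the application key."""
    third_session_key = disperse(root_key, product_id)
    return hashlib.sha256(third_session_key).digest()

def seal_for_base_file(key_blob: bytes, mac_key: bytes) -> bytes:
    """Fig. 12B step (12): store the application key blob with a MAC so the
    base file can be checked for tampering before the key is used."""
    tag = hmac.new(mac_key, key_blob, hashlib.sha256).digest()
    return key_blob + tag

def open_from_base_file(record: bytes, mac_key: bytes) -> bytes:
    """Recompute the MAC over the stored blob in constant time; refuse a
    record whose tag does not match."""
    key_blob, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, key_blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("application key record failed MAC check")
    return key_blob

def inverse_transform(source: bytes, n: int, m: int) -> bytes:
    """Fig. 12C step (6): rotate the key source data right by N bytes, then
    XOR the left 2N bytes with the right 2N bytes M times. The source must be
    exactly 4N bytes so the two halves cover it. Added check: an even M is
    rejected because x ^ y ^ y == x, which leaves the right half with no
    influence on the result."""
    if n <= 0 or m <= 0:
        raise ValueError("N and M must be positive integers")
    if len(source) != 4 * n:
        raise ValueError(f"key source data must be {4 * n} bytes, got {len(source)}")
    if m % 2 == 0:
        raise ValueError("even M cancels the XOR fold; choose an odd M")
    rotated = source[-n:] + source[:-n]            # circular shift right by N bytes
    left, right = rotated[:2 * n], rotated[2 * n:]
    key = left
    for _ in range(m):
        key = bytes(a ^ b for a, b in zip(key, right))
    return key

def derive_port_key(application_key: bytes, chip_id: bytes,
                    n: int = 8, m: int = 1) -> bytes:
    """Fig. 12C steps (5)-(6): disperse the application key with the chip ID
    into 32 bytes of key source data, then fold it. With N=8 the result is
    16 bytes, the size of one SM4 key."""
    return inverse_transform(disperse(application_key, chip_id), n, m)

def verify_port(stored_key: bytes, derived_key: bytes) -> bool:
    """Verification step (7): compare the re-derived key with the one in the
    chip's protected field, in constant time so timing does not reveal how
    many leading bytes matched."""
    return hmac.compare_digest(stored_key, derived_key)

def provision_and_verify() -> dict:
    """Provision chip A, then re-derive on the line: chip A's ID opens the
    port, chip B's ID does not, and a tampered base file record is refused."""
    app_key = derive_application_key(ROOT_KEY, PRODUCT_ID)
    record = seal_for_base_file(app_key, BASE_FILE_MAC_KEY)
    stored_port_key = derive_port_key(app_key, CHIP_ID_A)   # goes to protected field

    app_key_again = open_from_base_file(record, BASE_FILE_MAC_KEY)
    same_chip = derive_port_key(app_key_again, CHIP_ID_A)
    other_chip = derive_port_key(app_key_again, CHIP_ID_B)

    tampered = bytearray(record)
    tampered[0] ^= 0x01                                      # flip one bit of the blob
    try:
        open_from_base_file(bytes(tampered), BASE_FILE_MAC_KEY)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "port_key_len": len(stored_port_key),
        "same_chip_opens": verify_port(stored_port_key, same_chip),
        "other_chip_opens": verify_port(stored_port_key, other_chip),
        "tamper_detected": tamper_detected,
    }

if __name__ == "__main__":
    for name, value in provision_and_verify().items():
        print(f"{name}: {value}")
```

Two points worth noticing when reading the code against the text. First, with the text's values (32-byte source, N=8, M=1) the fold yields exactly 16 bytes, one SM4 key. Second, rotation and XOR are linear operations, so the inverse transform only shortens the key source data; all of the secrecy of the port-protection key comes from the SM4 dispersion that produces the source data and from keeping the application key inside the authorized device.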
In the disclosure, some embodiments have been described above with reference to the accompanying drawings. It should be understood that the embodiments described above are merely illustrative. For example, the flow charts and block diagrams in the drawings show the architecture, functions and operations that may be implemented by the devices, methods and computer program products according to multiple embodiments of the disclosure. In this regard, each box in a flow chart or block diagram may represent a module, a program segment or a part of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions marked in the boxes may occur in an order different from that marked in the drawings. For example, two consecutive boxes may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flow charts, and combinations of boxes in the block diagrams and/or flow charts, may be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the disclosure may be integrated together to form an independent part, each module may exist separately, or two or more modules may be integrated to form an independent part.
If the functions are implemented in the form of software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the disclosure, in essence or in the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute all or part of the steps of the methods of the embodiments of the disclosure. It should be noted that in this document relational terms such as first and third are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing is only a preferred embodiment of the disclosure and is not intended to limit the disclosure; for those skilled in the art, the disclosure may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the disclosure shall be included within the protection scope of the disclosure.
The above is only a specific embodiment of the disclosure, but the protection scope of the disclosure is not limited thereto; any change or replacement that can readily be conceived by those familiar with the art within the technical scope disclosed by the disclosure shall be covered by the protection scope of the disclosure. Therefore, the protection scope of the disclosure shall be subject to the protection scope of the appended claims and their equivalents.

Claims (26)

1. A hardware-device-based key generation method for port protection of a product, the method comprising:
by an authorized first hardware device connected to a production-line controller,
generating a root key,
encrypting the root key with the public key of a first encryption/decryption key pair, and
writing the encrypted root key into the base file of an authorized second hardware device connected to the production-line controller;
by the authorized second hardware device connected to the production-line controller,
reading the encrypted root key from the base file of the second hardware device,
decrypting the encrypted root key with the private key of the first encryption/decryption key pair,
generating an application key using a national cryptographic algorithm with the root key and a product identification as the dispersion factor,
encrypting the application key with the public key of a second encryption/decryption key pair, and
writing the encrypted application key into the base file of an authorized third hardware device connected to the production-line controller;
by the authorized third hardware device connected to the production-line controller,
reading the encrypted application key from the base file of the third hardware device,
decrypting the encrypted application key with the private key of the second encryption/decryption key pair, and
generating a key for port protection using the national cryptographic algorithm with the application key and the product identification as the dispersion factor.
2. The method of claim 1, wherein the method further comprises writing, by the production-line controller, the key for port protection into a protected field of the product.
3. The method of claim 1, wherein the method further comprises:
generating a first signature key pair by the authorized first hardware device and second hardware device connected to the production-line controller, respectively;
encrypting, by each of the first and second hardware devices, a first session key with the public key of the first signature key pair;
exporting, by the first and second hardware devices, the encrypted first session key from the first hardware device and the second hardware device, respectively;
encrypting, by each of the first and second hardware devices, the first encryption/decryption key pair using the encrypted first session key;
importing, by the first and second hardware devices, the encrypted first encryption/decryption key pair into the first and second hardware devices; and
decrypting, by the first and second hardware devices, the encrypted first encryption/decryption key pair to obtain the first encryption/decryption key pair.
4. The method of claim 1, wherein decrypting the encrypted root key with the private key of the first encryption/decryption key pair comprises:
importing, by the production-line controller, the encrypted root key into the key container of the second hardware device and returning a first key handle; and
decrypting, by the second hardware device, the encrypted root key based on the first key handle using the private key of the first encryption/decryption key pair.
5. The method of claim 1, wherein the method further comprises:
generating a second signature key pair by the third hardware device connected to the production-line controller;
encrypting, by the third hardware device, a second session key with the public key of the second signature key pair;
exporting, by the third hardware device, the encrypted second session key from the third hardware device;
encrypting, by the third hardware device, the second encryption/decryption key pair using the encrypted second session key;
importing, by the third hardware device, the encrypted second encryption/decryption key pair into the second and third hardware devices; and
decrypting, by the second and third hardware devices, the encrypted second encryption/decryption key pair to obtain the second encryption/decryption key pair.
6. The method of claim 1, wherein decrypting the encrypted application key with the private key of the second encryption/decryption key pair comprises:
importing, by the production-line controller, the encrypted application key into the key container of the third hardware device and returning a second key handle; and
decrypting, by the third hardware device, the encrypted application key based on the second key handle using the private key of the second encryption/decryption key pair.
7. the method as described in claim 1, wherein using national secret algorithm, using the root key, using product identification as dividing The scattered factor includes: using key to generate
By second hardware device using national secret algorithm, using the root key, using product identification as dispersion factor next life At third session key;And to carry out abstract operation to the third session key described using key to generate.
8. the method as described in claim 1, wherein using national secret algorithm, using the application key, using product identification as Dispersion factor includes: come the key for generating for port protection
By the third hardware device using national secret algorithm, using the application key, using the product identification as disperse because Son generates cipher key source data;And the key that inverse transform generation is used for port protection is carried out to the key source data.
9. method according to claim 8 is used for port protection wherein carrying out inverse transform to the key source data and generating Key include:
The cipher key source datacycle is shifted N, and by left 2N byte and right 2N byte exclusive or M times to be used to hold described in generation The key of mouth protection, wherein N is positive integer, and M is positive integer.
10. the method as described in claim 1, wherein the method also includes: it deletes and is connect by described with producing line controller Authorized second hardware device generated in apply key.
11. A hardware-device-based key verification method for port protection of a product, the method comprising:
by a third hardware device connected to a production line controller,
reading an encrypted application key from the configuration file of the third hardware device,
decrypting the encrypted application key to obtain the application key,
generating key source data using the national cryptographic algorithm, with the application key and the product identification as the dispersion factor, and
performing an inverse transform on the key source data to generate a key for port protection; and
by the production line controller, comparing the generated key for port protection with the key for port protection held in the protected area of the product, in order to verify the port.
12. The method of claim 11, wherein decrypting the encrypted application key to obtain the application key comprises:
importing, by the production line controller, the encrypted application key into the key container of the third hardware device and returning a key handle; and
decrypting, by the third hardware device, the encrypted application key based on the key handle, using the private key of an encryption/decryption key pair, to obtain the application key.
13. The method of claim 11, wherein performing the inverse transform on the key source data to generate the key for port protection comprises: cyclically shifting the key source data by N, and XORing the left 2N bytes with the right 2N bytes M times to generate the key for port protection, where N is a positive integer and M is a positive integer.
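As an added example (not code from the patent or its assignee), the following Python models the port-protection key path of claims 8, 9 and 11: application key and product identification give key source data, the inverse transform gives the port key, and the controller compares it with the key read from the product. The claims do not fix the national cryptographic primitive, the unit of the cyclic shift, or what "XOR M times" means, so the readings taken here are assumptions and are marked as such in the comments.

```python
# Added example for CN109446831A claims 8, 9 and 11; not the patent's own code.
# Assumptions, since the claims leave them open:
#  * the "national cryptographic algorithm" step (SM suite) is not in the
#    Python stdlib, so HMAC-SHA256 keyed with the application key over the
#    product identification (the dispersion factor) stands in for it;
#  * "cyclic shift N" is read as a left rotation by N bytes;
#  * "XOR the left 2N bytes with the right 2N bytes M times" is read as M
#    rounds of (rotate, then replace the left 2N bytes by left XOR right),
#    the final left 2N bytes being the key for port protection.
import hashlib
import hmac


def derive_key_source(app_key: bytes, product_id: bytes) -> bytes:
    """Stand-in for the first step of claim 8: 32 bytes of key source data
    from the application key with the product identification as dispersion
    factor (assumed primitive, see above)."""
    return hmac.new(app_key, product_id, hashlib.sha256).digest()


def inverse_transform(source: bytes, n: int, m: int) -> bytes:
    """Claim 9 transform under the assumptions above; returns 2N bytes."""
    if n <= 0 or m <= 0:
        raise ValueError("N and M must be positive integers")
    if len(source) < 4 * n:
        # the left 2N and right 2N bytes must not overlap: need >= 4N bytes
        raise ValueError("key source data too short for 2N-byte halves")
    data = bytearray(source)
    for _ in range(m):
        data = data[n:] + data[:n]              # cyclic left shift by N bytes
        left, right = data[:2 * n], data[-2 * n:]
        data[:2 * n] = bytes(a ^ b for a, b in zip(left, right))
    return bytes(data[:2 * n])


def generate_port_key(app_key: bytes, product_id: bytes, n: int, m: int) -> bytes:
    """Claims 8 and 9 end to end: what the third hardware device produces."""
    return inverse_transform(derive_key_source(app_key, product_id), n, m)


def verify_port_key(app_key: bytes, product_id: bytes, n: int, m: int,
                    stored_key: bytes) -> bool:
    """Last step of claim 11: regenerate the key and compare it with the key
    read from the product's protected area. compare_digest keeps the comparison
    constant-time (an added hardening choice, not something the claims state)."""
    return hmac.compare_digest(generate_port_key(app_key, product_id, n, m),
                               stored_key)


if __name__ == "__main__":
    # Constructed sample values; on a real line the application key comes from
    # the second hardware device and the product ID from the unit under test.
    app_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    product_id = b"PRODUCT-ID-0001"
    port_key = generate_port_key(app_key, product_id, n=4, m=3)   # 8-byte key
    print(port_key.hex())
    print(verify_port_key(app_key, product_id, 4, 3, port_key))  # True
```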
14. A hardware-device-based key generation system for port protection of a product, the system comprising:
an authorized first hardware device connected to a production line controller, configured to:
generate a root key,
encrypt the root key using the public key of a first encryption/decryption key pair, and
write the encrypted root key into the configuration file of an authorized second hardware device connected to the production line controller;
the authorized second hardware device connected to the production line controller, configured to:
read the encrypted root key from the configuration file of the second hardware device,
decrypt the encrypted root key using the private key of the first encryption/decryption key pair,
generate an application key using the national cryptographic algorithm, with the root key and the product identification as the dispersion factor,
encrypt the application key using the public key of a second encryption/decryption key pair, and
write the encrypted application key into the configuration file of an authorized third hardware device connected to the production line controller;
the authorized third hardware device connected to the production line controller, configured to:
read the encrypted application key from the configuration file of the third hardware device,
decrypt the encrypted application key using the private key of the second encryption/decryption key pair, and
generate a key for port protection using the national cryptographic algorithm, with the application key and the product identification as the dispersion factor.
15. The system of claim 14, further comprising the production line controller, configured to write the key for port protection into the protected area of the product.
16. The system of claim 14, wherein
the first hardware device and the second hardware device are further configured to each generate a first signature key pair, encrypt a first session key using the public key of the first signature key pair, and export the encrypted first session key from the first hardware device and from the second hardware device respectively;
the first hardware device and the second hardware device are further configured to encrypt the first encryption/decryption key pair using the encrypted first session key and to import the encrypted first encryption/decryption key pair into the first and second hardware devices; and
the first hardware device and the second hardware device are further configured to decrypt the encrypted first encryption/decryption key pair to obtain the first encryption/decryption key pair.
17. The system of claim 14, wherein the authorized second hardware device connected to the production line controller being configured to decrypt the encrypted root key using the private key of the first encryption/decryption key pair comprises:
the production line controller importing the encrypted root key into the key container of the second hardware device and returning a first key handle; and the second hardware device decrypting the encrypted root key based on the first key handle, using the private key of the first encryption/decryption key pair.
18. The system of claim 14, wherein
the third hardware device is further configured to generate a second signature key pair, encrypt a second session key using the public key of the second signature key pair, and export the encrypted second session key from the third hardware device;
the third hardware device is further configured to encrypt the second encryption/decryption key pair using the encrypted second session key and to import the encrypted second encryption/decryption key pair into the second and third hardware devices; and
the second and third hardware devices are further configured to decrypt the encrypted second encryption/decryption key pair to obtain the second encryption/decryption key pair.
19. The system of claim 14, wherein the authorized third hardware device connected to the production line controller being configured to decrypt the encrypted application key using the private key of the second encryption/decryption key pair comprises:
the production line controller importing the encrypted application key into the key container of the third hardware device and returning a second key handle; and the third hardware device decrypting the encrypted application key based on the second key handle, using the private key of the second encryption/decryption key pair.
20. The system of claim 14, wherein the second hardware device is configured to: generate a third session key using the national cryptographic algorithm, with the root key and the product identification as the dispersion factor; and perform a digest operation on the third session key to generate the application key.
21. The system of claim 15, wherein the third hardware device is configured to: generate key source data using the national cryptographic algorithm, with the application key and the product identification as the dispersion factor; and perform an inverse transform on the key source data to generate the key for port protection.
22. The system of claim 21, wherein the third hardware device is configured to: cyclically shift the key source data by N, and XOR the left 2N bytes with the right 2N bytes M times to generate the key for port protection, where N is a positive integer and M is a positive integer.
23. The system of claim 14, wherein the authorized second hardware device connected to the production line controller is further configured to delete the application key it generated.
24. A hardware-device-based key verification system for port protection of a product, the system comprising:
a third hardware device connected to a production line controller, configured to:
read an encrypted application key from the configuration file of the third hardware device,
decrypt the encrypted application key to obtain the application key,
generate key source data using the national cryptographic algorithm, with the application key and the product identification as the dispersion factor, and perform an inverse transform on the key source data to generate a key for port protection; and
the production line controller, configured to compare the generated key for port protection with the key for port protection held in the protected area of the product, in order to verify the port.
25. The system of claim 24, wherein the third hardware device connected to the production line controller being configured to decrypt the encrypted application key to obtain the application key comprises:
the production line controller importing the encrypted application key into the key container of the third hardware device and returning a key handle; and the third hardware device decrypting the encrypted application key based on the key handle, using the private key of an encryption/decryption key pair, to obtain the application key.
26. The system of claim 24, wherein the third hardware device is configured to: cyclically shift the key source data by N, and XOR the left 2N bytes with the right 2N bytes M times to generate the key for port protection, where N is a positive integer and M is a positive integer.
CN201811602380.0A 2018-12-26 2018-12-26 Key generation and verification method and system based on hardware device Active CN109446831B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811602380.0A CN109446831B (en) 2018-12-26 2018-12-26 Key generation and verification method and system based on hardware device

Publications (2)

Publication Number Publication Date
CN109446831A true CN109446831A (en) 2019-03-08
CN109446831B CN109446831B (en) 2024-06-25

Family

ID=65537504

Country Status (1)

Country Link
CN (1) CN109446831B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110932853A (en) * 2019-12-06 2020-03-27 深圳市纽创信安科技开发有限公司 Key management device and key management method based on trusted module
CN114285554A (en) * 2021-12-15 2022-04-05 廊坊市新奥能源有限公司 Key generation method and device based on equipment identification and computer readable medium
CN115408675A (en) * 2022-11-01 2022-11-29 湖北芯擎科技有限公司 Method, device, equipment and storage medium for generating eFuse Key
CN116711008A (en) * 2021-01-12 2023-09-05 高通股份有限公司 Protected data flow between memories

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050193220A1 (en) * 2004-02-05 2005-09-01 Research In Motion Limited Debugging port security interface
US20060161775A1 (en) * 2004-12-30 2006-07-20 O'brien William G Secure modem gateway concentrator
CN101352003A (en) * 2005-12-30 2009-01-21 极进网络股份有限公司 Method of providing virtual router functionality
CN102404721A (en) * 2010-09-10 2012-04-04 华为技术有限公司 Safety protecting method of Un interface, device and base station
US20160285636A1 (en) * 2015-03-27 2016-09-29 Comcast Cable Communications, Llc Methods And Systems For Key Generation
CN106656503A (en) * 2016-10-13 2017-05-10 上海众人网络安全技术有限公司 Key storage method, data encryption and decryption method, electronic signature method and devices thereof
CN209149308U (en) * 2018-12-26 2019-07-23 贵州华芯通半导体技术有限公司 Key based on hardware device generates and verifying system

Also Published As

Publication number Publication date
CN109446831B (en) 2024-06-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 9th Floor, Building C, Gui'an Center, Plot ZD-64, Big Data Science and Technology Innovation City, Gui'an New Area, Guiyang City, Guizhou Province, 550003 (No. 2 on the south side)

Applicant after: Guizhou Huaxin Semiconductor Technology Co.,Ltd.

Address before: 550081 2nd floor, intersection of Qianzhong Avenue and Jinma Avenue, Gui'an New District, Guiyang City, Guizhou Province

Applicant before: GUIZHOU HUAXINTONG SEMICONDUCTOR TECHNOLOGY Co.,Ltd.

GR01 Patent grant