CN109981671B - Data processing method based on encryption machine and encryption machine - Google Patents

Data processing method based on encryption machine and encryption machine Download PDF

Info

Publication number
CN109981671B
CN109981671B CN201910266538.XA CN201910266538A CN109981671B CN 109981671 B CN109981671 B CN 109981671B CN 201910266538 A CN201910266538 A CN 201910266538A CN 109981671 B CN109981671 B CN 109981671B
Authority
CN
China
Prior art keywords
data
check code
transmission
operation result
processed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910266538.XA
Other languages
Chinese (zh)
Other versions
CN109981671A (en
Inventor
孙吉平
陈文静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Senseshield Technology Co Ltd filed Critical Beijing Senseshield Technology Co Ltd
Priority to CN201910266538.XA priority Critical patent/CN109981671B/en
Publication of CN109981671A publication Critical patent/CN109981671A/en
Application granted granted Critical
Publication of CN109981671B publication Critical patent/CN109981671B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • H04L63/123Applying verification of the received information received data contents, e.g. message integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The data processing method based on the encryption machine and the encryption machine are provided, the encryption machine comprises a password chip, and the method comprises the following steps: responding to the data operation request to obtain data to be processed, and sending the data to be processed and the check code before transmission of the data to be processed to the password chip; receiving a first check code before transmission of an operation result and a calculated operation result, wherein the operation result is obtained by executing operation after the password chip determines that the data to be processed successfully passes the transmission integrity check of the data to be processed; after the integrity check is successfully transmitted through the first operation result, the inverse operation request, the operation result and a second check code before transmission of the operation result are sent to the password chip; receiving an inverse operation result obtained by executing inverse operation after the operation result is determined to pass the transmission integrity check of the second operation result successfully by the password chip and a check code before transmission of the calculated inverse operation result; after the transmission integrity check of the inverse operation result is successfully passed, whether the data to be processed is consistent with the inverse operation result is determined; if the data are consistent, the data operation is successful.

Description

Data processing method based on encryption machine and encryption machine
Technical Field
The invention relates to the field of computer security, in particular to a data processing method based on an encryption machine and the encryption machine for improving the reliability of cipher chip reason data.
Background
In order to improve the efficiency and security of data encryption and decryption, cryptographic chips are often used to replace soft algorithms for cryptographic operations, especially in application fields requiring high performance cryptographic operations. Generally, a cryptographic chip provides a set of Application Programming Interfaces (APIs), and a built-in application (hereinafter also referred to as a built-in application) of an encryption equipment (hereinafter also referred to as an encryption equipment) directly uses an operation function provided by the chip through the API provided by the cryptographic chip. However, when the application program uses the cryptographic operation function of the chip, it is necessary to transmit data from the memory of the encryption device to the inside of the chip, and the data transmission process requires other hardware related to the encryption device, so that there is a possibility that data is lost or incomplete. The inside of the cryptographic chip may have unstable programs or data due to the electrical characteristics of hardware. In summary, there may be cases where the operation result is incorrect when the cryptographic chip is used for operation.
Therefore, there is a need in the art to improve the reliability of data manipulation (e.g., encryption and decryption of data) performed by cryptographic chips.
Disclosure of Invention
The invention aims to provide a data processing method based on an encryption machine and the encryption machine, which can improve the reliability of data operation processing (such as data encryption and decryption operation processing).
According to a first aspect of the present invention, there is provided a data processing method based on an encryption machine, the encryption machine including a cryptographic chip, the method including: the method comprises the steps of responding to a data operation processing request to obtain data to be processed, sending the data to be processed and a check code before transmission of the data to be processed to a password chip, receiving a first check code before transmission of an operation result obtained by executing a preset operation on the data to be processed according to the data operation processing request and an operation result obtained by calculation of the password chip after the data to be processed is determined to successfully pass the transmission integrity check of the data to be processed, sending a data inverse operation request, the operation result and a second check code before transmission of the operation result to the password chip after the first operation result is successfully passed the transmission integrity check, receiving a reverse operation result obtained by executing the inverse operation of the preset operation on the operation result according to the data inverse operation request and a check code before transmission of the inverse operation result obtained by calculation of the password chip after the operation result is determined to successfully pass the transmission integrity check of the second operation result, and after the transmission integrity check of the inverse operation result is successfully passed, determining whether the data to be processed is consistent with the inverse operation result, and if the data to be processed is consistent with the inverse operation result, indicating that the data operation processing is successful.
According to a preferred embodiment of the first aspect, the checking of the integrity of the transmission of the data to be processed includes comparing a check code before transmission of the data to be processed with a check code after transmission of the data to be processed calculated using the same check algorithm as that used to calculate the check code before transmission of the data to be processed.
According to a preferred embodiment of the first aspect, the data arithmetic processing request includes a data encryption request and a data decryption request.
According to a preferred embodiment of the first aspect, the first operation result transmission integrity check comprises comparing a first pre-transmission check code of the operation result with a first post-transmission check code of the operation result calculated using the same check algorithm as the pre-transmission check code of the operation result.
According to a preferred embodiment of the first aspect, the second operation result transmission integrity check comprises comparing a second pre-transmission check code of the operation result with a second post-transmission check code of the operation result calculated using the same check algorithm as the second pre-transmission check code of the operation result.
Preferably, the checking of the transmission integrity of the inverse operation result includes comparing a check code before transmission of the inverse operation result with a check code after transmission of the inverse operation result calculated using the same check algorithm as the check code before transmission of the inverse operation result.
According to a second aspect of the present invention, there is provided an encryption apparatus comprising: the password chip is used for carrying out preset data operation processing on data to be processed; a memory having computer program instructions stored therein; a processor, the computer program instructions, when executed by the processor, implementing the method of any of the aspects described above.
According to a third aspect of the present invention, there is provided a data processing method based on an encryption machine, including: the method comprises the steps of sending a data operation processing request and data to be processed to an encryption machine, receiving an operation result obtained by performing preset operation on the data to be processed from the encryption machine, sending a data inverse operation request and an operation result to the encryption machine, receiving an inverse operation result obtained by performing preset operation on the operation result from the encryption machine, comparing the data to be processed with the inverse operation result, and if the data to be processed and the inverse operation result are consistent, indicating that the data operation processing is successful.
According to the scheme of the invention, the data processing method based on the encryption machine and the encryption machine provided by the invention can verify the safety and reliability of the data operation processing and data transmission process performed by the encryption chip in consideration of the possibility of data loss or incompleteness due to the need of other hardware related to the encryption machine equipment in the data transmission process and the condition that the program or data is unstable due to the electrical characteristics of the hardware in the encryption chip, thereby ensuring that an accurate and correct operation processing result is obtained and improving the safety and reliability of the data operation processing performed by the encryption machine.
Drawings
These and other aspects of the disclosure, as well as the above and other objects, advantages and features, will become apparent from the following description of the embodiments with reference to the accompanying drawings, in which:
fig. 1 is a block diagram showing the constituent components of the architecture of an encryptor device according to an embodiment of the present disclosure;
FIG. 2 is a flow chart illustrating reliability enhancement of cryptographic operations according to an embodiment of the present disclosure;
FIG. 3 is a flow chart illustrating the reliability enhancement of a decryption operation according to an embodiment of the present disclosure;
FIG. 4 is a flow chart illustrating steps of a data processing method according to an embodiment of the present disclosure;
fig. 5 is a flowchart illustrating steps of a data processing method of a user interface side according to another embodiment of the present disclosure.
Detailed Description
The embodiments and figures presented herein illustrate various principles of the invention. It will be appreciated that those skilled in the art will be able to devise various arrangements and implementations that, although not explicitly described or shown herein, embody the principles of the invention and are included within the scope of the disclosure. In addition, the various embodiments described herein are not necessarily mutually exclusive, but rather the various embodiments can be combined to produce further embodiments incorporating the principles of the present invention. In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and examples.
Fig. 1 shows a block diagram of the constituent components of the architecture of an encryptor device 10 (also simply referred to as encryptor 10). In at least some embodiments, as shown in FIG. 1, the encryptor device 10 includes a memory 101, a processor 102, a cryptographic chip 103, a user interface 104, and the processor 102 may include a built-in application 105. Specifically, the application aspect of the encryption device 10 mainly includes the encryption protection/verification and the data encryption/decryption operation processing, and these two operations are implemented by using two different service keys in the cryptographic chip 103.
In one embodiment of the present disclosure, memory 101 is used to store an operating system, other applications, and program data and application data used during operation of the operating system and applications, such as built-in application 105. The processor 102 is used to perform various operations and processes that need to be performed in the encryption engine. In various embodiments, processor 102 may include one or more processing cores or processing units.
The cryptographic chip 103 is a secure chip in the encryptor device 10, and is a main cryptographic operation unit. The inside of the crypto chip 103 stores data such as core service keys, seed codes and the like, the service keys are invisible to the outside, and all cryptographic operations related to services are completed inside the crypto chip 103, so that the safety of the data is ensured to the maximum extent. Typically, to improve performance, one encryptor device 10 may have multiple cryptographic chips 103 embedded therein.
In embodiments, the user interface 104 may be any interface with which a user can interact, and the user interface 104 may be communicatively coupled with the built-in application 105 through an Application Programming Interface (API).
The built-in application 105 shown in fig. 1 may be an internal module of the encryption device 10, and the built-in application 105 may generally be an application implemented by software, and mainly provides the following functions: registration initialization, management functions (copy administrator lock, system settings), key recovery, and the like of the encryptor device 10. In other embodiments, the built-in application 105 may also be implemented in firmware.
As mentioned above, the cryptographic chip 103 usually provides one or more cryptographic chip APIs, and the built-in application 105 of the encryption apparatus directly uses the operation function provided by the cryptographic chip 103 through the cryptographic chip API provided by the cryptographic chip 103. In this case, the built-in application 105 needs to transmit data from the memory of the encryption device to the inside of the encryption chip 103 when using the cryptographic operation function of the encryption chip 103, and the data transmission process may involve other hardware and other related elements of the encryption device 10, so that data may be lost or incomplete during the transmission process. There may be situations where the program or data is not stable or changed inside the cryptographic chip 103 due to the electrical characteristics of the hardware. For these reasons, there is a possibility that an operation result obtained when a data processing operation is performed using the cryptographic chip 103 is incorrect.
In view of the above, the present invention discloses a scheme for improving the reliability of data operation processing (e.g., data encryption and decryption) by using the cryptographic chip 103. The scheme mainly involves the built-in application 105, the cryptographic chip 103 and the cryptographic chip API of the encryptor device 10. The scheme improves the reliability of the data operation processing (for example, encrypting and decrypting data) performed by the cryptographic chip 103 by adding the following two verification means in the process that the built-in application program 105 performs the data operation processing by using the cryptographic chip 103: and checking the integrity of the data transmission process and the correctness of the cryptographic operation result. Fig. 2 to 5 respectively show flowcharts of methods for performing data operation processing (including data encryption and data decryption processing) by using the cryptographic chip 103 of the encryptor device 10 according to various embodiments of the present invention.
First, two processing procedures for performing data transmission integrity check are described below. In the context of the main application aspects of the cryptographic chip 103 of the cryptographic apparatus 10, the process mainly involves both the transfer of data from the built-in application to the cryptographic chip 103 and the transfer of data from the cryptographic chip 103 to the built-in application.
A. Data transfer process integrity verification
The data transfer process includes two sub-processes of data transfer from the built-in application 105 to the cryptographic chip 103 and data transfer from the cryptographic chip 103 to the built-in application 105. The reliability guarantee of the process is realized through a data integrity check algorithm.
Data slave built-in applicationProgram transmission to the cryptographic chip 103
Before data transmission, the check code of the data to be operated is calculated firstly, and the check code and the data are transmitted to the password chip 103 together, the password chip 103 calculates the check code of the data by using the same algorithm after receiving the data, if the calculated check code is consistent with the received check code, the data is not changed in the transmission process, and data processing operation, such as password operation, can be continuously performed. If not, indicating that the data has been changed, the cryptographic chip 103 returns an error indication directly without performing a data processing operation, such as a cryptographic operation.
Data transfer from cryptographic chip 103 to a built-in application
Before data transmission, the check code of the operation result data is calculated firstly, and the check code and the data are transmitted to the password chip 103 together, the built-in application program 105 can calculate the check code of the data by using the same algorithm after receiving the data, if the calculated check code is consistent with the received check code, the data is not changed in the transmission process, and subsequent verification can be continued. If not, indicating that the data has been changed, built-in application 105 returns an error prompt directly, and the program ends and exits.
Further, the embodiment of the present invention also relates to the correctness check of the data operation processing performed by the cryptographic chip 103 of the encryption equipment 10, and in the context of the present invention, the data operation processing correctness check mainly includes two aspects of the encryption correctness check of the cryptographic chip 103 and the decryption correctness check of the cryptographic chip 103.
B. Cryptographic operation result correctness checking
The data processing operation, such as a cryptographic operation, mainly includes two operations, i.e., the cryptographic chip 103 encrypts data and the cryptographic chip 103 decrypts data. The reliability guarantee of the operation process is realized by using the cryptographic chip 103 to perform inverse operation on the result of the data operation.
Cipher chip103 encryption correctness checking
This check is performed on the premise that the data transfer process integrity check has been passed. After the built-in application program 105 receives the encryption result of the password chip 103, the encryption result is decrypted by using the password chip 103, and then whether the decryption result is consistent with the data to be encrypted is compared, if so, the encryption result of the password chip 103 is correct, otherwise, the built-in application program 105 returns an error prompt, and the program is ended and exits.
Verification of decryption correctness by crypto chip 103
This check is performed on the premise that the data transfer process integrity check has been passed. After the built-in application program 105 receives the decryption result of the password chip 103, the decryption result is encrypted by using the password chip 103, and then whether the encryption result is consistent with the data to be decrypted is compared, if so, the decryption result of the password chip 103 is correct, otherwise, the built-in application program 105 returns an error prompt and exits.
The method and the traditional method for encrypting and decrypting data by using the password chip 103 have the advantages that the integrity verification in the data transmission process and the verification of the operation result of the password chip 103 are added, errors of the data in the transmission process and the password operation process can be effectively detected and prevented through the two verifications, the possible errors can be found in time, and the accuracy of the operation result is improved.
The scheme for improving the reliability of the data processing operation (for example, encrypting and decrypting data) performed by the cryptographic chip 103 specifically includes two processes of data encryption and data decryption, and the following will describe in detail the process of applying the method to an encryptor device for encrypting and decrypting data of a user with reference to fig. 2 and fig. 3.
The flow of this data encryption process will be described below with reference to fig. 2. Fig. 2 shows a flow timing diagram of encryption operation reliability improvement according to an embodiment of the present disclosure. As shown in fig. 2, a process of a data encryption operation according to an embodiment of the present invention includes an encryption process and a decryption process.
The encryption process involved in the data encryption process shown in fig. 2 is explained below. First, a user initiates an encrypted data request to the encryptor device 10, and passes data to be encrypted (also referred to as plaintext or plaintext data) as a parameter to the encryptor device. The built-in application 105 of the encryptor device 10 receives and parses the user request, obtaining the data to be encrypted. Then, the built-in application 105 of the encryptor device 10 calculates a check code of the data to be encrypted, and transmits the data to be encrypted together with the check code to the cryptographic chip 103 via the cryptographic chip API. Next, after the crypto chip 103 receives the data to be encrypted and the check code, the check code of the data to be encrypted is calculated by using the same algorithm as that of the built-in application program 105 of the encryptor device 10, if the calculated check code is identical to the received check code, it is determined that no error occurs in the transmission process of the data to be encrypted, and the cryptographic operation can be performed, otherwise, error information is directly returned.
Then, the cryptographic chip 103 performs an encryption operation on the plaintext data to obtain an encryption result (also referred to as ciphertext or ciphertext data); the cryptographic chip 103 calculates a check code of the encryption result, and returns the encryption result together with the result check code to the built-in application 105 of the encryptor device 10. The built-in application 105 of the encryptor device 10 calculates a check code of the encryption result.
Then, the built-in application 105 of the encryption device 10 compares whether the check code calculated by itself and the received check code are consistent, and if so, considers that no error occurs in the transmission process of the encryption result, the encryption result is correct, and returns the encryption result to the user, otherwise, directly returns error information.
The following explains a decryption process involved in the data encryption processing shown in fig. 2. First, the built-in application 105 of the encryptor device 10 calculates a check code of the above-described encryption result (also referred to as ciphertext or ciphertext data), and then sends the encryption result as data to be decrypted to the cryptographic chip 103 via the cryptographic chip API together with the check code.
Next, after the crypto chip 103 receives the data to be decrypted and the check code, the check code of the data to be decrypted is calculated by using the same algorithm as that of the built-in application program 105 of the encryptor device 10, if the calculated check code is identical to the received check code, it is determined that no error occurs in the transmission process of the data to be decrypted, and the cryptographic operation can be performed, otherwise, error information is directly returned.
Then, the cryptographic chip 103 performs decryption operation on the ciphertext data to obtain a decryption result (also referred to as plaintext or plaintext data); the cryptographic chip 103 calculates the check code of the decryption result, and returns the decryption result together with the check code of the decryption result to the built-in application 105 of the encryption apparatus device 10. Subsequently, the built-in application 105 of the encryptor device 10 calculates the check code of the decryption result.
Then, the built-in application 105 of the encryption device 10 compares whether the check code calculated by itself and the received check code are consistent, and if so, considers that no error occurs in the transmission process of the decryption result, and the decryption result is correct, and returns the decryption result to the user, otherwise, directly returns error information.
Then, the built-in application program 105 compares whether the plaintext data and the decryption result are consistent, if so, it indicates that the data encryption processing is successful, and the program is normally ended, otherwise, it indicates that the data encryption processing is failed, and the program exits abnormally.
The flow of the data decryption process will be described in detail below with reference to fig. 3. Fig. 3 shows a flow timing diagram of the reliability enhancement of the decryption operation according to an embodiment of the present disclosure. As shown in fig. 3, the process of the data decryption operation includes a decryption process and an encryption process.
The decryption process involved in the data decryption process is described in detail below with reference to fig. 3. First, a user initiates a request for decrypting data to the encryptor device 10, and passes data to be decrypted (also referred to as ciphertext or ciphertext data) as a parameter to the encryptor device 10. Then, the built-in application 105 of the encryptor device 10 receives and parses the user request, and obtains data to be decrypted. Thereafter, the built-in application 105 of the encryptor device 10 calculates a check code of the data to be decrypted, and transmits the data to be decrypted together with the check code to the cryptographic chip 103 via the cryptographic chip API.
After receiving the data to be decrypted and the check code, the cryptographic chip 103 calculates the check code of the ciphertext data by using the same algorithm as the built-in application program 105 of the encryption equipment 10, if the calculated check code is consistent with the received check code, it is determined that no error occurs in the transmission process of the data to be decrypted, and cryptographic operation can be performed, otherwise, error information is directly returned.
The crypto chip 103 performs decryption calculation on the data to be decrypted to obtain a decryption result (also referred to as plaintext or plaintext data). Then, the cryptographic chip 103 calculates a check code of the decryption result, and returns the decryption result together with the decryption result check code to the built-in application 105 of the encryptor device 10 via the cryptographic chip API. The built-in application 105 of the encryptor device 10 calculates the check code of the decryption result.
Then, the built-in application 105 of the encryption device 10 compares whether the check code calculated by itself and the received check code are consistent, and if so, considers that no error occurs in the transmission process of the decryption result, and the decryption result is correct, and returns the decryption result to the user, otherwise, directly returns error information.
The encryption process involved in the data decryption process is described in detail below with reference to fig. 3. First, the built-in application 105 of the encryptor device 10 calculates a check code of the above-described decryption result (also referred to as plaintext or plaintext data), and sends the decryption result as data to be encrypted to the cryptographic chip 103 via the cryptographic chip API together with the check code.
Next, after the crypto chip 103 receives the data to be encrypted and the check code, the check code of the data to be encrypted is calculated by using the same algorithm as that of the built-in application program 105 of the encryptor device 10, if the calculated check code is identical to the received check code, it is determined that no error occurs in the transmission process of the data to be encrypted, and the cryptographic operation can be performed, otherwise, error information is directly returned.
Then, the cryptographic chip 103 performs encryption calculation on the data to be encrypted to obtain an encryption result (also referred to as ciphertext or ciphertext data). Then, the cryptographic chip 103 calculates a check code of the encryption result, and returns the encryption result together with the encryption result check code to the built-in application 105 of the encryptor device 10 via the cryptographic chip API. Subsequently, the built-in application 105 of the encryptor device 10 calculates a check code of the encryption result.
Then, the built-in application 105 of the encryption device 10 compares whether the check code calculated by itself and the received check code are consistent, and if so, considers that no error occurs in the transmission process of the encryption result, and the encryption result is correct, and returns the encryption result to the user, otherwise, directly returns error information.
Then, the built-in application program 105 compares whether the ciphertext data and the encryption result are consistent, if so, the data decryption processing is successful, and the program is normally ended, otherwise, the data decryption processing is failed, and the program exits abnormally.
FIG. 4 is a flow diagram illustrating steps of a data processing method according to one embodiment of the present disclosure. According to the embodiment, a data processing method based on an encryption equipment device 10 is provided, the encryption equipment device 10 comprises a crypto chip 103, and the data processing method specifically comprises the following steps S210-S260 as shown in FIG. 4. Specifically, S210: acquiring data to be processed in response to the data operation processing request, and sending the data to be processed and a check code before transmission of the data to be processed to the password chip 103; s220: receiving a first transmission check code of an operation result obtained by the password chip 103 executing a predetermined operation on the data to be processed according to the data operation processing request after the password chip 103 determines that the data to be processed successfully passes the transmission integrity check of the data to be processed, and the operation result calculated by the password chip 103; s230: after the integrity check is successfully transmitted through the first operation result, the data inverse operation request, the operation result and a second check code before transmission of the operation result are sent to the password chip; s240: receiving an inverse operation result obtained by the cryptographic chip 103 performing inverse operation of a predetermined operation on the operation result according to the data inverse operation request after determining that the operation result successfully passes the second operation result transmission integrity check and a check code before transmission of the inverse operation result calculated by the cryptographic chip 103; s250: after the transmission integrity check of the inverse operation result is successfully passed, determining whether the data to be processed is consistent with the inverse operation result; s260: if the data to be processed is consistent with the inverse operation result, the data operation is successfully processed.
According to a preferred embodiment, the checking of the integrity of the transmission of the data to be processed comprises comparing a check code before transmission of the data to be processed with a check code after transmission of the data to be processed calculated using the same checking algorithm as that used for calculating the check code before transmission of the data to be processed.
According to another preferred embodiment, the data arithmetic processing request includes a data encryption request and a data decryption request.
According to another preferred embodiment, the first operation result transmission integrity check comprises comparing a first pre-transmission check code of the operation result with a first post-transmission check code of the operation result calculated using the same check algorithm as the pre-transmission check code of the operation result is calculated.
According to a further preferred embodiment, the second operation result transmission integrity check comprises comparing a second pre-transmission check code of the operation result with a second post-transmission check code of the operation result calculated using the same check algorithm as the second pre-transmission check code of the operation result.
Preferably, the checking of the transmission integrity of the inverse operation result includes comparing a check code before transmission of the inverse operation result with a check code after transmission of the inverse operation result calculated using the same check algorithm as the check code before transmission of the inverse operation result.
According to another embodiment of the present invention, there is provided an encryptor device 10, the encryptor device 10 including: the password chip 103 is used for performing predetermined data operation processing on data to be processed; a memory 101 having computer program instructions stored therein; a processor 102, the computer program instructions when executed by the processor 102 implementing the method defined by any one or combination of the above embodiments.
Fig. 5 is a flowchart illustrating steps of a data processing method on the user interface 104 side according to another embodiment of the present disclosure. According to the embodiment of the present invention, there is provided a data processing method based on the encryptor device 10, the data processing method including the following respective steps S310-S350 as shown in fig. 5. Specifically, S310: a user sends a data operation processing request and data to be processed to the encryption equipment 10; s320: the user receives an operation result obtained by performing a predetermined operation on data to be processed from the encryptor device 10; s330: a user sends a data inverse operation request and an operation result to the encryption equipment 10; s340: the user receives an inverse operation result obtained by performing an inverse operation of a predetermined operation on the operation result from the encryptor device 10; s350: and comparing the data to be processed with the inverse operation result by the user, and if the data to be processed and the inverse operation result are consistent, indicating that the data operation processing is successful.
The embodiment shown in fig. 5 illustrates a flow of a data processing method implemented on the user interface side when a user interacts with an output device (e.g., a display device) of the encryptor device 10 through the user interface 104. It is noted that in this embodiment, the user interface 104 is communicably coupled with the built-in application 105 of the encryption device 10 through an API, and the data transmission integrity check is done by the built-in application 105 of the encryption device 10.
According to the various embodiments of the present invention, in consideration of the possibility that data may be lost, damaged or incomplete due to any other reasons in the process of data transmission caused by the hardware related to the encryption equipment, and the fact that programs or data may not be stable due to the electrical characteristics of the hardware inside the cryptographic chip, the data processing method and the encryption equipment based on the encryption equipment provided by the various embodiments can verify the security and reliability of the data arithmetic processing performed by the cryptographic chip and the data transmission process of the encryption equipment, thereby ensuring to obtain accurate and correct arithmetic processing results, timely finding and correcting various errors and faults that may occur during the data arithmetic processing, and contributing to improving the security and reliability of the data arithmetic processing performed by the encryption equipment.
The flow diagrams illustrated herein provide examples of sequences of various process actions. Although shown in a particular order or sequence, the order of the acts may be modified unless otherwise indicated. Thus, the illustrated embodiments are provided for illustrative purposes only, the processes may be performed in a different order, and some of the processes may be performed in parallel. In addition, one or more steps may be omitted as desired in various embodiments.
The software of the embodiments described herein may be provided via a computer-readable storage medium or any article of manufacture in which software content is stored, or via a communications interface. The computer-readable storage media may cause a machine to perform the described functions or operations, including any mechanism for storing program modules or data content in a form accessible by a computing device, such as read-only memory, random-access memory, magnetic disk storage media, optical disk storage media, flash memory devices, and so forth. A communication interface includes any mechanism for interfacing with any of a hardwired, wireless, optical, etc. medium to communicate with another device, such as a memory bus interface, a processor bus interface, an internet connection, a disk controller, etc.
The various components described herein may be modules for performing the described operations or functions. Each component described herein includes software, hardware, firmware, or a combination thereof. These components may be implemented as software modules, hardware modules, dedicated hardware (e.g., application specific integrated circuits, digital signal processors, etc.), embedded controllers, etc.
References in the specification to "one embodiment," "an embodiment," "various embodiments," etc., indicate that the embodiment described may include a particular feature or structure. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature or structure is described in connection with an embodiment, it is submitted that it is within the knowledge and capability of one skilled in the art to effect such feature or structure in connection with other embodiments whether or not explicitly described.
In addition to what is described herein above, various modifications and variations may be made to the various embodiments of the present disclosure without departing from the scope thereof. Accordingly, the description, examples, and embodiments herein should be construed as illustrative and not restrictive. The scope of the present disclosure should be limited only by the following claims and equivalents and arrangements thereof.

Claims (8)

1. A method of data processing based on an encryption engine, the encryption engine including a cryptographic chip, the method comprising:
the method comprises the steps of responding to a data operation processing request, obtaining data to be processed, and sending the data to be processed and a fourth check code before transmission to a password chip, wherein the fourth check code before transmission is the check code before transmission of the data to be processed;
receiving an operation result and a first check code before transmission; the operation result is obtained by the cipher chip executing a predetermined operation on the data to be processed according to the data operation processing request after the cipher chip determines that the data to be processed successfully passes the transmission integrity check of the data to be processed; the first check code before transmission is a check code before transmission of the operation result calculated by the cryptographic chip,
after the operation result passes the first operation result transmission integrity check successfully, sending a data inverse operation request, the operation result and a second check code before transmission to the password chip, wherein the second check code before transmission is the check code before transmission of the operation result;
receiving an inverse operation result and a third check code before transmission; the inverse operation result is obtained by the cryptographic chip executing the inverse operation of the preset operation on the operation result according to the data inverse operation request after the cryptographic chip determines that the operation result successfully passes the transmission integrity check of the second operation result; the third check code before transmission is the check code before transmission of the inverse operation result calculated by the cryptographic chip,
after the inverse operation result successfully passes the inverse operation result transmission integrity check, determining whether the data to be processed is consistent with the inverse operation result,
and if the data to be processed is consistent with the inverse operation result, indicating that the data operation processing is successful.
2. The method of claim 1, wherein the pending data transmission integrity check comprises: comparing the fourth pre-transmission check code with a fourth post-transmission check code; and the fourth check code after transmission is the check code after transmission of the data to be processed, which is calculated by using the same check algorithm as that for calculating the check code before the fourth transmission.
3. The method of claim 1, wherein the data operation processing request comprises a data encryption request and a data decryption request.
4. The method of claim 1, wherein the first operation result transfer integrity check comprises: comparing the first pre-transmission check code with a first post-transmission check code; the first check code after transmission is a check code after transmission of the operation result calculated by using the same check algorithm as that used for calculating the check code before transmission.
5. The method of claim 1, wherein the second operation result transmission integrity check comprises: comparing the second pre-transmission check code with a second post-transmission check code; and the second check code after transmission is the check code after transmission of the operation result calculated by using the same check algorithm as that used for calculating the check code before transmission.
6. The method of claim 3, wherein the inverse result transfer integrity check comprises: comparing the third pre-transmission check code with a third post-transmission check code; and the third check code after transmission is a check code after transmission of an inverse operation result calculated by using the same check algorithm as that used for calculating the check code before the third transmission.
7. An encryption engine comprising:
the password chip is used for carrying out preset data operation processing on data to be processed;
a memory having computer program instructions stored therein;
a processor, the computer program instructions, when executed by the processor, implementing the method of any of claims 1-6.
8. A data processing method based on an encryption machine comprises the following steps:
sending a data operation processing request and data to be processed to the encryption machine, wherein a fourth check code before transmission is sent to a password chip of the encryption machine through a built-in application program of the encryption machine, wherein the fourth check code before transmission is the check code before transmission of the data to be processed;
a step of receiving an operation result obtained by performing a predetermined operation on the data to be processed from the encryption engine, wherein a first check code before transmission is also sent from the cryptographic chip to the built-in application program, the operation result is obtained by the cryptographic chip executing the predetermined operation on the data to be processed according to the data operation processing request after the cryptographic chip determines that the data to be processed successfully passes the transmission integrity check of the data to be processed, and the first check code before transmission is a check code before transmission of the operation result calculated by the cryptographic chip;
a step of sending a data inverse operation request and the operation result to the encryption machine after the operation result is successfully checked through the transmission integrity of the first operation result, wherein a second check code before transmission is also sent to the password chip through the built-in application program, wherein the second check code before transmission is a check code before transmission of the operation result;
a step of receiving an inverse operation result obtained by performing an inverse operation of the predetermined operation on the operation result from the encryption engine, wherein the cryptographic chip further sends a third check code before transmission to the built-in application program, the inverse operation result is obtained by performing the inverse operation of the predetermined operation on the operation result according to a data inverse operation request after the cryptographic chip determines that the operation result successfully passes a second operation result transmission integrity check, and the third check code before transmission is a check code before transmission of the inverse operation result calculated by the cryptographic chip;
and comparing the data to be processed with the inverse operation result after the inverse operation result successfully passes the transmission integrity check of the inverse operation result, and if the data to be processed and the inverse operation result are consistent, indicating that the data operation processing is successful.
CN201910266538.XA 2019-04-03 2019-04-03 Data processing method based on encryption machine and encryption machine Active CN109981671B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910266538.XA CN109981671B (en) 2019-04-03 2019-04-03 Data processing method based on encryption machine and encryption machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910266538.XA CN109981671B (en) 2019-04-03 2019-04-03 Data processing method based on encryption machine and encryption machine

Publications (2)

Publication Number Publication Date
CN109981671A CN109981671A (en) 2019-07-05
CN109981671B true CN109981671B (en) 2020-12-08

Family

ID=67082741

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910266538.XA Active CN109981671B (en) 2019-04-03 2019-04-03 Data processing method based on encryption machine and encryption machine

Country Status (1)

Country Link
CN (1) CN109981671B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110502380B (en) * 2019-08-16 2022-11-22 兆讯恒达科技股份有限公司 Self-checking method of Hash algorithm coprocessor
CN111212042B (en) * 2019-12-24 2021-09-17 腾讯科技(深圳)有限公司 Data transmission method, device and system
CN115208587B (en) * 2022-09-15 2022-12-09 三未信安科技股份有限公司 System and method for realizing cryptographic algorithm based on cryptographic module

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101826960A (en) * 2010-04-16 2010-09-08 中国电子科技集团公司第二十八研究所 Checking method of real-time transmission encryption and decryption data
CN102223228A (en) * 2011-05-11 2011-10-19 北京航空航天大学 Method for designing AES (Advanced Encryption Standard) encryption chip based on FPGA (Field Programmable Gate Array) and embedded encryption system
KR101135058B1 (en) * 2010-03-19 2012-04-13 고려대학교 산학협력단 Encryption method and encryption device using differential fault analysis in round key generation of Data Encryption Standard
CN107483177A (en) * 2017-07-07 2017-12-15 郑州云海信息技术有限公司 A kind of method and system for verifying encryption device encryption data authenticity

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103714299A (en) * 2013-12-25 2014-04-09 北京握奇数据系统有限公司 Method and system for encryption and decryption of file of mobile terminal
CN107220545A (en) * 2017-05-31 2017-09-29 郑州云海信息技术有限公司 A kind of hardware encryption system, method and server
CN108898026B (en) * 2018-06-28 2020-09-01 泰康保险集团股份有限公司 Data encryption method and device
CN109194467A (en) * 2018-06-29 2019-01-11 北京东方英卡数字信息技术有限公司 A kind of safe transmission method and system of encryption data
CN108920980B (en) * 2018-07-02 2020-10-27 厦门强力巨彩光电科技有限公司 Encryption method, chip and device
CN109543375A (en) * 2018-11-30 2019-03-29 武汉推杰网络科技有限公司 A kind of remote access financial system with encryption equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101135058B1 (en) * 2010-03-19 2012-04-13 고려대학교 산학협력단 Encryption method and encryption device using differential fault analysis in round key generation of Data Encryption Standard
CN101826960A (en) * 2010-04-16 2010-09-08 中国电子科技集团公司第二十八研究所 Checking method of real-time transmission encryption and decryption data
CN102223228A (en) * 2011-05-11 2011-10-19 北京航空航天大学 Method for designing AES (Advanced Encryption Standard) encryption chip based on FPGA (Field Programmable Gate Array) and embedded encryption system
CN107483177A (en) * 2017-07-07 2017-12-15 郑州云海信息技术有限公司 A kind of method and system for verifying encryption device encryption data authenticity

Also Published As

Publication number Publication date
CN109981671A (en) 2019-07-05

Similar Documents

Publication Publication Date Title
CN110493197B (en) Login processing method and related equipment
CN109347835B (en) Information transmission method, client, server, and computer-readable storage medium
CN109981671B (en) Data processing method based on encryption machine and encryption machine
US20160080153A1 (en) Device authenticity determination system and device authenticity determination method
CN104836784B (en) A kind of information processing method, client and server
US20070150755A1 (en) Microcomputer, method for writing program to microcomputer, and writing system
CN111639325B (en) Merchant authentication method, device, equipment and storage medium based on open platform
CN110570196A (en) Transaction data processing method and device, terminal equipment and storage medium
US10547451B2 (en) Method and device for authentication
CN111630810A (en) Key exchange device, key exchange system, key exchange method, and key exchange program
US11516024B2 (en) Semiconductor device, update data-providing method, update data-receiving method, and program
CN114793184B (en) Security chip communication method and device based on third-party key management node
CN112600838B (en) CAN bus data encryption method and device, storage medium and electronic equipment
CN113489589A (en) Data encryption and decryption method and device and electronic equipment
US20230379146A1 (en) Securing network communications using dynamically and locally generated secret keys
CN115549910B (en) Data transmission method, equipment and storage medium
CN115004624A (en) Apparatus and method for key enforcement
CN115208587B (en) System and method for realizing cryptographic algorithm based on cryptographic module
CN110048837B (en) Method and system for copying cipher machine equipment and cipher machine equipment
US20180323976A1 (en) Multi-ttp-based method and device for verifying validity of identity of entity
US20230327854A1 (en) Methods, apparatuses, and computer-readable storage media for data authentication and error correction using error-tolerant message authentication code
US20180295132A1 (en) Multi-ttp-based method and device for verifying validity of identity of entity
US20240249003A1 (en) Efficient memory usage for storing cryptographic keys
CN114338176A (en) Data transmission method, device and network card
CN117251884A (en) Data verification method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.

CP01 Change in the name or title of a patent holder