CN110324138B - Data encryption and decryption method and device - Google Patents

Publication number: CN110324138B
Authority: CN (China)
Legal status: Active (as listed; not a legal conclusion)
Application number: CN201810274311.5A
Other languages: Chinese (zh)
Other versions: CN110324138A (en)
Inventor: 尉鲁飞
Current Assignee: Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd
Application filed by: Alibaba Group Holding Ltd
Priority to CN201810274311.5A (CN110324138B)
Priority to TW107141247A (TWI793215B)
Priority to PCT/CN2019/078419 (WO2019184740A1)
Publication of CN110324138A
Application granted
Publication of CN110324138B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity

Abstract

Embodiments of the application provide a data encryption and decryption method and device. The data encryption method comprises: generating, with a software root-of-trust program, a first key uniquely corresponding to the hardware device, and encrypting data according to the first key. This reduces the possibility that hackers and the like obtain the first key directly from the code, and ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same class or from the same hardware manufacturer remain safe, which effectively improves the security of the data and the hardware device. Because the first key is generated by a software root-of-trust program, it can be generated whether or not the hardware device has hardware security capability, which improves the reliability of generating the first key.

Description

Data encryption and decryption method and device
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for encrypting and decrypting data.
Background
With the development of the Internet of Things and computer technologies, a large number of hardware devices with poor hardware security capability and limited resources have been put into use, for example the various hardware devices that serve as terminal nodes of the Internet of Things. Such devices are generally low in price, have no security protection or are difficult to protect, and have no hardware security capability, so data in them is easily obtained by hackers and the like, and security is poor.
In the prior art, a key can be written into the code of the hardware device so that data in the device can be encrypted with that key. However, when the key is written into the code, it is difficult to give each device its own key; that is, hardware devices of the same class or from the same hardware manufacturer carry the same key. When the key in one hardware device is cracked, the keys of the other hardware devices of the same class or from the same hardware manufacturer are all revealed, so data security is difficult to ensure and the security of the data and the hardware device is low.
Disclosure of Invention
In view of the above, the present application is proposed to provide a data encryption and decryption method and apparatus that overcomes or at least partially solves the above problems.
The application provides a data encryption method, comprising:
generating a first key uniquely corresponding to the hardware device by using a software root-of-trust program;
encrypting data according to the first key.
Optionally, the encrypting data according to the first key includes:
randomly generating a second key;
encrypting the data to be encrypted with the second key, wherein the first key is used for encrypting the second key.
Optionally, the method further includes:
encrypting the second key with the first key.
Optionally, after encrypting the second key with the first key, the method further includes:
storing the encrypted second key in correspondence with the encrypted data.
Optionally, the method further includes:
generating verification data for verifying the integrity of the data to be encrypted, wherein the verification data is stored in correspondence with the encrypted data.
Optionally, the generating of the verification data for verifying the integrity of the data to be encrypted includes:
determining the hash value of the data to be encrypted.
Optionally, before encrypting data according to the first key, the method further includes:
providing a second interface for receiving data to be encrypted, and receiving the data to be encrypted through the second interface;
after the encrypting data according to the first key, the method further includes:
outputting an encryption result to the data source of the data to be encrypted through the second interface.
The application also provides a data decryption method, comprising:
generating a first key uniquely corresponding to the hardware device by using a software root-of-trust program;
decrypting the encrypted data according to the first key.
Optionally, the decrypting the encrypted data according to the first key includes:
generating the first key, and acquiring an encrypted second key, wherein the encrypted second key is stored in correspondence with the encrypted data;
decrypting the encrypted second key with the first key to obtain a second key;
decrypting the encrypted data with the second key.
Optionally, the method further includes:
acquiring verification data, wherein the verification data is stored in correspondence with the encrypted data;
verifying the integrity of the decryption result by using the verification data.
Optionally, the verification data includes a first hash value of the decryption result, and the verifying the integrity of the decryption result by using the verification data includes:
generating a second hash value of the decryption result;
comparing the second hash value with the first hash value to confirm that the decryption result has integrity.
Optionally, the method further includes:
outputting the decryption result through the second interface.
The present application further provides a data encryption method, comprising:
generating a first key uniquely corresponding to the hardware device by using a root-of-trust program;
encrypting data according to the first key.
Optionally, the generating, by using the root-of-trust program, the first key uniquely corresponding to the hardware device includes:
accessing a hardware root-of-trust program built into the hardware device to generate the first key.
Optionally, the hardware device has a dedicated hardware root-of-trust program, and the accessing the hardware root-of-trust program built into the hardware device includes:
accessing the hardware root-of-trust program through a first interface, wherein the interface type of the first interface is adapted to the program type of the hardware root-of-trust program.
The application also provides a data decryption method, comprising:
generating a first key uniquely corresponding to the hardware device by using a root-of-trust program;
decrypting the encrypted data according to the first key.
Optionally, the generating, by using the root-of-trust program, the first key uniquely corresponding to the hardware device includes:
accessing a hardware root-of-trust program built into the hardware device to generate the first key.
Optionally, the hardware device has a dedicated hardware root-of-trust program, and the accessing the hardware root-of-trust program built into the hardware device includes:
accessing the hardware root-of-trust program through a first interface, wherein the interface type of the first interface is adapted to the program type of the hardware root-of-trust program.
The present application further provides a data encryption apparatus, including:
a first key generation module, configured to generate a first key uniquely corresponding to the hardware device by using a software root-of-trust program;
a data encryption module, configured to encrypt data according to the first key.
Optionally, the data encryption module includes:
a key random generation submodule, configured to randomly generate a second key;
a data encryption submodule, configured to encrypt the data to be encrypted with the second key, wherein the first key is used for encrypting the second key.
Optionally, the apparatus further includes:
a second key encryption module, configured to encrypt the second key with the first key.
Optionally, the apparatus further includes:
a verification data generation module, configured to generate verification data for verifying the integrity of the data to be encrypted, wherein the verification data is stored in correspondence with the encrypted data.
Optionally, the apparatus further includes:
a to-be-encrypted data receiving module, configured to provide a second interface for receiving data to be encrypted and to receive the data to be encrypted through the second interface;
an encryption result output module, configured to output an encryption result to the data source of the data to be encrypted through the second interface.
The present application also provides a data decryption apparatus, including:
a first key generation module, configured to generate a first key uniquely corresponding to the hardware device by using a software root-of-trust program;
a data decryption module, configured to decrypt the encrypted data according to the first key.
Optionally, the data decryption module includes:
a key obtaining submodule, configured to generate the first key and obtain an encrypted second key, wherein the encrypted second key is stored in correspondence with the encrypted data;
a second key decryption submodule, configured to decrypt the encrypted second key with the first key to obtain a second key;
a data decryption submodule, configured to decrypt the encrypted data with the second key.
Optionally, the apparatus further includes:
a verification data acquisition module, configured to acquire verification data, wherein the verification data is stored in correspondence with the encrypted data;
an integrity verification module, configured to verify the integrity of the decryption result by using the verification data.
Optionally, the apparatus further includes:
a decryption result output module, configured to output the decryption result through the second interface.
The present application further provides a data encryption apparatus, including:
a first key generation module, configured to generate a first key uniquely corresponding to the hardware device by using a root-of-trust program;
a data encryption module, configured to encrypt data according to the first key.
Optionally, the first key generation module includes:
a first key generation submodule, configured to access a hardware root-of-trust program built into the hardware device and generate the first key.
The present application also provides a data decryption apparatus, including:
a first key generation module, configured to generate a first key uniquely corresponding to the hardware device by using a root-of-trust program;
a data decryption module, configured to decrypt the encrypted data according to the first key.
Optionally, the first key generation module includes:
a first key generation submodule, configured to access a hardware root-of-trust program built into the hardware device and generate the first key.
The present application also provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing a method according to one or more of the foregoing when executing the computer program.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method according to one or more of the foregoing.
In the embodiments of the application, first, a root-of-trust program generates a first key uniquely corresponding to the hardware device, and data is then encrypted according to the first key. This reduces the possibility that hackers and the like obtain the first key directly from the code, and even if the key of one hardware device is cracked, the keys in hardware devices of the same class or from the same hardware manufacturer remain safe, so the security of the data and the hardware device is effectively improved. Second, the first key can be generated by a software root-of-trust program, so it can be generated whether or not the hardware device has hardware security capability, which improves the reliability of generating the first key.
The foregoing is only an overview of the technical solutions of the present application. So that the technical means of the application can be understood more clearly and implemented according to the description, and so that the above and other objects, features, and advantages of the application are more readily understandable, a detailed description of the application follows.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flow chart of a data encryption method according to one embodiment of the present application;
FIG. 2 illustrates a flow diagram of another method of encrypting data according to a second embodiment of the present application;
FIG. 3 shows a flow diagram of another method of encrypting data according to a third embodiment of the present application;
FIG. 4 shows a flowchart of a data decryption method according to a fourth embodiment of the present application;
FIG. 5 is a flow diagram of another method for decrypting data according to an embodiment of the present application;
FIG. 6 shows a flow diagram of another method of decrypting data according to a sixth embodiment of the present application;
FIG. 7 shows a flow diagram of a method of data processing according to an embodiment of the present application;
FIG. 8 shows a flow diagram of a method of encrypting data according to one embodiment of the present application;
FIG. 9 shows a flow diagram of a method of decrypting data according to an embodiment of the present application;
FIG. 10 is a block diagram showing a data encryption apparatus according to a seventh embodiment of the present application;
FIG. 11 is a block diagram showing another data encryption apparatus according to an eighth embodiment of the present application;
FIG. 12 is a block diagram showing a structure of a data decryption apparatus according to a ninth embodiment of the present application;
FIG. 13 is a block diagram showing another data decryption apparatus according to an embodiment of the present application;
FIG. 14 illustrates a block diagram of an exemplary system according to an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While the exemplary embodiments of the present application are illustrated in the accompanying drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In order to facilitate a person skilled in the art to understand the embodiments of the present application in a deep manner, definitions of terms used in the embodiments of the present application will be described first.
A root-of-trust program, also known as a root of trust, refers to a collection of functions that are always considered trusted by the operations running on a hardware device; the root of trust provides trusted encryption and decryption services for that individual hardware device. The root of trust may include at least one of a hardware root of trust and a software root of trust. A hardware root-of-trust program depends on corresponding hardware, and may include an Intel Software Guard Extensions (Intel SGX) based hardware root-of-trust program or a Trusted Execution Environment (TEE) based hardware root-of-trust program; a software root-of-trust program may include a Key Manager (KM). Of course, in practical applications, the root of trust may also include other hardware or software roots of trust, which are not described further here.
The first key is derived by the root of trust according to the device unique identifier of the hardware device, so as to uniquely correspond to the hardware device, and the first key can be used for encrypting data in the hardware device.
The device unique identifier is used to uniquely identify an electronic device, and may include an IMEI (International Mobile Equipment Identity) or a MAC (Media Access Control) address, for example.
The hardware device may be any of various Internet of Things terminals or devices, for example detectors used for weather or environment monitoring, or smart home devices such as a smart speaker in a home. It may also be a mobile phone, a smart watch, a VR (Virtual Reality) device, a tablet computer, an electronic book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop computer, a vehicle-mounted computer, a desktop computer, a set-top box, and the like. The hardware device is capable of interacting with a remote server to obtain a client, a plug-in, or a data encryption or decryption service, and may include any of the apparatus of FIGS. 10-14 below, implementing any of the methods of FIGS. 1-9, to encrypt or decrypt data.
The client may include at least one application. The client can run in the positioning device, so that the data encryption or decryption method provided by the embodiment of the application is realized.
The plug-in can be included in an application program running on the positioning device, so as to realize the data encryption or decryption method provided by the embodiment of the application.
The embodiments of the application can be applied to data encryption or decryption in hardware devices such as Internet of Things devices, for example an edge gateway. When the key is written directly into the code of the hardware device, cracking the key in one device reveals the keys of the other hardware devices of the same class or from the same hardware manufacturer, so data security is difficult to ensure and the security of the data and the hardware device is low. To ensure one key per device, and thereby improve the security of the data and the hardware device, the embodiments of the application provide a data encryption method. In the embodiments, a root-of-trust program generates a first key uniquely corresponding to the hardware device, and data is encrypted according to the first key. Because the key does not need to be written directly into the code of the hardware device, on the one hand the possibility that hackers and the like obtain the key is reduced, and on the other hand, even if the key of one hardware device is cracked, the keys in hardware devices of the same class or from the same hardware manufacturer remain safe. Data can therefore be stored securely under a secure key, which effectively improves the security of the data and the hardware device. In addition, some hardware devices may lack the hardware on which a hardware root-of-trust program depends, that is, hardware security capability. To ensure that a hardware device can generate the first key whether or not it has hardware security capability, which improves the reliability of the first key, further ensures the security of the data and the hardware device, and reduces cost, the software root-of-trust program may be called to generate the first key. That is, the software root-of-trust program provides a key management function with better security.
The embodiment of the application can be implemented as a client or a plug-in, and the hardware device can acquire and install the client or the plug-in from a remote server, so that the data encryption or decryption method provided by the embodiment of the application is implemented through the client or the plug-in. Of course, the embodiments of the present application may also be deployed on a remote server in the form of software, and the positioning device may obtain a data encryption or decryption service by accessing the remote server.
Example one
Referring to fig. 1, a flowchart of a data encryption method according to an embodiment of the present application is shown, and the specific steps include:
step 101, a software trust root program is adopted to generate a first key uniquely corresponding to a hardware device.
In order to avoid the problem of one secret key which is difficult to realize due to the fact that the secret key is directly written into the code in the hardware equipment and further cause the problem of low safety of data and the hardware equipment, the secret key is not written into the hardware code, a trust root program is adopted to generate the first secret key, and the generated secret key can uniquely correspond to the hardware equipment, so that the possibility that a hacker and the like directly obtain the first secret key from the code is reduced, and the secret key in the hardware equipment of the same class as the hardware equipment or the same hardware manufacturer is still safe even if the secret key of the hardware equipment is cracked, and therefore the safety of the data and the hardware equipment can be effectively improved. In addition, because some hardware devices may not have hardware on which the hardware trust root program depends, that is, hardware security capability, in order to ensure that the hardware devices with or without hardware security capability can generate the first key, the reliability of the first key is improved, the security of data and hardware devices is further ensured, and at the same time, the cost is reduced, the software trust root program may be called to generate the first key. Namely, the key management function with better security is provided by the software trust root program.
Wherein, the software trust root program may include KM.
The device unique identifier of the hardware device can be obtained, and the first key is derived based on the device unique identifier by adopting a trust root program. Since the device unique identifiers of different hardware devices are different, the first keys obtained by different hardware devices are also different.
Step 102, encrypting data according to the first key.
As can be seen from the foregoing, the first key is generated by using the root of trust and uniquely corresponds to the hardware device, which can effectively improve the security of the data and the hardware device, and therefore, the data can be encrypted according to the first key.
The data to be encrypted in the hardware device may be obtained, and the data to be encrypted is encrypted by using the first key, but in practical application, the data to be encrypted may be encrypted by using a more complex encryption manner according to the first key, for example, to further improve the encryption effect, increase the complexity of cracking the encrypted data, improve the security of the data and the hardware device, generate more keys, encrypt the data to be encrypted by using a plurality of keys including the first key, and so on.
The data to be encrypted may include data that is in the hardware device and has a high requirement for security, such as at least one of a user password, a user fingerprint feature, a user facial feature, a user iris feature, an application key of an application in the hardware device, and the like.
The encrypted data is a result of encrypting the data to be encrypted according to the first key, and the encrypted data can be decrypted according to the first key, so that the data to be encrypted is obtained again.
In the embodiment of the application, first, a first key uniquely corresponding to a hardware device can be generated by using a root-of-trust program, and data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, so the security of the data and the hardware device is effectively improved. Second, the first key can be generated by the software root-of-trust program, so the first key can be generated whether or not the hardware device has hardware security capability, which improves the reliability of generating the first key.
Example two
Referring to fig. 2, a flowchart of a data encryption method according to an embodiment of the present application is shown, and the specific steps include:
Step 201, generating a first key uniquely corresponding to a hardware device by using a software root-of-trust program.
The manner of generating the first key uniquely corresponding to the hardware device by using the root of trust program may refer to the related description in the foregoing, which is not described in detail herein.
Of course, in practical applications, at least one of the hardware root of trust and the software root of trust may be included in the hardware device.
In addition, the generated first key may be stored in a storage location corresponding to the root of trust, for example, in a KM-protected storage area.
Step 202, providing a second interface for receiving data to be encrypted, and receiving the data to be encrypted through the second interface.
As can be seen from the foregoing, the hardware device may include a hardware root-of-trust program and/or a software root-of-trust program, and may even include more than one hardware root-of-trust program. There may therefore be a plurality of first interfaces for the hardware root-of-trust programs, which makes the system architecture in the hardware device confusing and forces application programs in the application layer to perform complex and heavy adaptation. This not only increases the development cost of the application programs, but may also cause problems such as adaptation errors, making it difficult to encrypt data or causing other problems, and reducing the security and reliability of the data and the hardware device. Therefore, a unified interface, namely the second interface, can be provided for the application programs in the application layer to receive the data to be encrypted. The root-of-trust program is thus encapsulated in the bottom layer behind the second interface, and each application program can use each function of the root-of-trust program through the unified interface, so that the system architecture in the hardware device is simpler, the development cost of the application program is reduced, and the security and reliability of the application program and the hardware device are improved.
The second interface facing the application layer can be provided in hardware or software form. Data from the application layer is received through the second interface and converted according to the first interface or the software root-of-trust program, so that the converted data conforms to the data type or standard of the first interface or the software root-of-trust program.
The data to be encrypted is data that needs to be encrypted with a key, and may include data from any source and any application program.
Step 203, randomly generating a second key, and encrypting the data to be encrypted by using the second key, wherein the first key is used for encrypting the second key.
To effectively increase the difficulty of cracking the data and further reduce the possibility that the data is cracked, a second key can be generated on the basis of the first key; the data to be encrypted is encrypted with the second key, and the second key is encrypted with the first key. That is, the security of the data and the hardware device is improved through hierarchical key management. Because the possibility that a plurality of keys are all cracked is smaller than the possibility that one key is cracked, the security of the data and the hardware device is improved. In addition, because the second key is randomly generated, a different key is used for each piece of data to be encrypted, so even if some encrypted data in the hardware device is cracked, other encrypted data remains safe, which further improves the security of the data and the hardware device.
The second key can be generated by the foregoing root-of-trust program through a key generation algorithm.
Hierarchical key management means that a plurality of keys are generated in different manners and each key is stored and managed separately. Either the data is encrypted with the plurality of keys, or some of the keys are used to encrypt the data and the keys that encrypt the data are themselves encrypted with other keys. This effectively increases the complexity of the encryption, so that a hacker or the like cannot easily acquire all the keys and therefore cannot easily crack the encrypted information, which improves the security of the encrypted information.
Of course, in practical applications, more keys can be used, and the data to be encrypted can be encrypted with the multiple keys in a similar manner, further improving the security of the data and the hardware device.
Step 204, encrypting the second key by using the first key.
To reduce the possibility that the second key is cracked, and thereby further reduce the possibility that the encrypted data is cracked and improve the security of the data and the hardware device, the second key may be encrypted with the first key.
The second key encrypted with the first key can be saved.
In this embodiment, optionally, to ensure that a legitimate user of the data can later obtain the second key and decrypt the encrypted data to be encrypted, and to improve the reliability of data encryption, the encrypted second key and the encrypted data to be encrypted may be stored in correspondence with each other.
The encrypted second key and the encrypted data to be encrypted may be stored in the same storage location, or the encrypted second key and the encrypted data to be encrypted may be stored in different storage locations, respectively, and a correspondence between the storage location where the encrypted second key is located and the storage location where the encrypted data to be encrypted is located may be stored. Of course, in practical applications, the encrypted second key and the encrypted data to be encrypted may be stored correspondingly in other manners.
In addition, in another optional embodiment of the present application, in order to improve the efficiency of encrypting data, the first key may be directly used to encrypt the data to be encrypted without generating the second key, that is, the first key is a key used to encrypt the data to be encrypted. Or, in another optional embodiment of the present application, the first key may be encrypted by the second key on the basis that the data to be encrypted is encrypted by the first key, and the encrypted first key and the encrypted data to be encrypted are correspondingly stored.
The method for encrypting the data to be encrypted by using the first key may be the same as the method for encrypting the data to be encrypted by using the second key, which is not described in detail herein.
Step 205, generating verification data for verifying the integrity of the data to be encrypted, where the verification data is stored in correspondence with the encrypted data to be encrypted.
To make it possible, when the encrypted data to be encrypted is later decrypted, to verify whether the recovered data to be encrypted is complete, and so further improve the security of the data and the hardware device, verification data of the data to be encrypted can be generated and stored in correspondence with the encrypted data to be encrypted.
The verification data is used for verifying the data to be encrypted, including integrity verification.
The check data for integrity verification may include a hash value.
The hash value is a binary value obtained by performing an operation on file data (for example, data to be encrypted), and is used for performing integrity verification on the file data.
In this embodiment of the present application, optionally, in order to ensure that the integrity of the data to be encrypted can be verified subsequently through the hash value of the data to be encrypted, so as to improve the security of the data and the hardware device, the hash value of the data to be encrypted may be determined.
Of course, in practical applications, in order to ensure that the data to be encrypted can be subsequently verified, the verification information may also include other information, for example, the verification information for integrity verification may also include attribute information of the data to be encrypted, and accordingly, the attribute information of the data to be encrypted may be determined, and the determined attribute information is used as the verification data.
The attribute information is information describing an attribute of the data to be encrypted, and may include at least one of a size and a data type of the data to be encrypted.
The size of the data to be encrypted is used for explaining the data volume included in the data to be encrypted.
The type of data to be encrypted is used to specify the format or class of data to be encrypted.
In addition, the way of storing the verification data and the encrypted data to be encrypted correspondingly may be the same as the way of storing the encrypted second key and the encrypted data to be encrypted correspondingly, and is not described in detail here.
In addition, in practical applications, in order to improve the encryption efficiency, the verification data of the data to be encrypted may not be generated, that is, step 205 is an optional step.
Step 206, outputting an encryption result to the data source of the data to be encrypted through the second interface.
In order to facilitate the application program to store or otherwise operate the encrypted data to be encrypted, the encryption result can be output to the application program serving as the data source, and in order to make the system architecture in the hardware device simpler, reduce the development cost of the application program, and improve the security and reliability of the application program and the hardware device, the encryption result can be output to the data source through a unified interface, namely the second interface.
The data source is a source of data to be encrypted, and may include the application program in the foregoing.
The encryption result is the result that is output after the data to be encrypted is encrypted, and may include the encrypted data to be encrypted. Of course, in practical applications, if the data to be encrypted is encrypted with the second key and the second key is encrypted with the first key, the encryption result may also include the second key encrypted with the first key; if verification data of the data to be encrypted was also generated in the foregoing, the encryption result may further include the verification data.
In the embodiment of the application, first, a first key uniquely corresponding to a hardware device can be generated by using a root-of-trust program, and data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, so the security of the data and the hardware device is effectively improved. Second, the first key can be generated by the software root-of-trust program, so the first key can be generated whether or not the hardware device has hardware security capability, which improves the reliability of generating the first key.
In addition, a unified second interface can be provided, through which the data to be encrypted is received or the encryption result is output, so that each application program can use each function of the root-of-trust program through the unified interface. This makes the system architecture in the hardware device simpler, reduces the development cost of the application program, and avoids the problem that data is difficult to encrypt because an application program is wrongly adapted to the first interface of a hardware root-of-trust program, which improves the reliability of encrypting the data and the security and reliability of the data and the hardware device.
In addition, the second key can be randomly generated, the data to be encrypted is encrypted by adopting the second key, the second key is encrypted by adopting the first key, the possibility that a plurality of keys are cracked is low, and the randomly generated second key can ensure that different keys can be used for encrypting the data to be encrypted, so that the complexity of cracking the data is effectively improved, and the safety of the data and hardware equipment is further improved.
Example three
Referring to fig. 3, a flowchart of a data encryption method according to an embodiment of the present application is shown, and the specific steps include:
Step 301, generating a first key uniquely corresponding to a hardware device by using a root-of-trust program.
To reduce the possibility that a key is obtained directly from the code, to mitigate the problem that cracking the key of one hardware device also cracks the keys of other hardware devices of the same type or from the same hardware manufacturer, to achieve one machine, one secret, and to effectively improve the security of the data and the hardware device, a key uniquely corresponding to the hardware device can be generated by using a root-of-trust program.
The manner of generating the first key uniquely corresponding to the hardware device by using the root of trust program may refer to the related description in the foregoing, which is not described in detail herein.
In this embodiment of the application, optionally, the hardware device has a dedicated hardware root-of-trust program. To improve the reliability of generating the first key, ensure that one machine, one secret is achieved, and further improve the security of the data and the hardware device, the hardware root-of-trust program built into the hardware device may be accessed to generate the first key.
The hardware root of trust may include a TEE.
In this embodiment of the application, optionally, to ensure that the hardware root-of-trust program can be accessed, and to improve the reliability of generating a key and subsequently encrypting the data to be encrypted, the hardware root-of-trust program may be accessed through a first interface, where the interface type of the first interface is adapted to the program type of the hardware root-of-trust program.
For example, if the hardware root of trust is Intel SGX, the first interface may include an interface in the Linux SGX driver; if the hardware root-of-trust program is a TEE, the first interface may include the GP Client API, where GP Client API is the name of an interface adapted to the TEE.
Of course, in practical applications, the hardware device may include at least one of a hardware root of trust and a software root of trust, so as to ensure that the first key can be generated regardless of whether the hardware device has hardware security capability, and ensure the reliability of generating the first key.
Step 302, encrypting data according to the first key.
For a way of encrypting data according to the first key, reference may be made to the related description in the foregoing, and details are not repeated here.
In the embodiment of the application, firstly, a first key uniquely corresponding to a hardware device can be generated by adopting a root-of-trust program, and then data is encrypted according to the first key, so that the possibility that hackers and the like directly obtain the first key from codes is reduced, and meanwhile, even if the key of a certain hardware device is cracked, the keys in the hardware devices of the same type as the hardware device or the same hardware manufacturer are still safe, and the safety of data and the safety of the hardware device are effectively improved.
Secondly, for the hardware equipment with hardware safety capability, the hardware trust root program built in the hardware equipment can be accessed to generate the first key, so that the reliability of generating the first key is improved.
Example four
Referring to fig. 4, a flowchart of a data decryption method according to an embodiment of the present application is shown, and the specific steps include:
Step 401, generating a first key uniquely corresponding to a hardware device by using a software root-of-trust program.
If the key is written directly into the code of the hardware device, one machine, one secret is difficult to achieve, and the security of the data and the hardware device is low. To avoid this, the key is not written into the hardware code; instead, a root-of-trust program is used to generate the first key, and the generated key uniquely corresponds to the hardware device. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, so the security of the data and the hardware device is effectively improved. In addition, some hardware devices may lack the hardware on which a hardware root-of-trust program depends. To ensure that the first key can be generated whether or not the hardware device has hardware security capability, thereby improving the reliability of generating the first key, ensuring the security of the data and the hardware device, and reducing cost, the software root-of-trust program can be called to generate the first key.
The manner of generating the first key uniquely corresponding to the hardware device by using the root-of-trust program may refer to the related description in the foregoing, and details are not repeated here.
Step 402, decrypting the encrypted data according to the first key.
To ensure that the encrypted data is normally available to legitimate users of the encrypted data, the encrypted data may be decrypted based on the first key.
The encrypted data may be the data to be encrypted.
The encrypted data may be decrypted according to the first key in a manner corresponding to the foregoing manner of encrypting the data according to the first key. For example, if the data to be encrypted was encrypted with the first key, the encrypted data may be decrypted with the first key; if the data to be encrypted was encrypted with a plurality of keys including the first key, the keys other than the first key among the plurality of keys may be generated, and the encrypted data may be decrypted with the plurality of keys including the first key.
In the embodiment of the application, first, a first key uniquely corresponding to a hardware device can be generated by using a root-of-trust program, and data is then decrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, so the security of the data and the hardware device is effectively improved. Second, the first key can be generated by the software root-of-trust program, so the first key can be generated whether or not the hardware device has hardware security capability, which improves the reliability of generating the first key.
Example five
Referring to fig. 5, a flowchart of a data decryption method according to an embodiment of the present application is shown, and the specific steps include:
Step 501, generating a first key uniquely corresponding to a hardware device by using a software root-of-trust program.
The manner in which the root-of-trust program generates the first key uniquely corresponding to the hardware device may refer to the foregoing description, and details are not repeated here.
Step 502, obtaining the encrypted data through the second interface.
In order to make the system architecture in the hardware device simpler, reduce the development cost of the application program, and improve the security and reliability of the application program and the hardware device, the encrypted data of each data source can be acquired through a unified interface, i.e., the second interface.
Of course, in practical applications, the encrypted second key and/or the verification data stored corresponding to the encrypted data may also be obtained through the second interface.
The second key may be a key randomly generated for the encrypted data.
If the second key and/or the check data are in the same storage position as the encrypted data, the second key and/or the check data can be acquired from the storage position; if the storage position of the second key and/or the check data has a corresponding relationship with the storage position of the encrypted data, the storage position of the second key and/or the check data can be determined according to the storage position of the encrypted data, and the second key and/or the check data can be obtained.
In addition, in another optional embodiment of the present application, the second key and/or the verification data may not be acquired in the step, but may be acquired again when the second key and/or the verification data needs to be used subsequently.
Step 503, decrypting the encrypted data according to the first key.
For a way of decrypting the encrypted data according to the first key, reference may be made to the related description in the foregoing, and details are not repeated here.
In this embodiment, optionally, as can be seen from the foregoing description, since the possibility that a plurality of keys are all cracked is smaller than that of one key, in order to improve the security of data and hardware devices, the first key may be generated, and an encrypted second key may be obtained, where the encrypted second key is stored in correspondence with the encrypted data, and the encrypted second key is decrypted by using the first key to obtain a second key, and the encrypted data is decrypted by using the second key. That is, by hierarchical key management, the security of data and hardware devices is improved.
For the manner of generating the first key and the manner of obtaining the second key, reference may be made to the related description in the foregoing, and details are not repeated here.
Step 504, obtaining check data, where the check data is stored in correspondence with the encrypted data, and verifying the integrity of the decryption result by using the check data.
In order to facilitate the decryption of the encrypted data and verify whether the obtained decryption result is complete or not, so as to further improve the security of the data and the hardware equipment, the verification data can be obtained, and the decryption result can be verified.
The decryption result is a result of decrypting the encrypted data, and the decryption result may be the data to be encrypted.
Verification data can be generated according to the decryption result, the generated verification data is compared with the acquired verification data, if the verification data is consistent with the acquired verification data, the decryption result is determined to have integrity, and otherwise, the decryption result is determined not to have integrity.
In this embodiment of the present application, optionally, to ensure that the decryption result is consistent with the data to be encrypted before encryption, that is, to verify the integrity of the decryption result and further improve the security of the data and the hardware device, the verification data includes a first hash value of the decryption result. Correspondingly, a second hash value of the decryption result may be generated; if the second hash value is consistent with the first hash value, it is determined that the decryption result has integrity, and if the second hash value is not consistent with the first hash value, it is determined that the decryption result does not have integrity.
The first hash value is the hash value of the data to be encrypted determined in the process of encrypting the data to be encrypted; the second hash value is the hash value generated according to the decrypted data. If the data to be encrypted is consistent with the decryption result, that is, the decryption result has integrity, the first hash value and the second hash value should also be consistent.
Check data including the first hash value may be acquired, a second hash value of the decryption result may be generated, and the first hash value and the second hash value may be compared to determine whether the first hash value and the second hash value are identical.
The manner of obtaining the check data may refer to the related description in the foregoing, and is not described in detail here.
In addition, in another optional embodiment implemented by the present application, in order to ensure that the decryption result is consistent with the data to be encrypted before encryption, that is, to ensure that the integrity of the decryption result is verified, and further improve the security of the data and the hardware device, the verification data includes the first attribute information of the data to be encrypted, and correspondingly, the second attribute information of the decryption result may also be obtained, the first attribute information is compared with the second attribute information, and if the first attribute information is consistent with the second attribute information, it is determined that the decryption result has integrity, otherwise, it is determined that the decryption result does not have integrity.
The first attribute information is attribute information generated according to data to be encrypted, the second attribute information is attribute information generated according to a decryption result, and if the data to be encrypted is consistent with the decryption result, namely the decryption result has integrity, the first attribute information and the second attribute information should also be consistent.
In addition, in practical applications, in order to improve the decryption efficiency, the integrity verification may not be performed on the decryption result, that is, step 504 is an optional step.
Step 505, outputting a decryption result through the second interface.
To make it convenient for the application program to store or otherwise operate on the encrypted data to be encrypted, the encryption result may be output to the application program serving as the data source; and to make the system architecture in the hardware device simpler, reduce the development cost of the application program, and improve the security and reliability of the application program and the hardware device, the decryption result may be output through a unified interface, namely the second interface.
The decryption result may be output to the data source of the encrypted data through the second interface.
In the embodiment of the application, first, a first key uniquely corresponding to a hardware device can be generated by using a root-of-trust program, and data is then decrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain safe, so the security of the data and the hardware device is effectively improved. Second, the first key can be generated by the software root-of-trust program, so the first key can be generated whether or not the hardware device has hardware security capability, which improves the reliability of generating the first key.
Moreover, the first key can be generated through the hardware root-of-trust program or the software root-of-trust program, so the first key can be generated whether or not the hardware device has hardware security capability, which improves the reliability of generating the first key.
In addition, a unified second interface can be provided, through which encrypted data is obtained or a decryption result is output, so that each application program can use the functions of the root-of-trust program through the unified interface. This makes the system architecture in the hardware device simpler, reduces the development cost of the application program, and avoids the problem that data is difficult to decrypt because an application program is wrongly adapted to the first interface of a hardware root-of-trust program, which improves the reliability of decrypting the data and further improves the security and reliability of the data and the hardware device.
In addition, the encrypted second key can be decrypted by adopting the first key, and the encrypted data can be decrypted by adopting the second key, and the possibility that a plurality of keys are cracked is low, so that the complexity of cracking the data is effectively improved, and the safety of the data and hardware equipment is further improved.
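The two-level scheme of Example two (steps 201 to 206) and its reverse in Example five (steps 501 to 505), written out as an added Go example that is not part of the patent text. Assumptions: the root-of-trust program is modelled as HMAC-SHA256 over the device unique identifier under a secret it holds (`rootSecret`), the cipher is AES-256-GCM and the hash is SHA-256; the patent names none of these, and all function names and sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrIntegrity = errors.New("check data does not match decryption result") // step 504

type Result struct { // the "encryption result" returned to the data source in step 206
	WrappedKey []byte // second key encrypted with the first key (step 204)
	Ciphertext []byte // data encrypted with the second key (step 203)
	Check      []byte // SHA-256 of the plaintext (step 205)
}

// DeriveFirstKey stands in for the root-of-trust program (steps 201/501).
// Assumption: rootSecret never leaves it; the patent gives no derivation.
func DeriveFirstKey(rootSecret, deviceID []byte) []byte {
	mac := hmac.New(sha256.New, rootSecret)
	mac.Write(append([]byte("first-key/v1|"), deviceID...)) // constructed label
	return mac.Sum(nil) // 32 bytes, used as an AES-256 key
}

// newGCM, seal and unseal: AES-256-GCM with the random nonce prepended to the output.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func unseal(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func Encrypt(firstKey, data []byte) (Result, error) { // steps 203 to 205
	secondKey := make([]byte, 32) // fresh random key for each piece of data
	if _, err := rand.Read(secondKey); err != nil {
		return Result{}, err
	}
	ct, err := seal(secondKey, data)
	if err != nil {
		return Result{}, err
	}
	wrapped, err := seal(firstKey, secondKey)
	if err != nil {
		return Result{}, err
	}
	sum := sha256.Sum256(data)
	return Result{WrappedKey: wrapped, Ciphertext: ct, Check: sum[:]}, nil
}

func Decrypt(firstKey []byte, r Result) ([]byte, error) { // steps 503 and 504
	secondKey, err := unseal(firstKey, r.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap second key: %w", err)
	}
	data, err := unseal(secondKey, r.Ciphertext)
	if err != nil {
		return nil, fmt.Errorf("decrypt data: %w", err)
	}
	sum := sha256.Sum256(data) // the "second hash value"
	if !hmac.Equal(sum[:], r.Check) { // constant-time comparison
		return nil, ErrIntegrity
	}
	return data, nil
}

func main() {
	key := DeriveFirstKey([]byte("constructed-root-secret"), []byte("DEVICE-0001"))
	res, _ := Encrypt(key, []byte("constructed sample data")) // a failure surfaces in Decrypt
	pt, err := Decrypt(key, res)
	fmt.Printf("plaintext=%q err=%v\n", pt, err)
}
```

AES-GCM already authenticates each ciphertext, so the separate hash is kept here only because steps 205 and 504 describe it. An unkeyed hash of low-entropy plaintext such as a user password lets anyone who can read the stored check data test guesses against it, so a MAC keyed with the second key is the safer form of check data.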
Example six
Referring to fig. 6, a flowchart of a data decryption method according to an embodiment of the present application is shown, and the specific steps include:
Step 601, generating a first key uniquely corresponding to the hardware device by using the root-of-trust program.
To reduce the possibility that a key is obtained directly from the code, to mitigate the problem that cracking the key of one hardware device also cracks the keys of other hardware devices of the same type or from the same hardware manufacturer, to achieve one machine, one secret, and to effectively improve the security of the data and the hardware device, a key uniquely corresponding to the hardware device can be generated by using a root-of-trust program.
The manner of generating the first key uniquely corresponding to the hardware device by using the root-of-trust program may refer to the related description in the foregoing, and details are not repeated here.
In this embodiment of the application, optionally, the hardware device has a dedicated hardware root-of-trust program. To improve the reliability of generating the first key, ensure that one machine, one secret is achieved, and further improve the security of the data and the hardware device, the hardware root-of-trust program built into the hardware device is accessed to generate the first key.
In this embodiment of the application, optionally, in order to ensure that the hardware root-of-trust program can be accessed, and to improve the reliability of generating the key and subsequently decrypting the encrypted data to be encrypted, the hardware root-of-trust program may be accessed through a first interface, where an interface type of the first interface is adapted to a program type of the hardware root-of-trust program.
Step 602, decrypting the encrypted data according to the first key.
For a way of decrypting the encrypted data according to the first key, reference may be made to the related description in the foregoing, and details are not repeated here.
In this embodiment of the application, first, a first key uniquely corresponding to the hardware device can be generated by a root-of-trust program, and data is then decrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from code; moreover, even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, which effectively improves the security of the data and the hardware device.
Second, for a hardware device with hardware security capability, the hardware root-of-trust program built into the hardware device can be accessed to generate the first key, which improves the reliability of generating the first key.
It will be understood by those skilled in the art that not every method step in the above embodiments is required; in particular cases, one or more of the steps may be omitted as long as the technical purpose of encrypting or decrypting the data is achieved. The invention is not limited to the number and order of steps in the embodiments, and the scope of the invention is defined by the claims.
To help those skilled in the art better understand the present application, the data processing, encryption and decryption methods of the present application are described below using a specific example:
Referring to Fig. 7, a flowchart of a data processing method according to an embodiment of the present application is shown. The specific steps are as follows:
Step 701, a root key is generated by a hardware root of trust or a software root of trust.
Wherein, the root key may comprise the first key in the foregoing.
If the hardware device is provided with the hardware on which the hardware root-of-trust program depends (that is, it has hardware security capability), the root key can be generated through the hardware root of trust; if the hardware device is not provided with that hardware, the root key can be generated through the software root of trust.
Step 702, the root key used for secure storage is saved by the hardware root of trust or the software root of trust.
Step 703, encrypting the file key by using the root key through the hardware trust root or the software trust root.
The file key is a key for encrypting the data to be encrypted, and may include the second key.
Step 704, encrypt the data to be encrypted by the file key, and store the file key encrypted by the root key.
The root key is therefore not used directly to encrypt the data to be encrypted, but to encrypt the file key that encrypts the data; correspondingly, the root key is not used directly to decrypt the encrypted data, but to decrypt the file key that decrypts it. Different keys can thus be provided for encrypting or decrypting different hardware devices and different data, which reduces the possibility of the data being cracked and improves the security of the data and the hardware device.
Step 705, providing a secure storage function to the application layer through the unified interface.
Through the unified interface, data to be encrypted submitted by an application program (such as sensitive data of the application program) can be received and the encryption result output to the application program; alternatively, encrypted data submitted by the application program can be received and the decryption result output to the application program.
Wherein the unified interface may include the second interface in the foregoing.
Referring to fig. 8, a flow chart of a data encryption method of an embodiment of the present application is shown. The method comprises the following specific steps:
Step 801, the root-of-trust program generates a first key and stores the first key in a storage location corresponding to the root-of-trust program;
Step 802, the root-of-trust program encrypts a second key with the first key;
Step 803, the data to be encrypted is encrypted with the second key;
Step 804, a hash value of the data to be encrypted is generated;
Step 805, the encrypted data, the hash value of the data to be encrypted, and the second key encrypted with the first key are combined into one file and stored.
Referring to fig. 9, a flow chart of a data decryption method of an embodiment of the present application is shown. The method comprises the following specific steps:
Step 901, the root-of-trust program reads the encrypted data;
Step 902, the root-of-trust program decrypts the second key with the first key;
Step 903, the encrypted data is decrypted with the second key;
Step 904, a hash value of the decryption result is generated;
Step 905, it is determined that the generated hash value is consistent with the originally stored hash value of the data to be encrypted;
Step 906, the decryption result is output.
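The Fig. 8 and Fig. 9 flows (steps 801 to 805 and 901 to 906) in Python, as an added example that is not code from the patent. The HMAC-based derivation of the first key from a device identifier, the `ROT_SECRET` value, the byte layout of the stored file, and the HMAC-SHA256 keystream that stands in for a real cipher such as AES are all assumptions, chosen so the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed secret standing in for whatever the software root of trust protects.
ROT_SECRET = bytes(range(32))
KEY_LEN, NONCE_LEN, HASH_LEN = 32, 16, 32
HEADER_LEN = NONCE_LEN + KEY_LEN + NONCE_LEN + HASH_LEN


class IntegrityError(Exception):
    """Raised when the recomputed hash differs from the stored one (step 905)."""


def derive_first_key(device_id: str) -> bytes:
    """Step 801, assumed derivation: first key bound to the device unique identifier."""
    return hmac.new(ROT_SECRET, b"first-key|" + device_id.encode(), hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def encrypt_to_file(device_id: str, plaintext: bytes) -> bytes:
    """Steps 801-805: returns the stored file as bytes.

    Assumed layout: key nonce | wrapped second key | data nonce | hash | ciphertext.
    """
    first_key = derive_first_key(device_id)                         # step 801
    second_key = secrets.token_bytes(KEY_LEN)                       # random file key
    key_nonce = secrets.token_bytes(NONCE_LEN)
    data_nonce = secrets.token_bytes(NONCE_LEN)
    wrapped_key = keystream_xor(first_key, key_nonce, second_key)   # step 802
    ciphertext = keystream_xor(second_key, data_nonce, plaintext)   # step 803
    digest = hashlib.sha256(plaintext).digest()                     # step 804
    return key_nonce + wrapped_key + data_nonce + digest + ciphertext  # step 805


def stored_hash(blob: bytes) -> bytes:
    """Return the hash field of a stored file."""
    start = NONCE_LEN + KEY_LEN + NONCE_LEN
    return blob[start:start + HASH_LEN]


def decrypt_from_file(device_id: str, blob: bytes) -> bytes:
    """Steps 901-906: unwrap the second key, decrypt, and check the hash."""
    if len(blob) < HEADER_LEN:
        raise ValueError("stored file is shorter than its header")
    key_nonce = blob[:NONCE_LEN]                                    # step 901
    wrapped_key = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
    data_nonce = blob[NONCE_LEN + KEY_LEN:NONCE_LEN + KEY_LEN + NONCE_LEN]
    ciphertext = blob[HEADER_LEN:]
    first_key = derive_first_key(device_id)
    second_key = keystream_xor(first_key, key_nonce, wrapped_key)   # step 902
    plaintext = keystream_xor(second_key, data_nonce, ciphertext)   # step 903
    digest = hashlib.sha256(plaintext).digest()                     # step 904
    if not hmac.compare_digest(digest, stored_hash(blob)):          # step 905
        raise IntegrityError("hash of decryption result does not match stored hash")
    return plaintext                                                # step 906


if __name__ == "__main__":
    sample = b"sensitive application data"       # constructed sample input
    stored = encrypt_to_file("SN-0001", sample)  # constructed device identifier
    print(decrypt_from_file("SN-0001", stored))
```

The stored hash is an unkeyed digest of the plaintext, so two files holding the same data carry the same hash field even though their ciphertexts differ; an authenticated mode such as AES-GCM, or a MAC keyed with the second key, provides the integrity check without that property.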
Example seven
Referring to fig. 10, a block diagram of a data encryption apparatus according to an embodiment of the present application is shown, the apparatus including:
a first key generation module 1001, configured to generate a first key uniquely corresponding to a hardware device by using a software root of trust;
the data encryption module 1002 is configured to encrypt data according to the first key.
Optionally, the data encryption module includes:
the key random generation submodule is used for randomly generating a second key;
and the data encryption submodule is used for encrypting the data to be encrypted by adopting the second key, and the first key is used for encrypting the second key.
Optionally, the apparatus further comprises:
and the second key encryption module is used for encrypting the second key by adopting the first key.
Optionally, the apparatus further comprises:
and the second key storage module is used for correspondingly storing the encrypted second key and the encrypted data to be encrypted.
Optionally, the apparatus further comprises:
and the verification data generation module is used for generating verification data for verifying the integrity of the data to be encrypted, and the verification data and the encrypted data to be encrypted are correspondingly stored.
Optionally, the check data generating module includes:
and the hash value determining submodule is used for determining the hash value of the data to be encrypted.
Optionally, the apparatus further comprises:
the to-be-encrypted data receiving module is used for providing a second interface for receiving data to be encrypted and receiving the data to be encrypted through the second interface;
and the encryption result output module is used for outputting the encryption result to the data source of the data to be encrypted through the second interface.
In this embodiment of the application, first, a first key uniquely corresponding to the hardware device can be generated by a root-of-trust program, and data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from code; moreover, even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, which effectively improves the security of the data and the hardware device. Second, the first key can be generated by the software root-of-trust program, so the first key can be generated whether or not the hardware device has hardware security capability, which improves the reliability of generating the first key.
Example eight
Referring to fig. 11, a block diagram of a data encryption apparatus according to an embodiment of the present application is shown, the apparatus including:
a first key generation module 1101, configured to generate a first key uniquely corresponding to a hardware device by using a root of trust;
a data encryption module 1102, configured to encrypt data according to the first key.
Optionally, the first key generation module includes:
and the first key generation submodule is used for accessing a hardware trust root program built in the hardware equipment and generating the first key.
Optionally, the hardware device has a dedicated hardware root of trust, and the first key generation sub-module is further configured to:
and accessing the hardware trust root program through a first interface, wherein the interface type of the first interface is adapted to the program type of the hardware trust root program.
In this embodiment of the application, a first key uniquely corresponding to the hardware device can be generated by a root-of-trust program, and data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from code; moreover, even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, which effectively improves the security of the data and the hardware device.
Example nine
Referring to fig. 12, a block diagram of a data decryption apparatus according to an embodiment of the present application is shown, the apparatus including:
a first key generation module 1201, configured to generate a first key uniquely corresponding to a hardware device by using a software root of trust;
a data decryption module 1202, configured to decrypt the encrypted data according to the first key.
Optionally, the data decryption module includes:
the key obtaining submodule is used for generating the first key and obtaining an encrypted second key, and the encrypted second key and the encrypted data are correspondingly stored;
the second key decryption submodule is used for decrypting the encrypted second key by adopting the first key to obtain a second key;
and the data decryption submodule is used for decrypting the encrypted data by adopting the second key.
Optionally, the apparatus further comprises:
the verification data acquisition module is used for acquiring verification data, and the verification data and the encrypted data are correspondingly stored;
and the integrity verification module is used for verifying the integrity of the decryption result by adopting the verification data.
Optionally, the verification data includes a first hash value of the decryption result, and the integrity verification module includes:
the second hash value generation submodule is used for generating a second hash value of the decryption result;
and the integrity verification confirming submodule is used for comparing the second hash value with the first hash value and confirming that the decryption result has integrity.
Optionally, the apparatus further comprises:
and the decryption result output module is used for outputting the decryption result through the second interface.
In this embodiment of the application, first, a first key uniquely corresponding to the hardware device can be generated by a root-of-trust program, and data is then decrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from code; moreover, even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, which effectively improves the security of the data and the hardware device. Second, the first key can be generated by the software root-of-trust program, so the first key can be generated whether or not the hardware device has hardware security capability, which improves the reliability of generating the first key.
Example ten
Referring to fig. 13, a block diagram of a data decryption apparatus according to an embodiment of the present application is shown, the apparatus including:
a first key generation module 1301, configured to generate a first key uniquely corresponding to a hardware device by using a root of trust;
a data decryption module 1302, configured to decrypt the encrypted data according to the first key.
Optionally, the first key generation module includes:
and the first key generation submodule is used for accessing a hardware trust root program built in the hardware equipment and generating the first key.
Optionally, the hardware device has a dedicated hardware root-of-trust, and the first key generation sub-module is further configured to:
and accessing the hardware trust root program through a first interface, wherein the interface type of the first interface is adapted to the program type of the hardware trust root program.
In this embodiment of the application, a first key uniquely corresponding to the hardware device can be generated by a root-of-trust program, and data is then decrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from code; moreover, even if the key of one hardware device is cracked, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, which effectively improves the security of the data and the hardware device.
Because the device embodiments are basically similar to the method embodiments, they are described only briefly; for the relevant points, refer to the corresponding parts of the description of the method embodiments.
Embodiments of the application may be implemented as a system using any suitable hardware, firmware, software, or any combination thereof, in a desired configuration. Fig. 14 schematically illustrates an exemplary system (or apparatus) 1400 that can be used to implement various embodiments described herein.
For one embodiment, fig. 14 illustrates an exemplary system 1400 having one or more processors 1402, a system control module (chipset) 1404 coupled to at least one of the processor(s) 1402, a system memory 1406 coupled to the system control module 1404, a non-volatile memory (NVM)/storage 1408 coupled to the system control module 1404, one or more input/output devices 1410 coupled to the system control module 1404, and a network interface 1412 coupled to the system control module 1406.
Processor 1402 may include one or more single-core or multi-core processors, and processor 1402 may include any combination of general-purpose or special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In some embodiments, the system 1400 can be implemented as a hardware device as described in embodiments herein.
In some embodiments, system 1400 may include one or more computer-readable media (e.g., system memory 1406 or NVM/storage 1408) having instructions and one or more processors 1402 which, in conjunction with the one or more computer-readable media, are configured to execute the instructions to implement modules to perform the actions described herein.
For one embodiment, the system control module 1404 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 1402 and/or any suitable device or component in communication with the system control module 1404.
The system control module 1404 may include a memory controller module to provide an interface to the system memory 1406. The memory controller module may be a hardware module, a software module, and/or a firmware module.
System memory 1406 may be used, for example, to load and store data and/or instructions for system 1400. For one embodiment, system memory 1406 may include any suitable volatile memory, such as suitable DRAM. In some embodiments, the system memory 1406 may include a double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
For one embodiment, system control module 1404 may include one or more input/output controllers to provide an interface to NVM/storage 1408 and input/output device(s) 1410.
For example, NVM/storage 1408 may be used to store data and/or instructions. NVM/storage 1408 may include any suitable non-volatile memory (e.g., flash memory) and/or may include any suitable non-volatile storage device(s) (e.g., one or more Hard Disk Drives (HDDs), one or more Compact Disk (CD) drives, and/or one or more Digital Versatile Disk (DVD) drives).
NVM/storage 1408 may include storage resources that are physically part of the device on which system 1400 is installed or may be accessed by the device and not necessarily part of the device. For example, the NVM/storage 1408 may be accessible over a network via the input/output device(s) 1410.
Input/output device(s) 1410 may provide an interface for system 1400 to communicate with any other suitable device. Input/output device(s) 1410 may include communication components, audio components, sensor components, and so forth. Network interface 1412 may provide an interface for system 1400 to communicate over one or more networks. System 1400 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, for example by accessing a wireless network based on a communication standard such as WiFi, 2G, or 3G, or a combination thereof.
For one embodiment, at least one of the processor(s) 1402 may be packaged together with logic for one or more controller(s) (e.g., memory controller module) of system control module 1404. For one embodiment, at least one of the processor(s) 1402 may be packaged together with logic for one or more controller(s) of system control module 1404 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 1402 may be integrated on the same die with logic for one or more controller(s) of the system control module 1404. For one embodiment, at least one of the processor(s) 1402 may be integrated on the same die with logic for one or more controller(s) of system control module 1404 to form a system on a chip (SoC).
In various embodiments, system 1400 may be, but is not limited to being: a workstation, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.). In various embodiments, system 1400 may have more or fewer components and/or different architectures. For example, in some embodiments, system 1400 includes one or more cameras, a keyboard, a Liquid Crystal Display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an Application Specific Integrated Circuit (ASIC), and speakers.
Wherein, if the display includes a touch panel, the display screen may be implemented as a touch screen display to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
The present application further provides a non-volatile readable storage medium in which one or more modules (programs) are stored; when the one or more modules are applied to a terminal device, they may cause the terminal device to execute the instructions of the method steps in the present application.
Provided in one example is an apparatus comprising: one or more processors; and one or more machine readable media having instructions stored thereon, which when executed by the one or more processors, cause the apparatus to perform a method as performed by a hardware device in embodiments of the application.
One or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform a method as performed by a hardware device in an embodiment of the present application, are also provided in one example.
The embodiment of the application discloses a data encryption and decryption method and device.
Example 1, a data encryption method, comprising:
generating a first key uniquely corresponding to the hardware equipment by adopting a software trust root program;
encrypting data according to the first key.
Example 2 may include the method of example 1, the encrypting data according to the first key comprising:
randomly generating a second key;
and encrypting the data to be encrypted by adopting the second key, wherein the first key is used for encrypting the second key.
Example 3 may include the method of example 2, the method further comprising:
encrypting the second key with the first key.
Example 4 may include the method of example 3, further comprising, after the encrypting the second key with the first key:
and correspondingly storing the encrypted second key and the encrypted data to be encrypted.
Example 5 may include the method of example 1, the method further comprising:
and generating check data for verifying the integrity of the data to be encrypted, wherein the check data is stored corresponding to the encrypted data to be encrypted.
Example 6 may include the method of example 5, the generating verification data for verifying integrity of the data to be encrypted comprising:
and determining the hash value of the data to be encrypted.
Example 7 may include the method of example 1, further comprising, prior to encrypting data according to the first key:
providing a second interface for receiving data to be encrypted, and receiving the data to be encrypted through the second interface;
after the encrypting data according to the first key, the method further comprises:
and outputting an encryption result to the data source of the data to be encrypted through the second interface.
Example 8, a data decryption method, comprising:
generating a first key uniquely corresponding to the hardware equipment by adopting a software trust root program;
decrypting the encrypted data according to the first key.
Example 9 may include the method of example 8, the decrypting the encrypted data according to the first key comprising:
generating the first key, and acquiring an encrypted second key, wherein the encrypted second key is stored corresponding to the encrypted data;
decrypting the encrypted second key by using the first key to obtain a second key;
decrypting the encrypted data using the second key.
Example 10 may include the method of example 8, the method further comprising:
acquiring verification data, wherein the verification data and the encrypted data are correspondingly stored;
and verifying the integrity of the decryption result by using the verification data.
Example 11 may include the method of example 10, the verification data including a first hash value of the decryption result, the verifying integrity of the decryption result using the verification data including:
generating a second hash value of the decryption result;
and comparing the second hash value with the first hash value to confirm that the decryption result has integrity.
Example 12 may include the method of example 8, the method further comprising:
and outputting the decryption result through the second interface.
Example 13, a method of data encryption, comprising:
generating a first key uniquely corresponding to the hardware equipment by adopting a trust root program;
encrypting data according to the first key.
Example 14 may include the method of example 13, wherein generating, with the root of trust, a first key that uniquely corresponds to the hardware device includes:
and accessing a hardware trust root program built in the hardware equipment to generate the first key.
Example 15 may include the method of example 14, the hardware device having a dedicated hardware root of trust, the accessing the hardware root of trust built in the hardware device comprising:
and accessing the hardware trust root program through a first interface, wherein the interface type of the first interface is adapted to the program type of the hardware trust root program.
Example 16, a data decryption method, comprising:
generating a first key uniquely corresponding to the hardware equipment by adopting a trust root program;
decrypting the encrypted data according to the first key.
Example 17 may include the method of example 16, the generating, with the root of trust, a first key that uniquely corresponds to the hardware device comprising:
and accessing a hardware trust root program built in the hardware equipment to generate the first key.
Example 18 may include the method of example 17, the hardware device having a dedicated hardware root of trust, the accessing the hardware root of trust built in the hardware device comprising:
and accessing the hardware trust root program through a first interface, wherein the interface type of the first interface is adapted to the program type of the hardware trust root program.
Example 19, a data encryption apparatus, comprising:
the first key generation module is used for generating a first key uniquely corresponding to the hardware equipment by adopting a software trust root program;
and the data encryption module is used for encrypting data according to the first key.
Example 20 may include the apparatus of example 19, the data encryption module comprising:
the key random generation submodule is used for randomly generating a second key;
and the data encryption submodule is used for encrypting the data to be encrypted by adopting the second key, and the first key is used for encrypting the second key.
Example 21 may include the apparatus of example 20, the apparatus further comprising:
and the second key encryption module is used for encrypting the second key by adopting the first key.
Example 22 may include the apparatus of example 19, the apparatus further comprising:
and the verification data generation module is used for generating verification data for verifying the integrity of the data to be encrypted, and the verification data and the encrypted data to be encrypted are correspondingly stored.
Example 23 may include the apparatus of example 19, the apparatus further comprising:
the to-be-encrypted data receiving module is used for providing a second interface for receiving data to be encrypted and receiving the data to be encrypted through the second interface;
and the encryption result output module is used for outputting the encryption result to the data source of the data to be encrypted through the second interface.
Example 24, a data decryption apparatus, comprising:
the first key generation module is used for generating a first key uniquely corresponding to the hardware equipment by adopting a software trust root program;
and the data decryption module is used for decrypting the encrypted data according to the first key.
Example 25 may include the apparatus of example 24, the data decryption module comprising:
the key acquisition sub-module is used for generating the first key and acquiring an encrypted second key, and the encrypted second key and the encrypted data are correspondingly stored;
the second key decryption submodule is used for decrypting the encrypted second key by adopting the first key to obtain a second key;
and the data decryption submodule is used for decrypting the encrypted data by adopting the second key.
Example 26 may include the apparatus of example 24, the apparatus further comprising:
the verification data acquisition module is used for acquiring verification data, and the verification data and the encrypted data are correspondingly stored;
and the integrity verification module is used for verifying the integrity of the decryption result by adopting the verification data.
Example 27 may include the apparatus of example 24, the apparatus further comprising:
and the decryption result output module is used for outputting the decryption result through the second interface.
Example 28, an apparatus for data encryption, comprising:
the first key generation module is used for generating a first key uniquely corresponding to the hardware equipment by adopting a trust root program;
and the data encryption module is used for encrypting data according to the first key.
Example 29 may include the apparatus of example 28, the first key generation module comprising:
and the first key generation submodule is used for accessing a hardware trust root program built in the hardware equipment and generating the first key.
Example 30, a data decryption apparatus, comprising:
the first key generation module is used for generating a first key uniquely corresponding to the hardware equipment by adopting a trust root program;
and the data decryption module is used for decrypting the encrypted data according to the first key.
Example 31 may include the apparatus of example 30, the first key generation module comprising:
and the first key generation submodule is used for accessing a hardware trust root program built in the hardware equipment and generating the first key.
Example 32, an apparatus, comprising: one or more processors; and one or more machine readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform a method as one or more of examples 1-18.
Example 33, one or more machine readable media having instructions stored thereon that, when executed by one or more processors, cause an apparatus to perform a method as one or more of examples 1-18.
Although certain examples have been illustrated and described for purposes of description, a wide variety of alternate and/or equivalent implementations, or calculations, may be made to achieve the same objectives without departing from the scope of practice of the present application. This application is intended to cover any adaptations or variations of the embodiments discussed herein. Therefore, it is manifestly intended that the embodiments described herein be limited only by the claims and the equivalents thereof.

Claims (33)

1. A method for data encryption, comprising:
generating, by a software root-of-trust program and according to a device unique identifier of a hardware device, a first key uniquely corresponding to the hardware device, wherein the hardware device comprises an Internet of Things terminal or device;
encrypting data according to the first key.
2. The method of claim 1, wherein the encrypting data according to the first key comprises:
randomly generating a second key;
and encrypting the data to be encrypted by adopting the second key, wherein the first key is used for encrypting the second key.
3. The method of claim 2, further comprising:
encrypting the second key with the first key.
4. The method of claim 3, wherein after the encrypting the second key with the first key, the method further comprises:
and correspondingly storing the encrypted second key and the encrypted data to be encrypted.
5. The method of claim 1, further comprising:
and generating check data for verifying the integrity of the data to be encrypted, wherein the check data and the encrypted data to be encrypted are correspondingly stored.
6. The method of claim 5, wherein generating the verification data for verifying the integrity of the data to be encrypted comprises:
and determining the hash value of the data to be encrypted.
7. The method of claim 1, wherein prior to encrypting data according to the first key, the method further comprises:
providing a second interface for receiving data to be encrypted, and receiving the data to be encrypted through the second interface;
after the encrypting data according to the first key, the method further comprises:
and outputting an encryption result to the data source of the data to be encrypted through the second interface.
8. A data decryption method, comprising:
generating a first key uniquely corresponding to a hardware device by using a software trust root program according to a device unique identifier of the hardware device, wherein the hardware device comprises an Internet of Things terminal or device; and
decrypting the encrypted data according to the first key.
9. The method of claim 8, wherein decrypting the encrypted data according to the first key comprises:
generating the first key, and acquiring an encrypted second key, wherein the encrypted second key is stored in correspondence with the encrypted data;
decrypting the encrypted second key by using the first key to obtain a second key; and
decrypting the encrypted data using the second key.
10. The method of claim 8, further comprising:
acquiring verification data, wherein the verification data is stored in correspondence with the encrypted data; and
verifying the integrity of the decryption result by using the verification data.
11. The method of claim 10, wherein the verification data comprises a first hash value of the decryption result, and wherein verifying the integrity of the decryption result using the verification data comprises:
generating a second hash value of the decryption result; and
comparing the second hash value with the first hash value to confirm that the decryption result has integrity.
12. The method of claim 8, further comprising:
outputting the decryption result through the second interface.
13. A method for data encryption, comprising:
generating a first key uniquely corresponding to a hardware device by using a trust root program, wherein the trust root program comprises a software trust root, and the hardware device comprises an Internet of Things terminal or device; and
encrypting data according to the first key.
14. The method of claim 13, wherein generating the first key unique to the hardware device using the root of trust comprises:
accessing a hardware trust root program built into the hardware device to generate the first key.
15. The method of claim 14, wherein the hardware device has a dedicated hardware root of trust, and wherein accessing the hardware trust root program built into the hardware device comprises:
accessing the hardware trust root program through a first interface, wherein the interface type of the first interface is adapted to the program type of the hardware trust root program.
16. A data decryption method, comprising:
generating a first key uniquely corresponding to a hardware device by using a trust root program, wherein the trust root program comprises a software trust root, and the hardware device comprises an Internet of Things terminal or device; and
decrypting the encrypted data according to the first key.
17. The method of claim 16, wherein generating the first key unique to the hardware device using the root of trust comprises:
accessing a hardware trust root program built into the hardware device to generate the first key.
18. The method of claim 17, wherein the hardware device has a dedicated hardware root of trust, and wherein accessing the hardware trust root program built into the hardware device comprises:
accessing the hardware trust root program through a first interface, wherein the interface type of the first interface is adapted to the program type of the hardware trust root program.
19. A data encryption apparatus, comprising:
a first key generation module, configured to generate a first key uniquely corresponding to a hardware device by using a software trust root program according to a device unique identifier of the hardware device, wherein the hardware device comprises an Internet of Things terminal or device; and
a data encryption module, configured to encrypt data according to the first key.
20. The apparatus of claim 19, wherein the data encryption module comprises:
a key random generation submodule, configured to randomly generate a second key; and
a data encryption submodule, configured to encrypt the data to be encrypted by using the second key, wherein the first key is used for encrypting the second key.
21. The apparatus of claim 20, further comprising:
a second key encryption module, configured to encrypt the second key by using the first key.
22. The apparatus of claim 19, further comprising:
a verification data generation module, configured to generate verification data for verifying the integrity of the data to be encrypted, wherein the verification data is stored in correspondence with the encrypted data.
23. The apparatus of claim 19, further comprising:
a to-be-encrypted data receiving module, configured to provide a second interface for receiving data to be encrypted and to receive the data to be encrypted through the second interface; and
an encryption result output module, configured to output the encryption result to the data source of the data to be encrypted through the second interface.
24. A data decryption apparatus, comprising:
a first key generation module, configured to generate a first key uniquely corresponding to a hardware device by using a software trust root program according to a device unique identifier of the hardware device, wherein the hardware device comprises an Internet of Things terminal or device; and
a data decryption module, configured to decrypt the encrypted data according to the first key.
25. The apparatus of claim 24, wherein the data decryption module comprises:
a key obtaining submodule, configured to generate the first key and obtain an encrypted second key, wherein the encrypted second key is stored in correspondence with the encrypted data;
a second key decryption submodule, configured to decrypt the encrypted second key by using the first key to obtain a second key; and
a data decryption submodule, configured to decrypt the encrypted data by using the second key.
26. The apparatus of claim 24, further comprising:
a verification data acquisition module, configured to acquire verification data, wherein the verification data is stored in correspondence with the encrypted data; and
an integrity verification module, configured to verify the integrity of the decryption result by using the verification data.
27. The apparatus of claim 24, further comprising:
a decryption result output module, configured to output the decryption result through the second interface.
28. A data encryption apparatus, comprising:
a first key generation module, configured to generate a first key uniquely corresponding to a hardware device by using a trust root program, wherein the trust root program comprises a software trust root, and the hardware device comprises an Internet of Things terminal or device; and
a data encryption module, configured to encrypt data according to the first key.
29. The apparatus of claim 28, wherein the first key generation module comprises:
a first key generation submodule, configured to access a hardware trust root program built into the hardware device and to generate the first key.
30. A data decryption apparatus, comprising:
a first key generation module, configured to generate a first key uniquely corresponding to a hardware device by using a trust root program, wherein the trust root program comprises a software trust root, and the hardware device comprises an Internet of Things terminal or device; and
a data decryption module, configured to decrypt the encrypted data according to the first key.
31. The apparatus of claim 30, wherein the first key generation module comprises:
a first key generation submodule, configured to access a hardware trust root program built into the hardware device and to generate the first key.
32. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1-18 when executing the computer program.
33. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-18.
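The encrypt and decrypt flow of claims 1-6 and 8-11, as an added Python example that is not taken from the patent. `ROOT_SECRET`, the HMAC-based derivation of the first key, the record layout and the HMAC-SHA256 counter-mode cipher (a stand-in, since the standard library has no AES) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret embedded in the software trust root program (constructed value).
ROOT_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

def derive_first_key(device_id: str) -> bytes:
    """First key: deterministic per device, regenerated on demand, never stored."""
    msg = b"first-key|" + device_id.encode()
    return hmac.new(ROOT_SECRET, msg, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream.
    Real code would use an AEAD such as AES-GCM here."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def encrypt_for_device(device_id: str, plaintext: bytes) -> dict:
    first_key = derive_first_key(device_id)            # claim 1
    second_key = secrets.token_bytes(32)               # claim 2: random data key
    wrap_nonce = secrets.token_bytes(16)
    data_nonce = secrets.token_bytes(16)
    return {                                           # claim 4: stored together
        "wrap_nonce": wrap_nonce,
        "wrapped_key": _keystream_xor(first_key, wrap_nonce, second_key),  # claim 3
        "data_nonce": data_nonce,
        "ciphertext": _keystream_xor(second_key, data_nonce, plaintext),
        # Claims 5-6: hash of the plaintext as check data. It is unkeyed, so it
        # detects corruption but is not a message authentication code.
        "check": hashlib.sha256(plaintext).digest(),
    }

def decrypt_on_device(device_id: str, record: dict) -> bytes:
    first_key = derive_first_key(device_id)            # claim 9: regenerate first key
    second_key = _keystream_xor(first_key, record["wrap_nonce"], record["wrapped_key"])
    plaintext = _keystream_xor(second_key, record["data_nonce"], record["ciphertext"])
    # Claims 10-11: recompute the hash and compare it with the stored one.
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), record["check"]):
        raise ValueError("integrity check failed")
    return plaintext
```

A record produced for one device identifier fails the integrity check when decrypted under any other identifier, because the regenerated first key no longer unwraps the second key.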
CN201810274311.5A 2018-03-29 2018-03-29 Data encryption and decryption method and device Active CN110324138B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201810274311.5A CN110324138B (en) 2018-03-29 2018-03-29 Data encryption and decryption method and device
TW107141247A TWI793215B (en) 2018-03-29 2018-11-20 Data encryption and decryption method and device
PCT/CN2019/078419 WO2019184740A1 (en) 2018-03-29 2019-03-18 Data encryption, decryption method and device


Publications (2)

Publication Number Publication Date
CN110324138A CN110324138A (en) 2019-10-11
CN110324138B CN110324138B (en) 2022-05-24

Family

ID=68060948


Country Status (3)

Country Link
CN (1) CN110324138B (en)
TW (1) TWI793215B (en)
WO (1) WO2019184740A1 (en)






Also Published As

Publication number Publication date
WO2019184740A1 (en) 2019-10-03
TWI793215B (en) 2023-02-21
TW201942784A (en) 2019-11-01
CN110324138A (en) 2019-10-11


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40014972; Country of ref document: HK)
GR01 Patent grant