CN111143896A - Physical safety protection method, device and circuit for terminal node of Internet of things - Google Patents
Physical safety protection method, device and circuit for terminal node of Internet of things Download PDFInfo
- Publication number
- CN111143896A CN111143896A CN201911314728.0A CN201911314728A CN111143896A CN 111143896 A CN111143896 A CN 111143896A CN 201911314728 A CN201911314728 A CN 201911314728A CN 111143896 A CN111143896 A CN 111143896A
- Authority
- CN
- China
- Prior art keywords
- authentication
- value
- things
- internet
- unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Mathematical Physics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the field of Internet of things, in particular to a physical safety protection method, a physical safety protection device and a physical safety protection circuit for terminal nodes of the Internet of things. The physical security protection method, the device and the circuit of the terminal node of the Internet of things firstly acquire a first abstract value and a second abstract value, the first abstract value is compared with the second abstract value, if the first abstract value is equal to the second abstract value, the authentication is successful, and otherwise, the authentication is failed. Fingerprint abstraction and authentication are carried out on the electrification initial value based on the SRAM, appropriate safety measures can be taken through detecting an authentication result, physical safety of the terminal node chip of the Internet of things can be obviously enhanced at low implementation cost, and the method has good adaptability and practicability.
Description
Technical Field
The invention relates to the field of Internet of things, in particular to a physical security protection method, a physical security protection device and a physical security protection circuit for terminal nodes of the Internet of things.
Background
The internet of things integrates a microelectronic technology, an embedded computing technology, a modern network and wireless communication technology, a distributed information processing technology and the like, can cooperatively acquire and process information of various environments or monitored objects in a network coverage area in real time, and has a very wide application prospect. The safety problem of the Internet of things is very important in the safety sensitive fields of security networks, military, finance, medical treatment and the like.
Due to the open characteristic of the terminal distribution area of the internet of things, a malicious attacker is likely to acquire some nodes, physically analyze and modify the nodes, interfere the normal functions of the network by using the captured nodes, and even possibly analyze the internal sensitive information and an upper-layer protocol mechanism to achieve the purpose of breaking and paralyzing the whole network.
Disclosure of Invention
The embodiment of the invention provides a physical security protection method, a physical security protection device and a physical security protection circuit for terminal nodes of the Internet of things, and at least solves the technical problem that the existing terminal of the Internet of things is easily attacked maliciously.
According to an embodiment of the invention, a physical security protection method for terminal nodes of the internet of things is provided, which comprises the following steps:
extracting an SRAM initial value of the terminal node chip of the Internet of things in a safe state, abstracting the SRAM initial value by adopting a hash algorithm, and encrypting the abstract value by using a block encryption algorithm to obtain an encrypted first abstract value;
after being electrified, the electrified data of the SRAM in the terminal node chip of the Internet of things is read;
error correction decoding is carried out on the electrified data to obtain random seed data, and hash operation is carried out on the random seed data to obtain a second digest value;
reading and decrypting the encrypted first digest value to obtain a decrypted first digest value, and comparing the first digest value with the second digest value;
if the first abstract value is equal to the second abstract value, the authentication is successful, otherwise, the authentication is failed.
Further, the digest value is encrypted by using a packet encryption algorithm and stored in a nonvolatile storage area in the terminal node chip of the internet of things, so that the encrypted first digest value is obtained.
And further, carrying out error correction decoding on the power-on data by adopting a BCH decoder, continuing to carry out authentication if the BCH error correction code of the BCH decoder can carry out error correction, and jumping to failure of authentication if the BCH error correction code fails to carry out error correction.
According to another embodiment of the present invention, a physical security protection device for a terminal node of an internet of things is provided, which includes:
the first abstract value obtaining unit is used for extracting an SRAM initial value of the terminal node chip of the Internet of things in a safe state, abstracting the SRAM initial value by adopting a hash algorithm, and encrypting the abstract value by using a block encryption algorithm to obtain an encrypted first abstract value;
the power-on data reading unit is used for reading power-on data of the SRAM in the terminal node chip of the Internet of things after being powered on;
the second abstract value acquisition unit is used for carrying out error correction decoding on the electrified data, acquiring random seed data and carrying out hash operation on the random seed data to obtain a second abstract value;
the comparison unit is used for reading the encrypted first digest value and decrypting the encrypted first digest value to obtain a decrypted first digest value, and comparing the first digest value with the second digest value;
and the judging unit is used for judging that the authentication is successful if the first abstract value is equal to the second abstract value, or else, judging that the authentication is failed.
According to another embodiment of the present invention, a physical security protection circuit for a terminal node of an internet of things is provided, which includes: the system comprises an SRAM unit, a safety processor kernel, a safety boot unit, a physical random function generation unit, a storage access control unit and an encryption authentication unit for power resistance bypass analysis;
the physical random function generating unit is used for extracting an SRAM initial value of an SRAM unit of the terminal node chip of the Internet of things in a safe state, abstracting the SRAM initial value by adopting a hash algorithm, encrypting the abstract value by using a block encryption algorithm to obtain an encrypted first abstract value, and reading power-on data of the SRAM in the terminal node chip of the Internet of things after the power-on;
the encryption authentication unit is used for carrying out error correction decoding on the power-on data to obtain random seed data, and carrying out hash operation on the random seed data to obtain a second digest value;
the safety processor core is used for reading the encrypted first digest value and decrypting the encrypted first digest value to obtain a decrypted first digest value, comparing the first digest value with the second digest value, if the first digest value is equal to the second digest value, the authentication is successful, otherwise the authentication is failed;
the storage access control unit and the security boot unit are used for storing the authentication result state.
Further, a secure trusted unit is disposed in the secure processor core, and the secure processor core is configured to: adjusting the instruction cycle of the multiplication and division so that all the multiplication and division have the same execution cycle; adjusting the time sequence of the branch jump instruction to enable all branch jump instructions to have the same execution cycle; randomly inserting the operation of branch in-place jump, and disturbing the cycle of the instruction execution stream; and controlling the operation data polarity of the safety processor core.
Further, the excitation response pair of the physical random function generation unit is the memory cell address and the power-on initial value of the corresponding address cell.
Further, the secure boot unit is used for updating the code and performing integrity detection, and the implementation manner is as follows:
solidifying a security detection microcode by adopting an 8K/16K ROM;
the ROM address is mapped to a system 0 address, the ROM is started from the ROM every time when the system is powered on or reset, the ROM detects an authentication result of the physical random function, the ROM jumps to a normal operation program after the authentication is successful, and the ROM does not jump when the authentication is unsuccessful, and the authentication result is continuously detected;
the ROM program comprises 7816, a serial port, SPI interface initialization and control codes and is communicated with the outside through the 7816, the serial port and the SPI interface, and the ROM program comprises read-write flash function codes;
and the upper computer sends an updating instruction to update the codes in the flash, when the updating is started, the authentication of the physical random function is started once, the codes are updated after the authentication is passed, and the updating is stopped when the authentication is not passed.
Further, the true random number generator is generated in a manner that includes: circuit noise based true random number generators, chaos based true random number generators, and oscillator sampling based true random number generators.
Furthermore, the true random number generator generates a high-frequency clock above 1 GHz based on the oscillator, then samples the high-frequency clock by using a low-frequency clock about 10M, and performs exclusive OR on a plurality of groups of sampling values, and then performs post-processing by using cyclic coding to generate the true random number.
According to the physical security protection method, device and circuit of the terminal node of the Internet of things in the embodiment of the invention, the first abstract value and the second abstract value are firstly obtained, the first abstract value and the second abstract value are compared, if the first abstract value and the second abstract value are equal, the authentication is successful, and otherwise, the authentication is failed. Fingerprint abstraction and authentication are carried out on the electrification initial value based on the SRAM, appropriate safety measures can be taken through detecting an authentication result, physical safety of the terminal node chip of the Internet of things can be obviously enhanced at low implementation cost, and the method has good adaptability and practicability.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a structural diagram of a terminal node of the Internet of things of the invention;
FIG. 2 is a flow chart of the physical security protection method of the terminal node of the Internet of things of the invention;
FIG. 3 is a preferred flow chart of the physical security protection method for the terminal node of the Internet of things of the invention;
FIG. 4 is a block diagram of the physical security device of the terminal node of the Internet of things according to the invention;
fig. 5 is a structural diagram of a physical security protection circuit of a terminal node of the internet of things.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The terminal node of the internet of things generally comprises a sensor module, an analog-to-digital converter, a radio frequency module, a storage module, a microcontroller, an encryption authentication unit and the like, and the structure of the terminal node of the internet of things is shown in fig. 1. In order to ensure the security of wireless communication and networks, encryption and authentication methods are commonly adopted in wireless sensor networks, but the protection means cannot protect the nodes from physical attack.
There are various ways for the physical attack of the terminal node of the internet of things: (1) the microcontroller can be operated or the data of the memory can be read and written through programming and testing interfaces such as JTAG, ISP, IAP and the like; (2) detecting interfaces of an external EEROM, a Flash and a microprocessor; (3) replacement of sensors and radio frequency chips; (4) various invasive, semi-invasive, and non-invasive attacks such as bypass analysis, probe attacks, and the like.
Example 1
According to an embodiment of the present invention, a physical security protection method for a terminal node of an internet of things is provided, referring to fig. 2, including the following steps:
s101, extracting an SRAM initial value of the terminal node chip of the Internet of things in a safe state, abstracting the SRAM initial value by adopting a hash algorithm, and encrypting the abstract value by using a block encryption algorithm to obtain an encrypted first abstract value;
s102, reading the power-on data of an SRAM in the terminal node chip of the Internet of things after power-on;
s103, carrying out error correction decoding on the electrified data to obtain random seed data, and carrying out hash operation on the random seed data to obtain a second digest value;
s104, reading the encrypted first digest value and decrypting the encrypted first digest value to obtain a decrypted first digest value, and comparing the first digest value with the second digest value;
and S105, if the first abstract value is equal to the second abstract value, the authentication is successful, otherwise, the authentication is failed.
According to the physical security protection method for the terminal node of the Internet of things, the first abstract value and the second abstract value are firstly obtained, the first abstract value and the second abstract value are compared, if the first abstract value is equal to the second abstract value, authentication is successful, and otherwise authentication is failed. Fingerprint abstraction and authentication are carried out on the electrification initial value based on the SRAM, appropriate safety measures can be taken through detecting an authentication result, physical safety of the terminal node chip of the Internet of things can be obviously enhanced at low implementation cost, and the method has good adaptability and practicability.
Specifically, referring to fig. 3, the physical security protection method for the terminal node of the internet of things includes the following steps:
(1) the method comprises the steps of extracting an SRAM initial value of a chip in a safe state by using an extractor, carrying out digest by using a hash algorithm, wherein the hash algorithm can be SHA256/512, MD5, SM3 and the like, and then storing the digest value in a nonvolatile storage area of the chip by using a block encryption algorithm to encrypt the digest value, wherein the block encryption algorithm can be AES, DES, SM4 and the like.
(2) And reading the power-on data of the SRAM after power-on.
(3) And adopting a BCH decoder to carry out error correction decoding on the electrified data, continuing to carry out authentication if the BCH error correction code can carry out error correction, and jumping to failure of authentication if the BCH error correction is unsuccessful.
(4) The BCH error correcting code decoded data is random seed data, the random seed data is hashed to obtain a digest value, the algorithm adopted by the hash can be SHA256/512, MD5, SM3 and the like, and the physical random function generating unit can call a hash operation circuit in the encryption authentication unit to carry out the hash operation in the step.
(5) And (4) reading the encrypted digest value from the nonvolatile storage area, calling a decryption operation circuit in the encryption authentication unit to decrypt the digest value, and comparing the decrypted data with the digest value subjected to hash operation in the step (4).
(6) If the two digest values are equal, the authentication is successful, and if not, the authentication is failed. The authentication result state is sent to the storage access control unit and the secure boot unit.
Example 2
According to another embodiment of the present invention, there is provided an internet of things terminal node physical security protection device, referring to fig. 4, including:
a first digest value obtaining unit 201, configured to extract an SRAM initial value of a terminal node chip of the internet of things in a secure state, digest the SRAM initial value by using a hash algorithm, and encrypt the digest value by using a block encryption algorithm to obtain an encrypted first digest value;
the power-on data reading unit 202 is used for reading power-on data of the SRAM in the terminal node chip of the Internet of things after power-on;
a second digest value obtaining unit 203, configured to perform error correction decoding on the powered data, obtain random seed data, and perform hash operation on the random seed data to obtain a second digest value;
a comparing unit 204, configured to read the encrypted first digest value and perform decryption to obtain a decrypted first digest value, and compare the first digest value with the second digest value;
the determining unit 205 is configured to, if the first digest value is equal to the second digest value, successfully authenticate the user, otherwise, fail to authenticate the user.
According to the physical safety protection device for the terminal node of the Internet of things in the embodiment of the invention, the first abstract value and the second abstract value are firstly obtained, the first abstract value and the second abstract value are compared, if the first abstract value is equal to the second abstract value, the authentication is successful, and otherwise the authentication is failed. Fingerprint abstraction and authentication are carried out on the electrification initial value based on the SRAM, appropriate safety measures can be taken through detecting an authentication result, physical safety of the terminal node chip of the Internet of things can be obviously enhanced at low implementation cost, and the method has good adaptability and practicability.
Example 3
According to another embodiment of the present invention, there is provided an internet of things terminal node physical security protection circuit, referring to fig. 5, including: the method comprises the following steps: (1) a secure processor core; (2) a secure boot unit; (3) a physical random function generating unit (true random number generator); (4) a storage access control unit; (5) and the encryption authentication module resists work bypass analysis.
The secure processor core may be implemented by adding a secure trusted unit to a general purpose core, such as an SC000 or SC100 core of ARM. The following safety features are generally included, and the instruction cycle of the multiplication-division method can be adjusted so that all the multiplication-division methods have the same execution cycle; the time sequence of the branch jump instruction can be adjusted, so that all the branch jump instructions have the same execution cycle; the operation of branch in-place jump can be randomly inserted, and the cycle of the instruction execution flow is disturbed; controlling the polarity of the operation data in the processor. The measures reduce the correlation between the operation of the kernel and time and power consumption, and disturb the data bus, thereby effectively enhancing the data security.
The physical random function generation unit is generated based on an SRAM (static random access memory) and the excitation response pair thereof is a memory cell address and a power-on initial value of a corresponding address cell. Due to some uncontrollable factors in the manufacturing process, such as uniformity of doping concentration, length-width ratio of transistor channel and other slight differences, inherent uniqueness of each memory cell is caused, and the characteristic fingerprint characteristic of the SRAM memory cell is formed. Once the structure or chip of the terminal node of the internet of things is damaged, the SRAM is damaged by the power-on environment or the stored abstract value, and the integrity verification of the memory cannot be completed, so that corresponding security countermeasures can be started.
Referring to fig. 3, the authentication procedure of the physical random function is as follows:
(1) the method comprises the steps of extracting an SRAM initial value of a chip in a safe state by using an extractor, carrying out digest by using a hash algorithm, wherein the hash algorithm can be SHA256/512, MD5, SM3 and the like, and then storing the digest value in a nonvolatile storage area of the chip by using a block encryption algorithm to encrypt the digest value, wherein the block encryption algorithm can be AES, DES, SM4 and the like.
(2) And reading the power-on data of the SRAM after power-on.
(3) And adopting a BCH decoder to carry out error correction decoding on the electrified data, continuing to carry out authentication if the BCH error correction code can carry out error correction, and jumping to failure of authentication if the BCH error correction is unsuccessful.
(4) The BCH error correcting code decoded data is random seed data, the random seed data is hashed to obtain a digest value, the algorithm adopted by the hash can be SHA256/512, MD5, SM3 and the like, and the physical random function generating unit can call a hash operation circuit in the encryption authentication unit to carry out the hash operation in the step.
(5) And (4) reading the encrypted digest value from the nonvolatile storage area, calling a decryption operation circuit in the encryption authentication unit to decrypt the digest value, and comparing the decrypted data with the digest value subjected to hash operation in the step (4).
(6) If the two digest values are equal, the authentication is successful, and if not, the authentication is failed. The authentication result state is sent to the storage access control unit and the secure boot unit.
Secure boot units are different from general boot. A boot unit of the general MCU presets a section of code in the flash from a zero address, and when a program needs to be updated, the section of code activates and updates the code behind the flash. When no update is activated, the processor skips the code segment and directly enters the initialization program. The safety boot unit can perform integrity detection besides the code updating function, and can prevent malicious code updating and physical attack. The realization method is as follows:
(1) solidifying a security detection microcode by adopting an 8K/16K ROM;
(2) the ROM address is mapped to a system 0 address, the ROM needs to be started from the ROM at each time of power-on or system reset, the ROM can detect an authentication result of the physical random function, the ROM jumps to a normal operation program after the authentication is successful, and the ROM does not jump when the authentication is unsuccessful, and continues to detect the authentication result;
(3) the ROM program comprises 7816, serial port, SPI and other interface initialization and control codes, and can communicate with the outside through the interfaces;
(4) the ROM program comprises read-write flash function codes;
(5) the upper computer can send an update instruction to update the codes in the flash, when the update is started, the authentication of the physical random function needs to be started once, the code update is carried out after the authentication is passed, and the update is stopped when the authentication is not passed.
There are three ways of generating true random number generators on a chip: circuit noise based true random number generators, chaos based true random number generators, and oscillator sampling based true random number generators. One way to realize this is to generate a high frequency clock above 1 GHz based on an oscillator, then sample the high frequency clock with a low frequency clock of about 10M, XOR the multiple sets of sample values, and then post-process with cyclic coding to generate true random numbers. The following modules are input truly and randomly so as to enhance the security of the terminal node of the Internet of things:
(1) the true random number enters the encryption authentication module and can be used for data masking and path randomization, so that power consumption attack and time attack aiming at an encryption and authentication circuit can be effectively prevented;
(2) when an asymmetric encryption circuit such as RSA, SM2, ECC and the like needs to generate a key pair, a true random number generator is started, so that a key is generated;
(3) the true random number enters the kernel of the safety processor and is used for randomly reversing the polarity of the signal and inserting a jump instruction so as to enhance the randomness of the kernel during operation.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described system embodiments are merely illustrative, and for example, a division of a unit may be a logical division, and an actual implementation may have another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.
Claims (10)
1. A physical security protection method for terminal nodes of the Internet of things is characterized by comprising the following steps:
extracting an SRAM initial value of the terminal node chip of the Internet of things in a safe state, abstracting the SRAM initial value by adopting a hash algorithm, and encrypting the abstract value by using a block encryption algorithm to obtain an encrypted first abstract value;
after being electrified, the electrified data of the SRAM in the terminal node chip of the Internet of things is read;
error correction decoding is carried out on the electrified data to obtain random seed data, and hash operation is carried out on the random seed data to obtain a second digest value;
reading and decrypting the encrypted first digest value to obtain a decrypted first digest value, and comparing the first digest value with the second digest value;
if the first abstract value is equal to the second abstract value, the authentication is successful, otherwise, the authentication is failed.
2. The physical security protection method for the terminal node of the internet of things as claimed in claim 1, wherein the digest value is encrypted by using a block encryption algorithm stored in a nonvolatile storage area of the chip of the terminal node of the internet of things to obtain the encrypted first digest value.
3. The physical security protection method for the terminal node of the internet of things according to claim 1, characterized in that a BCH decoder is adopted to perform error correction decoding on the power-on data, if the BCH error correction code of the BCH decoder can perform error correction, the authentication is continued, and if the BCH error correction code fails, the authentication is skipped to fail.
4. The utility model provides a thing networking terminal node physics safety device which characterized in that includes:
the first abstract value obtaining unit is used for extracting an SRAM initial value of the terminal node chip of the Internet of things in a safe state, abstracting the SRAM initial value by adopting a hash algorithm, and encrypting the abstract value by using a block encryption algorithm to obtain an encrypted first abstract value;
the power-on data reading unit is used for reading power-on data of the SRAM in the terminal node chip of the Internet of things after being powered on;
the second abstract value acquisition unit is used for carrying out error correction decoding on the electrified data, acquiring random seed data and carrying out hash operation on the random seed data to obtain a second abstract value;
the comparison unit is used for reading the encrypted first digest value and decrypting the encrypted first digest value to obtain a decrypted first digest value, and comparing the first digest value with the second digest value;
and the judging unit is used for judging that the authentication is successful if the first abstract value is equal to the second abstract value, or else, judging that the authentication is failed.
5. The utility model provides a thing networking terminal node physics safety protection circuit which characterized in that includes: the system comprises an SRAM unit, a safety processor kernel, a safety boot unit, a physical random function generation unit, a storage access control unit and an encryption authentication unit for power resistance bypass analysis;
the physical random function generating unit is used for extracting an SRAM initial value of an SRAM unit of the terminal node chip of the Internet of things in a safe state, abstracting the SRAM initial value by adopting a hash algorithm, encrypting the abstract value by using a block encryption algorithm to obtain an encrypted first abstract value, and reading power-on data of the SRAM in the terminal node chip of the Internet of things after the power-on;
the encryption authentication unit is used for carrying out error correction decoding on the power-on data to obtain random seed data, and carrying out hash operation on the random seed data to obtain a second digest value;
the safety processor core is used for reading the encrypted first digest value and decrypting the encrypted first digest value to obtain a decrypted first digest value, comparing the first digest value with the second digest value, if the first digest value is equal to the second digest value, the authentication is successful, otherwise the authentication is failed;
the storage access control unit and the safety boot unit are used for storing the authentication result state.
6. The physical security protection circuit of an end node of the internet of things of claim 5, wherein a secure trusted unit is disposed in the secure processor core, and the secure processor core is configured to: adjusting the instruction cycle of the multiplication and division so that all the multiplication and division have the same execution cycle; adjusting the time sequence of the branch jump instruction to enable all branch jump instructions to have the same execution cycle; randomly inserting the operation of branch in-place jump, and disturbing the cycle of the instruction execution stream; and controlling the operation data polarity of the safety processor core.
7. The physical security protection circuit of the terminal node of the internet of things of claim 5, wherein the excitation response pair of the physical random function generation unit is a power-on initial value of a storage unit address and a corresponding address unit.
8. The physical security protection circuit of the terminal node of the internet of things of claim 5, wherein the secure boot unit is configured to update a code and perform integrity detection, and the implementation manner is as follows:
solidifying a security detection microcode by adopting an 8K/16K ROM;
the ROM address is mapped to a system 0 address, the ROM is started from the ROM every time when the system is powered on or reset, the ROM detects an authentication result of the physical random function, the ROM jumps to a normal operation program after the authentication is successful, and the ROM does not jump when the authentication is unsuccessful, and the authentication result is continuously detected;
the ROM program comprises 7816, a serial port, SPI interface initialization and control codes and is communicated with the outside through the 7816, the serial port and the SPI interface, and the ROM program comprises read-write flash function codes;
and the upper computer sends an updating instruction to update the codes in the flash, when the updating is started, the authentication of the physical random function is started once, the codes are updated after the authentication is passed, and the updating is stopped when the authentication is not passed.
9. The physical security protection circuit of an end node of the internet of things of claim 5, wherein the generation manner of the true random number generator comprises: circuit noise based true random number generators, chaos based true random number generators, and oscillator sampling based true random number generators.
10. The physical security protection circuit of an internet of things terminal node according to claim 9, wherein the true random number generator generates a high frequency clock above 1 ghz based on an oscillator, samples the high frequency clock with a low frequency clock of about 10M, xors multiple sets of sampled values, and performs post-processing with a cyclic code to generate the true random number.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911314728.0A CN111143896A (en) | 2019-12-19 | 2019-12-19 | Physical safety protection method, device and circuit for terminal node of Internet of things |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911314728.0A CN111143896A (en) | 2019-12-19 | 2019-12-19 | Physical safety protection method, device and circuit for terminal node of Internet of things |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111143896A true CN111143896A (en) | 2020-05-12 |
Family
ID=70518896
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911314728.0A Pending CN111143896A (en) | 2019-12-19 | 2019-12-19 | Physical safety protection method, device and circuit for terminal node of Internet of things |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111143896A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113420250A (en) * | 2021-07-19 | 2021-09-21 | 卢恩妍 | Data control mode and system based on Internet of things |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070147156A1 (en) * | 2005-12-22 | 2007-06-28 | Sony Computer Entertainment Inc. | Methods and apparatus for random number generation |
| CN104836669A (en) * | 2015-05-08 | 2015-08-12 | 东南大学 | Security authentication method based on SRAM PUF (Static Random Access Memory Physical Uncloable Function), terminal and authentication system |
| CN106941400A (en) * | 2017-03-06 | 2017-07-11 | 东南大学 | A kind of fuzzy safety box authentication method based on SRAM PUF |
| CN107948213A (en) * | 2018-01-17 | 2018-04-20 | 深圳中电国际信息科技有限公司 | A kind of encryption and authentication method, system, device and computer-readable recording medium |
-
2019
- 2019-12-19 CN CN201911314728.0A patent/CN111143896A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070147156A1 (en) * | 2005-12-22 | 2007-06-28 | Sony Computer Entertainment Inc. | Methods and apparatus for random number generation |
| CN104836669A (en) * | 2015-05-08 | 2015-08-12 | 东南大学 | Security authentication method based on SRAM PUF (Static Random Access Memory Physical Uncloable Function), terminal and authentication system |
| CN106941400A (en) * | 2017-03-06 | 2017-07-11 | 东南大学 | A kind of fuzzy safety box authentication method based on SRAM PUF |
| CN107948213A (en) * | 2018-01-17 | 2018-04-20 | 深圳中电国际信息科技有限公司 | A kind of encryption and authentication method, system, device and computer-readable recording medium |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113420250A (en) * | 2021-07-19 | 2021-09-21 | 卢恩妍 | Data control mode and system based on Internet of things |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10484365B2 (en) | Space-time separated and jointly evolving relationship-based network access and data protection system | |
| Feng et al. | AAoT: Lightweight attestation and authentication of low-resource things in IoT and CPS | |
| Bruinderink et al. | Differential fault attacks on deterministic lattice signatures | |
| Karakoyunlu et al. | Differential template attacks on PUF enabled cryptographic devices | |
| EP2544400B1 (en) | PUF based Cryptographic communication system and cryptographic communication method | |
| Binsalleeh et al. | On the analysis of the zeus botnet crimeware toolkit | |
| US9716584B2 (en) | Systems and methods for operating secure elliptic curve cryptosystems | |
| EP1273996A2 (en) | Secure bootloader for securing digital devices | |
| Shepherd et al. | Physical fault injection and side-channel attacks on mobile devices: A comprehensive analysis | |
| US11171780B2 (en) | Systems and methods for operating secure elliptic curve cryptosystems | |
| WO2011018414A2 (en) | Physically unclonable function with tamper prevention and anti-aging system | |
| US20200089921A1 (en) | Tamper-resistant component networks | |
| US10628575B2 (en) | System and method to cause an obfuscated non-functional device to transition to a starting functional state using a specified number of cycles | |
| US20160352508A1 (en) | Methods and Apparatus for Plaintext Analysis as Countermeasures Against Side Channel Attacks | |
| Jakobsson et al. | Practical and secure software-based attestation | |
| CN113141335B (en) | Network attack detection method and device | |
| CN111614467B (en) | System backdoor defense method and device, computer equipment and storage medium | |
| Backlund et al. | Secret key recovery attack on masked and shuffled implementations of CRYSTALS-Kyber and Saber | |
| BR112013012216B1 (en) | protection against passive eavesdropping | |
| US9264234B2 (en) | Secure authentication of identification for computing devices | |
| Jakobsson et al. | Retroactive detection of malware with applications to mobile platforms | |
| Oswald et al. | When reverse-engineering meets side-channel analysis–digital lockpicking in practice | |
| Pour et al. | Helper data masking for physically unclonable function-based key generation algorithms | |
| CN110659506A (en) | Replay protection of memory based on key refresh | |
| CN111143896A (en) | Physical safety protection method, device and circuit for terminal node of Internet of things |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200512 |
|
| RJ01 | Rejection of invention patent application after publication |