CN111722831A - Encryption system and implementation method thereof - Google Patents
Encryption system and implementation method thereof Download PDFInfo
- Publication number
- CN111722831A CN111722831A CN202010378053.2A CN202010378053A CN111722831A CN 111722831 A CN111722831 A CN 111722831A CN 202010378053 A CN202010378053 A CN 202010378053A CN 111722831 A CN111722831 A CN 111722831A
- Authority
- CN
- China
- Prior art keywords
- encryption
- key
- module
- ciphertext
- random
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 41
- 230000004044 response Effects 0.000 claims abstract description 89
- 230000005284 excitation Effects 0.000 claims abstract description 41
- 230000008569 process Effects 0.000 claims description 24
- 238000004891 communication Methods 0.000 claims description 16
- 238000003491 array Methods 0.000 claims description 12
- 238000005070 sampling Methods 0.000 claims description 9
- 230000005540 biological transmission Effects 0.000 abstract description 13
- 230000006870 function Effects 0.000 description 9
- 238000010586 diagram Methods 0.000 description 8
- 230000008901 benefit Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 2
- 230000010355 oscillation Effects 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 230000007306 turnover Effects 0.000 description 2
- 239000000470 constituent Substances 0.000 description 1
- 238000005336 cracking Methods 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F7/00—Methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F7/58—Random or pseudo-random number generators
- G06F7/588—Random number generators, i.e. based on natural stochastic processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Abstract
The invention discloses an encryption system and a realization method thereof, wherein the system comprises: the true random number generator module is used for generating a configuration signal, an excitation signal and a random plaintext; a response generation module for generating a response value based on the stimulus signal and the configuration signal, the response module having reconfigurability; the key generation module is used for generating a key according to the response value; the ECC encryption and decryption module is used for encrypting the secret key; and the SM4 encryption and decryption module is used for encrypting the data to be encrypted according to the key to obtain a ciphertext. The invention generates the random response value through the response generation module, so that the random key generated according to the random response value has unpredictability, and the ECC encryption and decryption module is used for encrypting the random key, thereby ensuring the safety of the encrypted random key in the transmission process. Can be widely applied to the technical field of encryption.
Description
Technical Field
The invention relates to the technical field of information security, in particular to an encryption system and an implementation method thereof.
Background
The hardware circuit and the software system of the embedded system always face the risks of copying, plagiarism and copycat by copycat manufacturers, the risks of information stealing, impersonation and falsification are often faced in the information transmission process, and the information safety risks undoubtedly bring huge threats and influence the normal operation of market economy.
The encryption protection device and method of the existing embedded system generally generate a key for encryption in advance, then store the key for encryption in a hardware memory, when the hardware needs to transmit information data, read the key for encryption from the memory, and execute an encryption algorithm program in a processor in an electronic product and the encryption protection device, so as to encrypt the data and transmit the encrypted data. However, the key generated by the encryption protection device and the method is single, and the key has the risk of being easily stolen and tampered in the transmission process, and the security of key transmission cannot be guaranteed.
Disclosure of Invention
To solve the above technical problems, the present invention aims to: an encryption system and a method for implementing the same are provided.
The first technical scheme adopted by the invention is as follows:
an encryption system comprising:
the true random number generator module is used for generating a configuration signal, an excitation signal and a random plaintext;
a response generation module for generating a response value based on the stimulus signal and the configuration signal, the response value being randomly generated;
the key generation module is used for generating a random key according to the response value;
the ECC encryption and decryption module is used for encrypting the random key;
and the SM4 encryption and decryption module is used for encrypting the data to be encrypted according to the random key to obtain a ciphertext.
Further, the response generation module includes a ring oscillator array, a counter pair, and a comparator.
Further, the true random number generator module comprises an entropy source circuit, a sampling circuit and an exclusive-or network circuit, wherein the entropy source circuit comprises a plurality of ring oscillator arrays.
Further, the ECC encryption and decryption module comprises a finite field operation circuit and an ECC operation control circuit.
Further, the key generation module employs a shift register, and the shift register is configured to generate a random key according to the response value.
Further, the SM4 encryption and decryption module comprises a key expansion circuit, a round function circuit and an iteration control circuit.
Further, the response generation module and the true random number generator module share a ring oscillator array.
Further, the system comprises an autonomous instruction set processor for controlling the encryption process of the encryption system.
And the communication module is used for realizing the communication between the encryption system and the embedded system.
The second technical scheme adopted by the invention is as follows:
an implementation method of an encryption system, which is used for encryption through the encryption system, includes the following steps:
the ECC encryption and decryption module encrypts and transmits the key of the SM4 encryption and decryption module, and the step comprises the following sub-steps:
the true random number generator module generates a first excitation signal and a first configuration signal;
the response generation module generates a first response value according to the first excitation signal and the first configuration signal;
the key generation module generates a first private key according to the first response value;
the ECC encryption and decryption module generates a ciphertext public key according to the first private key;
the true random number generator module generates a second excitation signal and a second configuration signal;
the response generation module generates a second response value according to the second excitation signal and the second configuration signal;
the key generation module generates a second key according to the second response value;
the ECC encryption and decryption module encrypts a second key according to the received first public key to obtain a first ciphertext and transmits the first ciphertext and the ciphertext public key to the embedded system;
the embedded system decrypts the first ciphertext according to the ciphertext public key and the embedded system private key to obtain a decrypted second secret key;
authenticating an SM4 encryption/decryption module, the authenticating SM4 encryption/decryption module step comprising the sub-steps of:
the true random number generator module generates a first random plaintext;
the SM4 encryption and decryption module encrypts the first random plaintext according to the second key to obtain a second ciphertext, and sends the second ciphertext and the first random plaintext to the embedded system;
the embedded system authenticates the second ciphertext and the first random plaintext according to the decrypted second key;
and encrypting the data to be encrypted transmitted by the embedded system by using an SM4 encryption and decryption module.
The system of the invention has the advantages that: the invention generates the random response value through the response generation module, so that the random key generated according to the random response value has unpredictability, and the ECC encryption and decryption module is used for encrypting the random key, thereby ensuring the safety of the encrypted random key in the transmission process.
Drawings
FIG. 1 is a system block diagram of an encryption system of the present invention;
FIG. 2 is a circuit schematic of a ring oscillator of an encryption system of the present invention;
FIG. 3 is a schematic circuit diagram of a response generation module of a cryptographic system of the present invention;
FIG. 4 is a schematic circuit diagram of a true random number generator module of an encryption system according to the present invention;
FIG. 5 is a schematic circuit diagram of an ECC encryption/decryption module of an encryption system according to the present invention;
FIG. 6 is a schematic diagram of a Diffie-Hellman key exchange scheme for an encryption system of the present invention;
FIG. 7 is an encryption diagram of an ECC encryption/decryption module of an encryption system according to the present invention;
FIG. 8 is a schematic circuit diagram of an SM4 encryption/decryption module of an encryption system of the present invention;
fig. 9 is a schematic diagram of a state machine of an implementation method of an encryption system.
Detailed Description
The conception, the specific structure and the technical effects of the present invention will be clearly and completely described in conjunction with the embodiments and the accompanying drawings to fully understand the objects, the schemes and the effects of the present invention.
It should be noted that, unless otherwise specified, when a feature is referred to as being "fixed" or "connected" to another feature, it may be directly fixed or connected to the other feature or indirectly fixed or connected to the other feature. Furthermore, the descriptions of upper, lower, left, right, etc. used in the present disclosure are only relative to the mutual positional relationship of the constituent parts of the present disclosure in the drawings. As used in this disclosure, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. Furthermore, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art. The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any combination of one or more of the associated listed items.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element of the same type from another. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of the present disclosure. The use of any and all examples, or exemplary language ("e.g.," such as "or the like") provided herein, is intended merely to better illuminate embodiments of the invention and does not pose a limitation on the scope of the invention unless otherwise claimed.
Referring to fig. 1, an encryption system includes:
the control module and the autonomous instruction set processor are used for jointly controlling the encryption process of the encryption system;
the communication module is used for carrying out communication between the encryption system and the embedded system;
the true random number generator module is used for generating a configuration signal, an excitation signal and a random plaintext;
a response generation module for generating a response value based on the stimulus signal and the configuration signal, the response value being randomly generated;
the key generation module is used for generating a random key according to the response value;
the ECC encryption and decryption module is used for encrypting the random key;
and the SM4 encryption and decryption module is used for encrypting the data to be encrypted according to the random key to obtain a ciphertext.
Specifically, after receiving the encryption instruction, the autonomous instruction set processor sends an encryption enabling signal to the control module, and the control module controls the authentication process and the encryption process of the encryption system and the embedded system through the control state machine. After the embedded system and the encryption system are authenticated, the encryption system encrypts data to be encrypted transmitted by the embedded system, and the autonomous instruction set process finishes the encryption process after receiving an encryption stop instruction; the true random number module is used for generating an excitation signal and a configuration signal required by the response generation module and generating a random plaintext required by the authentication process; the response generation module generates corresponding response values according to the input excitation signals and the configuration signals, and the response module generates response values with randomness due to reconfigurability; the key generation module further generates a key required by the SM4 encryption and decryption module by using the random response value generated by the response generation module, and the random key generated by the key generation module is random and unpredictable because the response value is random; the ECC encryption and decryption module encrypts a key of the SM4 encryption and decryption module for the purpose of securely transmitting the key of the SM4 encryption and decryption module to the embedded system, the key of the SM4 encryption and decryption module being generated by the key generation module according to the response value; the SM4 encryption and decryption module encrypts data to be encrypted transmitted by the embedded system to generate a ciphertext and transmits the ciphertext; the communication module is used for the serial communication between the encryption system and the embedded system.
The invention is further described with reference to the drawings and the specific examples.
The system comprises an autonomous instruction set processor, wherein the autonomous instruction set processor adopts a simplified eight-bit microprocessor chip and comprises a one-time programmable program memory (OTP ROM) with 512 bytes multiplied by 8 bits, a data memory (RAM) with 64 bytes multiplied by 8 bits, a 5-level cache stack, 8 IO ports with pull-up resistance functions and 2 timing/counters, and each IO port of the autonomous instruction set processor can be set with a wake-up function. Two timers/counters are handled from the main instruction set, one is a fixed 8-bit timer/counter and the other is an 8/16-bit alternative timer/counter. The autonomous instruction set processor adopts a simplified eight-bit microprocessor chip, and can reduce the complexity of hardware, power consumption and manufacturing cost under the condition of meeting basic hardware requirements.
In the autonomous instruction set processor, the instruction encoding and instruction using format of the instruction set can be defined by self and is not disclosed externally, and the autonomous instruction set assembler is written in advance by python and then is provided for a user to use. The autonomous instruction set processor controls the encryption process by controlling a plurality of instructions, such as an encryption instruction, a decryption instruction, and the like. By adopting the instruction encoding of the instruction set and the self-defining of the instruction use format, the transmitted data can be prevented from being cracked, and the safety of data transmission is ensured.
The control module is realized by adopting a singlechip with the model of IOT 01V.
The communication module realizes communication between the encryption system and the embedded system in a serial port communication mode.
The ring oscillator is composed of more than three odd number inverters and an exclusive-OR gate. IN this embodiment, as shown IN fig. 2, a ring oscillator includes an and gate, three not gates, and five exclusive or gates, where the exclusive or gates include a two-input exclusive or gate and a three-input exclusive or gate, one input end of the and gate inputs a one-bit enable signal EN, an input end of the exclusive or gate inputs a three-bit input signal IN, and each ring oscillator is controlled by the three-bit input signal IN. When the enable signal EN is set to 1, the two-input xor gate is equivalent to a nor gate when the input signals IN are all set to low level, and equivalent to a buffer gate when the input signals IN are all set to high level.
Based on the characteristics of the ring oscillator, a true random number generator module and a response generation module are designed. The true random number generator module and the response generation module share the ring oscillator array, so that the method has the advantage of saving hardware resources, and the ring oscillator array is composed of a plurality of ring oscillators.
And the response generation module is used for generating random numbers according to the excitation signals and the configuration signals. As shown in fig. 3, the response generation module includes 16 ring oscillator arrays, and the number of ring oscillators in the ring oscillator array of the present invention can be set according to actual situations, so as to ensure that the generated response values have flexible characteristics, and further ensure that the key generated according to the response values is unpredictable and random, and therefore, the response generation module of the present invention has reconfigurability, and the randomness and the unpredictability of the key are ensured through the reconfigurability of the response generation module.
In this embodiment, each ring oscillator array includes 17 ring oscillators, an output terminal of any one of the ring oscillator arrays is connected to a multiplexer, the multiplexer is a 1-out-of-16 multiplexer, an output terminal of the multiplexer is connected to a counter pair, and an output terminal of the counter pair is connected to a comparator group.
And taking out two periods of random numbers from the register group as excitation signals, wherein the length of the excitation signals is 16 bits, and the lower 12 bits of the excitation signals are used as configuration signals. The excitation signal is used for controlling the operation of the multiplexer, and the configuration signal is used for controlling the operation of the ring oscillator array. The method comprises the steps of dividing 16-bit excitation signals into four groups of excitation signals from high bits to low bits, dividing 12-bit configuration signals into four groups of configuration signals from high bits to low bits, inputting the first group of excitation signals to first to fourth ring oscillator arrays of a response generation module, inputting the second group of excitation signals to fifth to eighth ring oscillator arrays of the response generation module, inputting the third group of excitation signals to ninth to twelfth ring oscillator arrays of the response generation module, inputting the fourth group of excitation signals to thirteenth to sixteenth ring oscillator arrays of the response generation module, and inputting the four groups of configuration signals to a multiplexer connected with the 16 ring oscillator arrays in the same manner.
The multiplexer is a 16-to-1 multiplexer, randomly selects the Nth ring oscillator (N is more than or equal to 0 and less than or equal to 15) in the ring oscillator array each time, and inputs the output result of the selected Nth ring oscillator and the output result of the (N +1) th ring oscillator into the counter group by adopting a chain comparison strategy. The counter pair comprises two counters, the counter group records the turnover times of the Nth ring oscillator and the (N +1) th ring oscillator in a period of time, and the two output turnover times of the counter pair are compared through the comparator, so that a response signal of one bit is output. And sequentially inputting output results of the 16 ring oscillator arrays to a counter group and a comparator to finally obtain a 16-bit wide response signal.
And the true random number generator module is used for generating a configuration signal, an excitation signal and a random plaintext. As shown in FIG. 4, the true random number generator module includes an entropy source circuit, a sampling circuit and an XOR network circuit.
The entropy source circuit multiplexes several ring oscillator arrays that respond to the generation module. In this embodiment, the entropy source circuit multiplexes any two ring oscillator arrays in response to the generation block, and thus, the entropy source circuit includes 34 ring oscillators. The input signals of the 34 ring oscillators are all set to be 0, so that the entropy source circuit is equivalent to a loop consisting of an odd number of inverters, an AND gate and a plurality of buffer gates. And setting the enable signal EN as a high-level signal to be input into the AND gate, starting oscillation of the entropy source circuit to generate a random bit, wherein the value of the random bit is 0 or 1, setting the enable signal EN as a low-level signal to be connected to the AND gate, fixedly outputting a low-level signal by the AND gate, and stopping oscillation of the entropy source circuit.
The sampling circuit is used for storing random bits output by the entropy source circuit. The sampling circuit is composed of a D trigger, an input signal of the D trigger is a random bit output by the entropy source circuit, and a control clock is a low-frequency sampling clock (clk _ sampling).
The exclusive-or network circuit is used for equalizing random bits stored by the sampling circuit, and the random bit equalization means that the ratio of 0 to 1 in the random bits is close to 50%. The XOR network structure comprises a plurality of XOR gates, XOR processing is carried out on random bits stored by the sampling circuit, a random bit (from bit) is output, the XOR network circuit outputs 8 random bits in each clock cycle, the 8 random bits form an 8-bit-wide random number, the random number is stored in a register bank, and the random number stored in the register bank is provided to the SM4 encryption and decryption module as a random plaintext and also provided to the response generation module as an excitation signal and a configuration signal.
And the key generation module generates a random key according to the response value. The key generation module comprises a shift register, and the 16-bit wide response signal is shifted for several times by adopting the shift register, so that a key with the length of 128 bits is obtained.
And the ECC encryption and decryption module is used for encrypting the key to obtain an encryption key. As shown in fig. 5, the ECC encryption/decryption module includes a finite field operation circuit and an ECC operation control circuit.
And the finite field arithmetic circuit is used for providing a basic arithmetic unit. The finite field arithmetic circuit comprises a finite field GF (2)233) The various encryption-related operators of (1): a 233-bit finite field adder, a 233-bit finite field multiplier, a 233-bit finite field squarer, and a 233-bit finite field modular inverse calculator, among others.
And the ECC operation control circuit is used for calling the basic arithmetic unit so as to realize the encryption and decryption processes. The ECC operation control circuit comprises a point addition operation control circuit, a point multiplication operation control circuit and a point multiplication operation control circuit, wherein the point multiplication control circuit realizes a point multiplication function by calling the point addition operation control circuit and the point multiplication operation control circuit, and the point addition and point multiplication operation control circuit realizes the point addition function and the point multiplication function by calling a basic arithmetic unit in the finite field operation circuit.
The ECC encryption and decryption module finally achieves the purpose of encryption and decryption of the secret key through nested calling between hierarchical circuits (a finite field operation circuit and an ECC operation control circuit) on the basis of an ECC elliptic curve encryption algorithm and a Diffie-Hellman secret key exchange system, so that the transmission safety of the secret key is guaranteed, and the specific encryption implementation process is as follows:
finite field F2 mThe elliptic curve equation of (a) is:
E(F2 m):y2+xy=x3+ax2+b,x,y∈F2 m
in a finite field F2 mA primitive G is selected, the primitive G having an order n. And a, b, G, n and F are disclosed2 m。
The key generation process is as follows:
let the private key of sender A be daN, the public key of sender A is: qa=daG;
Let the private key of receiver B be dbIf n, the public key of the receiver B is: qb=dbG;
After the sender a and the receiver B generate the public keys, the sender a and the receiver B exchange the public keys respectively, and the exchange process of the public keys is as shown in fig. 6.
After the key exchange is completed, the encryption and decryption processes are as shown in fig. 7, and the encryption process of the sender a is as follows:
by the private key d of sender AaCalculating (x, y) ═ daQb;
Calculating ciphertext c ═ m × x, where m is plaintext, and m ∈ F2 m;
The sender a sends the ciphertext c to the receiver B.
The decryption process of receiver B is as follows:
calculating (x, y) ═ dbQa;
Calculating c ═ m × x-1The plaintext m can be solved.
According to the encryption and decryption process, the ECC encryption and decryption module can realize the encryption and decryption process of the key by calling the finite field operation circuit and the ECC operation control circuit.
And the SM4 encryption and decryption module is used for encrypting data to be encrypted to obtain a ciphertext. As shown in fig. 8, the SM4 encryption and decryption module includes a key expansion circuit, a round function circuit, and an iteration control circuit. In the encryption process, a set of round keys is required to participate in encryption, so that the key expansion circuit is adopted to carry out operations such as exclusive or, S box substitution, shift and the like on the input initial key with the length of 128 bits, and finally a round key with the bit width of 32 corresponding to a round is obtained; the input data of the round function circuit is a 32-bit wide round key corresponding to the round and result data output by the round function module in the previous round. And carrying out 32 rounds of iteration operations on the plaintext with the length of 128 bits, and finally outputting the ciphertext with the length of 128 bits in an inverted order, wherein the iteration operations comprise operations such as exclusive OR, S box substitution, shifting and the like. The iteration control circuit is used for controlling the state and the times of the iteration operation. The SM4 encryption and decryption module adopts the existing SM4 symmetric encryption algorithm, has high encryption speed and simple hardware structure, and can realize the encryption of a large amount of data to be encrypted.
Referring to fig. 3, an implementation method of an encryption system using fig. 1 of the present invention includes the following steps:
s101: the ECC encryption and decryption module encrypts and transmits the key of the SM4 encryption and decryption module;
the step of step S101 includes the following sub-steps S1011 to S1019:
s1011: the true random number generator module generates a first excitation signal and a first configuration signal;
s1012: the response generation module generates a first response value according to the first excitation signal and the first configuration signal;
s1013: the key generation module generates a first private key according to the first response value;
s1014: the ECC encryption and decryption module generates a ciphertext public key according to the first private key;
s1015: the true random number generator module generates a second excitation signal and a second configuration signal;
s1016: the response generation module generates a second response value according to the second excitation signal and the second configuration signal;
s1017: the key generation module generates a second key according to the second response value;
s1018: the ECC encryption and decryption module encrypts a second key according to the received first public key to obtain a first ciphertext and transmits the first ciphertext and the ciphertext public key to the embedded system;
s1019: the embedded system decrypts the first ciphertext according to the ciphertext public key and the embedded system private key to obtain a decrypted second secret key;
s102: authentication SM4 encryption and decryption module;
the step S102 comprises the following sub-steps S1021-S1023:
s1021: the true random number generator module generates a first random plaintext;
s1022: the SM4 encryption and decryption module encrypts the first random plaintext according to the second key to obtain a second ciphertext, and sends the second ciphertext and the first random plaintext to the embedded system;
s1023: the embedded system authenticates the second ciphertext and the first random plaintext according to the decrypted second key;
s103: and encrypting the data to be encrypted transmitted by the embedded system by using an SM4 encryption and decryption module.
The implementation method of the encryption system realizes the encryption process of the data to be encrypted by matching a plurality of modules. The method comprises the steps that after an autonomous instruction set processor receives an encryption instruction, an encryption enabling signal is sent to a control module, firstly, an ECC encryption and decryption module is used for encrypting and transmitting a secret key of an SM4 encryption and decryption module, then the control module controls an authentication process of an encryption system and an embedded system by controlling a finite state machine shown in figure 9, the authentication process mainly comprises the authentication of the SM4 encryption and decryption module, after the authentication is finished, data to be encrypted transmitted by the embedded system is encrypted, after the autonomous instruction set processor receives an encryption stopping instruction, an encryption stopping signal is sent to the control module, and after the control module receives the encryption stopping signal, the encryption is finished. Referring to fig. 9, an implementation method of an encryption system mainly includes the following three implementation processes:
firstly, the ECC encryption and decryption module encrypts and transmits the key of the SM4 encryption and decryption module
The communication between the encryption system and the embedded system is realized through the communication module, firstly, the embedded system generates a private key (called an embedded private key) of the embedded system and generates an embedded public key (called a first public key) according to the embedded private key and by utilizing an ECC encryption and decryption algorithm, then the first public key is sent to the encryption system through the communication module, and the encryption system writes the first public key into a corresponding register group to enter the next state;
the true random number generator module generates a 16-bit wide excitation signal (called a first excitation signal) and a 12-bit configuration signal (called a first configuration signal), writes the first excitation signal and the first configuration signal into the register group, and enters a next state;
the response generation module generates a response value (called a first response value) according to the first excitation signal and the first configuration signal, and enters a next state;
the key generation module encodes the first response value into a key with the length of 128 bits as a private key (called as a first private key) of the ECC encryption and decryption module, the ECC encryption and decryption module performs point multiplication operation on the provided elements of the finite field and the first private key to obtain a ciphertext public key, and the generated ciphertext public key is transmitted to the embedded system and enters the next state;
the true random number generator module generates an excitation signal (called a second excitation signal) with the width of 16 bits and a configuration signal (called a second configuration signal) with the width of 12 bits, writes the second excitation signal and the second configuration signal into the register group and enters a next state;
the response generation module generates a response value (called as a second response value) according to the second excitation signal and the second configuration signal, and enters a next state;
the key generation module encodes the second response value into a key with the length of 128 bits as a key (called a second key) of the SM4 encryption and decryption module, and enters a next state;
the ECC encryption and decryption module encrypts the second key according to the first public key and the first private key transmitted by the embedded system, a ciphertext (called as a first ciphertext) is obtained after encryption is completed, the first ciphertext and the ciphertext public key are transmitted to the embedded system through the communication module, and the embedded system enters the next state;
the embedded system receives the first ciphertext and the ciphertext public key, and decrypts the first ciphertext through the embedded system private key and the ciphertext public key to obtain a decrypted second key.
Second, authentication of SM4 encryption and decryption module
The true random number generator module generates a random plaintext (called as a first random plaintext) and enters a next state;
the SM4 encryption and decryption module of the encryption system encrypts the first random plaintext according to the second key to obtain a second ciphertext, and sends the first random plaintext and the second ciphertext to the embedded system through the communication module to enter the next state;
the embedded system decrypts the second ciphertext according to the decrypted second key to obtain a decrypted plaintext, if the decrypted plaintext is consistent with the received first random plaintext, the embedded system passes the authentication and enters an encryption transmission process, otherwise, the embedded system stops communicating with the encryption system;
the encryption and transmission of the key of the SM4 encryption and decryption module are performed through the ECC encryption and decryption module, and then the verification of the SM4 encryption and decryption module is performed, so that the security of the key and public key transmission between the encryption system and the embedded system is ensured, and because the key of the SM4 encryption and decryption module is used for encrypting the data to be encrypted transmitted from the embedded system to the encryption system, the key of the SM4 encryption and decryption module must be ensured not to be stolen and tampered in the transmission process.
Third, encryption transmission process
The embedded system transmits the data to be encrypted to the SM4 encryption and decryption module through the communication module, and the SM4 encryption and decryption module encrypts the data to be encrypted by adopting the second key and transmits an encrypted result to the embedded system to finish the encryption process.
In summary, the encryption system and the implementation method thereof of the present invention have the following advantages:
(1) the processor with the self-defined instruction set is adopted for reading and writing data, the processor is simple and low in cost and low in power consumption, and due to the fact that the instruction set is not public, risks of cracking a chip and stealing a program can be effectively avoided;
(2) the response generation module and the true random number generator module share the ring oscillator array, and by adopting the sharing mechanism, the expenditure of hardware resources can be greatly reduced under the condition that the normal work of an encryption system is not influenced;
(3) the response generation module realizes configuration signals, excitation signals and response values which are uniquely related to the circuit by using the physical difference of the circuit, the reconstructed signals, the excitation signals and the response values are used as the generation sources of the secret keys, the response generation module is reconfigurable, the circuit is more flexible, the generated response values are more flexible and changeable, and the secret keys generated according to the response values have the characteristics of high safety, unpredictability, high randomness and the like;
(4) the ECC encryption and decryption module is used for encrypting the key to be transmitted to the embedded system, so that the transmitted key is not easy to steal, and the security of key transmission is guaranteed.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (10)
1. An encryption system, comprising:
the true random number generator module is used for generating a configuration signal, an excitation signal and a random plaintext;
a response generation module for generating a response value based on the stimulus signal and the configuration signal, the response value being randomly generated;
the key generation module is used for generating a random key according to the response value;
the ECC encryption and decryption module is used for encrypting the random key;
and the SM4 encryption and decryption module is used for encrypting the data to be encrypted according to the random key to obtain a ciphertext.
2. The encryption system of claim 1, wherein the response generation module comprises a ring oscillator array, a counter pair, and a comparator.
3. The encryption system of claim 1, wherein said true random number generator module comprises an entropy source circuit, a sampling circuit and an exclusive or network circuit, said entropy source circuit comprising a number of ring oscillator arrays.
4. The encryption system according to claim 1, wherein the ECC encryption/decryption module includes a finite field operation circuit and an ECC operation control circuit.
5. The cryptographic system of claim 1, wherein the key generation module employs a shift register for generating the random key based on the response value.
6. The encryption system of claim 1, wherein said SM4 encryption and decryption module comprises a key expansion circuit, a round-robin circuit, and an iteration control circuit.
7. A cryptographic system as in claim 3, wherein said response generation module and said true random number generator module share a ring oscillator array.
8. An encryption system according to any one of claims 1 to 7 further comprising an autonomous instruction set processor for controlling the encryption process of the encryption system.
9. The encryption system according to any one of claims 1 to 7, further comprising a communication module for enabling the encryption system to communicate with the embedded system.
10. An encryption method for performing encryption by an encryption system according to any one of claims 1 to 9, comprising the steps of:
the ECC encryption and decryption module encrypts and transmits the key of the SM4 encryption and decryption module, and the step comprises the following sub-steps:
the true random number generator module generates a first excitation signal and a first configuration signal;
the response generation module generates a first response value according to the first excitation signal and the first configuration signal;
the key generation module generates a first private key according to the first response value;
the ECC encryption and decryption module generates a ciphertext public key according to the first private key;
the true random number generator module generates a second excitation signal and a second configuration signal;
the response generation module generates a second response value according to the second excitation signal and the second configuration signal;
the key generation module generates a second key according to the second response value;
the ECC encryption and decryption module encrypts a second key according to the received first public key to obtain a first ciphertext and transmits the first ciphertext and the ciphertext public key to the embedded system;
the embedded system decrypts the first ciphertext according to the ciphertext public key and the embedded system private key to obtain a decrypted second secret key;
authenticating an SM4 encryption/decryption module, the authenticating SM4 encryption/decryption module step comprising the sub-steps of:
the true random number generator module generates a first random plaintext;
the SM4 encryption and decryption module encrypts the first random plaintext according to the second key to obtain a second ciphertext, and sends the second ciphertext and the first random plaintext to the embedded system;
the embedded system authenticates the second ciphertext and the first random plaintext according to the decrypted second key;
and encrypting the data to be encrypted transmitted by the embedded system by using an SM4 encryption and decryption module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010378053.2A CN111722831B (en) | 2020-05-07 | 2020-05-07 | Encryption system and implementation method thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010378053.2A CN111722831B (en) | 2020-05-07 | 2020-05-07 | Encryption system and implementation method thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111722831A true CN111722831A (en) | 2020-09-29 |
| CN111722831B CN111722831B (en) | 2024-03-19 |
Family
ID=72564272
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010378053.2A Active CN111722831B (en) | 2020-05-07 | 2020-05-07 | Encryption system and implementation method thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111722831B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112699393A (en) * | 2020-12-31 | 2021-04-23 | 南方电网科学研究院有限责任公司 | Parallel bus data transmission method and device |
| CN113630386A (en) * | 2021-07-15 | 2021-11-09 | 金杉 | Encryption and decryption method, device and communication system thereof |
| CN113676453A (en) * | 2021-07-17 | 2021-11-19 | 中国人民解放军战略支援部队信息工程大学 | Data encryption system and method for data resource safety access |
| CN113872975A (en) * | 2021-09-29 | 2021-12-31 | 中国人民解放军火箭军工程大学 | Information encryption transmission device and method |
Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7143294B1 (en) * | 1999-10-29 | 2006-11-28 | Broadcom Corporation | Apparatus and method for secure field upgradability with unpredictable ciphertext |
| CN1894996A (en) * | 2003-11-07 | 2007-01-10 | 高通股份有限公司 | Method and apparatus for authentication in wireless communications |
| CN1960247A (en) * | 2006-11-29 | 2007-05-09 | 中控科技集团有限公司 | Method for encrypting and decrypting industrial control data |
| JP2013134530A (en) * | 2011-12-26 | 2013-07-08 | Kddi Corp | Authentication system, authentication method, and authentication program |
| KR20150135032A (en) * | 2014-05-23 | 2015-12-02 | 숭실대학교산학협력단 | System and method for updating secret key using physical unclonable function |
| US20160056961A1 (en) * | 2014-08-25 | 2016-02-25 | Shay Gueron | Method, apparatus, and instructions for safely storing secrets in system memory |
| US20160364583A1 (en) * | 2015-06-12 | 2016-12-15 | Qualcomm Incorporated | Physically unclonable function assisted memory encryption device techniques |
| CN106550359A (en) * | 2015-09-18 | 2017-03-29 | 中国电信股份有限公司 | The authentication method and system of a kind of terminal and SIM |
| CN107637016A (en) * | 2015-05-29 | 2018-01-26 | 日本电信电话株式会社 | Authentication device, Verification System, authentication method and program |
| CN108540486A (en) * | 2018-04-23 | 2018-09-14 | 湖南东方华龙信息科技有限公司 | The generation of cloud key and application method |
| CN109714307A (en) * | 2018-06-12 | 2019-05-03 | 广东工业大学 | A kind of cloud platform client data encrypting and deciphering system and method based on national secret algorithm |
| CN110752919A (en) * | 2019-10-21 | 2020-02-04 | 湖北工业大学 | Two-party authentication and session key exchange method based on BST-PUF |
| CN110768938A (en) * | 2018-07-27 | 2020-02-07 | 上海汽车集团股份有限公司 | Vehicle safety communication method and device |
| CN110879875A (en) * | 2019-10-28 | 2020-03-13 | 华晟现代电子科技(香港)有限公司 | Hardware encryption device, embedded system copyright protection system and method |
| CN111082925A (en) * | 2019-10-23 | 2020-04-28 | 中山大学 | Embedded system encryption protection device and method based on AES algorithm and PUF technology |
-
2020
- 2020-05-07 CN CN202010378053.2A patent/CN111722831B/en active Active
Patent Citations (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7143294B1 (en) * | 1999-10-29 | 2006-11-28 | Broadcom Corporation | Apparatus and method for secure field upgradability with unpredictable ciphertext |
| CN1894996A (en) * | 2003-11-07 | 2007-01-10 | 高通股份有限公司 | Method and apparatus for authentication in wireless communications |
| CN1960247A (en) * | 2006-11-29 | 2007-05-09 | 中控科技集团有限公司 | Method for encrypting and decrypting industrial control data |
| JP2013134530A (en) * | 2011-12-26 | 2013-07-08 | Kddi Corp | Authentication system, authentication method, and authentication program |
| KR20150135032A (en) * | 2014-05-23 | 2015-12-02 | 숭실대학교산학협력단 | System and method for updating secret key using physical unclonable function |
| US20160056961A1 (en) * | 2014-08-25 | 2016-02-25 | Shay Gueron | Method, apparatus, and instructions for safely storing secrets in system memory |
| CN107637016A (en) * | 2015-05-29 | 2018-01-26 | 日本电信电话株式会社 | Authentication device, Verification System, authentication method and program |
| US20160364583A1 (en) * | 2015-06-12 | 2016-12-15 | Qualcomm Incorporated | Physically unclonable function assisted memory encryption device techniques |
| CN106550359A (en) * | 2015-09-18 | 2017-03-29 | 中国电信股份有限公司 | The authentication method and system of a kind of terminal and SIM |
| CN108540486A (en) * | 2018-04-23 | 2018-09-14 | 湖南东方华龙信息科技有限公司 | The generation of cloud key and application method |
| CN109714307A (en) * | 2018-06-12 | 2019-05-03 | 广东工业大学 | A kind of cloud platform client data encrypting and deciphering system and method based on national secret algorithm |
| CN110768938A (en) * | 2018-07-27 | 2020-02-07 | 上海汽车集团股份有限公司 | Vehicle safety communication method and device |
| CN110752919A (en) * | 2019-10-21 | 2020-02-04 | 湖北工业大学 | Two-party authentication and session key exchange method based on BST-PUF |
| CN111082925A (en) * | 2019-10-23 | 2020-04-28 | 中山大学 | Embedded system encryption protection device and method based on AES algorithm and PUF technology |
| CN110879875A (en) * | 2019-10-28 | 2020-03-13 | 华晟现代电子科技(香港)有限公司 | Hardware encryption device, embedded system copyright protection system and method |
Non-Patent Citations (1)
| Title |
|---|
| 卞建秀等: "基于SM4和ECC的混合加密算法研究", 《计算机应用与软件》, vol. 33, no. 10, pages 303 - 324 * |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112699393A (en) * | 2020-12-31 | 2021-04-23 | 南方电网科学研究院有限责任公司 | Parallel bus data transmission method and device |
| CN113630386A (en) * | 2021-07-15 | 2021-11-09 | 金杉 | Encryption and decryption method, device and communication system thereof |
| CN113630386B (en) * | 2021-07-15 | 2023-05-09 | 金杉 | Encryption and decryption method and device and communication system thereof |
| CN113676453A (en) * | 2021-07-17 | 2021-11-19 | 中国人民解放军战略支援部队信息工程大学 | Data encryption system and method for data resource safety access |
| CN113676453B (en) * | 2021-07-17 | 2023-10-20 | 中国人民解放军战略支援部队信息工程大学 | Data encryption system and method for secure access of data resources |
| CN113872975A (en) * | 2021-09-29 | 2021-12-31 | 中国人民解放军火箭军工程大学 | Information encryption transmission device and method |
| CN113872975B (en) * | 2021-09-29 | 2023-08-18 | 中国人民解放军火箭军工程大学 | Information encryption transmission device and method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111722831B (en) | 2024-03-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111722831B (en) | Encryption system and implementation method thereof | |
| US20220138349A1 (en) | Cryptographic architecture for cryptographic permutation | |
| CN102799800B (en) | Security encryption coprocessor and wireless sensor network node chip | |
| US20210021405A1 (en) | Key sequence generation for cryptographic operations | |
| CN109726598A (en) | Embedded-type security encryption chip based on Cloud Server | |
| CN103516512A (en) | Encryption and decryption method and encryption and decryption device based on AES (advanced encryption standard) algorithm | |
| CN111082925B (en) | Embedded system encryption protection device and method based on AES algorithm and PUF technology | |
| WO2006100801A1 (en) | Key stream encryption device, method, and program | |
| KR20070085129A (en) | Encryption processing method and encryption processing device | |
| CN101431405B (en) | DES encrypted method and its hardware circuit implementing method | |
| Štembera et al. | Breaking Hitag2 with reconfigurable hardware | |
| CN107534558A (en) | For the method and data highway system of the information security for protecting the data via data bus transmission | |
| CN103346878A (en) | Secret communication method based on FPGA high-speed serial IO | |
| CN114218594A (en) | Encryption and decryption initialization configuration method, edge terminal, encryption and decryption platform and security system | |
| CN104219045A (en) | RC4 (Rivest cipher 4) stream cipher generator | |
| CN116073987A (en) | Reliability design method of block cipher mode, cipher card and server | |
| CN102135871B (en) | Device for generating random number by using chaos theory and dynamic password token thereof | |
| CN101819519A (en) | Multifunctional digital signing circuit | |
| CN110493003B (en) | Rapid encryption system based on four-base binary system bottom layer modular operation | |
| Fons et al. | A modular reconfigurable and updateable embedded cyber security hardware solution for automotive | |
| Landge et al. | VHDL based Blowfish implementation for secured embedded system design | |
| US8995659B2 (en) | Parameterized random data generator providing a sequence of bytes with uniform statistical distribution | |
| Sreehari et al. | Implementation of hybrid cryptosystem using DES and MD5 | |
| Palka et al. | Design Flow of Blowfish Symmetric-Key Block Cipher on FPGA | |
| CN112699393B (en) | Parallel bus data transmission method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |