CN112260839B - Micro transmission encryption device based on embedded technology and starting method thereof - Google Patents

Info

Publication number: CN112260839B
Application number: CN202011127636.4A
Authority: CN (China)
Prior art keywords: control chip, service control, encryption, verification, module
Legal status: Active (Google Patents notes that the legal status is an assumption and not a legal conclusion; no legal analysis was performed.)
Other languages: Chinese (zh)
Other versions: CN112260839A (application publication)
Inventors: 杜瑞忠, 李耀龙, 佟晓磊
Current assignee: Hebei Prime Information Security Co., Ltd. (Google Patents notes that listed assignees may be inaccurate; no legal analysis was performed.)
Original assignee: Hebei Prime Information Security Co., Ltd.
Priority: CN202011127636.4A; the application was published as CN112260839A and granted as CN112260839B

Classifications

    • H04L9/3247  Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user or for message authentication (authorization, entity authentication, data integrity, non-repudiation, key authentication), involving digital signatures
    • G06F21/575  Security arrangements for protecting computers, components, programs or data against unauthorised activity; certifying or maintaining trusted computer platforms; secure boot
    • G06F21/64   Security arrangements for protecting computers; protecting data; protecting data integrity, e.g. using checksums, certificates or signatures
    • G08B5/38    Visible signalling systems using electric or electromagnetic transmission, using visible light sources, using flashing light
    • H04L63/045  Network architectures or protocols for network security providing confidential data exchange over packet networks, with the payload protected by hybrid encryption (a combination of symmetric and asymmetric encryption)
    • H04L9/14    Cryptographic mechanisms or arrangements for secret or secure communications using a plurality of keys or algorithms

Abstract

The invention discloses a micro transmission encryption device based on embedded technology, together with its start-up method. The device consists of an "encryption guard" hardware part and an encryption guard software part. The hardware part comprises: a service control chip; a security control chip interconnected with the service control chip; a noise source connected to the security control chip through an interface; an algorithm coprocessor interconnected with the service control chip; a multi-mode positioning module connected to the service control chip through an interface; a temperature and humidity sensor interconnected with the service control chip; and a smart cryptographic key. The software part comprises an application layer, a kernel layer, a driver layer and a system layer. The device is intended for unattended sites and harsh environments: it needs few field operation and maintenance visits, has a low failure rate, can be inserted into an existing network with minimal changes to that network, and is easy to deploy and use.

Description

Micro transmission encryption device based on embedded technology and starting method thereof
Technical Field
The invention relates to the technical field of data transmission encryption, and in particular to a micro transmission encryption device based on embedded technology and its start-up method.
Background
In an age of rapidly developing data communication, ever more messages, information and other digital data are transmitted as bits and bytes over cables and through the air, and the owners of that data increasingly demand that it be protected. Construction of a network transmission encryption system strictly follows the Cryptography Law of the People's Republic of China and the related regulations and standards: management regulations and procedures are formulated alongside the technical build-out, operation and maintenance are standardized through those procedures, and the technology itself constrains how the system is operated, maintained and used.
Encryption devices are increasingly deployed at unattended sites with harsh environments, but existing encryption devices fail frequently, which greatly increases the number of field operation and maintenance visits and the labour involved. Existing devices also consume considerable power, are hard to install, need periodic overhaul and maintenance, and offer a low level of security.
Disclosure of Invention
The technical problem solved by the invention is to provide a micro transmission encryption device based on embedded technology, and a start-up method for it, that addresses the frequent failures (and the labour they cause), high power consumption, difficult installation and low security of existing encryption devices, so as to improve the security of the encryption device and reduce its failure rate.
To solve these problems, the invention adopts the following technical scheme.
A micro transmission encryption device based on embedded technology comprises an encryption guard hardware part and an encryption guard software part;
the encryption guard hardware part comprises:
a service control chip;
a security control chip interconnected with the service control chip and responsible for device random number generation, secure key storage, user identity authentication and security state transfer;
a noise source connected to the security control chip through an interface and used to generate unpredictable true random numbers with good cryptographic statistical properties;
an algorithm coprocessor interconnected with the service control chip and connected to the output of the security control chip through a communication interface, used to accelerate the SM4 and SM3 algorithms;
a multi-mode positioning module connected to the service control chip through an interface and used to provide a positioning function;
a temperature and humidity sensor interconnected with the service control chip and used to measure the temperature and humidity of the environment in which the encryption guard hardware is located; and
a smart cryptographic key used to authenticate the identity of an administrative user or an ordinary user when the encryption guard is started;
the encryption guard software part comprises:
an application layer comprising a key negotiation module, a local management service module, a remote management agent module for communicating with a remote management platform, an IP camera authentication proxy module for proxying authentication of the camera's management protocol, and an information board security agent module that performs online detection of the equipment protected by the encryption guard;
a kernel layer comprising a data encryption and encapsulation module and an anti-virus module, where the data encryption and encapsulation module implements data encapsulation, data decapsulation, the ESP (Encapsulating Security Payload) protocol and IP payload encryption;
a driver layer; and
a system layer;
the local management service module is connected to the local management control software through a serial port; it cooperates with the local management control software to execute the relevant instructions and returns the execution results to the local management control software.
In a further refinement of the technical scheme, the service control chip is a Marvell ARMADA 3720 SoC;
the security control chip is an HSC32EU chip connected to the service control chip over USB 2.0;
the algorithm coprocessor is a Fangcun Microelectronics T620, and the service control chip connects to it over USB 3.0.
In a further refinement, the service control chip is interconnected with DDR3 memory, eMMC Flash, a reset button and an indicator light; the outputs of the service control chip and the security control chip are each connected to an SPI Flash through a selection switch, and the SPI Flash stores the BootLoader program.
In a further refinement, the operating mode of the key agreement module is set by the local management control software, and the algorithm suites supported by the key agreement module are:
1) SM2-SM3-SM4
2) RSA-SM3-SM4.
In a further refinement, the remote management agent module provides instruction execution and state reporting. The remote management instructions include: reset and restart the device, upgrade the device software, remotely destroy keys, obtain the security state, obtain the network parameters and set the network parameters. State reporting includes: reporting temperature values, humidity values, positioning values, traffic information and network parameters.
In a further refinement, the cryptographic operations and certificate management functions used by the IP camera authentication proxy module are provided by the security control chip.
In a further refinement, the cryptographic operations of the data encryption and encapsulation module are performed by the algorithm coprocessor, and the data encryption and encapsulation policy is set by the local management control software.
A start-up method for the micro transmission encryption device based on embedded technology, carried out on the device described above, comprises the following steps:
S1: the device is powered on. After the security control chip powers up and starts, it executes a trusted boot program, places the service control chip in reset, and uses the reset signal to hold back the start of the service control chip;
S2: the security control chip verifies the digital signature of the boot loader program stored in the SPI Flash chip;
if verification fails, go to step S3; if it passes, go to step S4;
S3: raise an alarm through the indicator light, flashing it red;
S4: after verification passes, the service control chip is started by changing the reset signal; it loads the boot loader program and initializes the peripherals;
S5: the boot loader verifies the digital signature of the operating system kernel program in the eMMC Flash;
if verification fails, go to step S3; if it passes, go to step S6;
S6: after verification passes, the service control chip loads the operating system kernel program from the eMMC Flash and loads the Linux kernel onto the CPU to run;
S7: the operating system kernel verifies the digital signature of the application program image;
if verification fails, go to step S3; if it passes, go to step S8;
S8: after verification passes, the operating system kernel decompresses and starts the application program and loads it onto the CPU to run.
In a further refinement, the system specifies a fixed location for the signature: the absolute address after the boot loader program, increased by 256 bytes, is the start of the signature data.
For the application program image checked in step S7: after development is completed, all files of the application are packaged into an image file; the image file is signed with the private key of the vendor signing key pair, and the resulting signature is placed in a signature file with the same name as the image file; the image file and the signature file are both placed in the application partition of the eMMC Flash.
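The verification chain of steps S1 to S8, as an added runnable model; this is example code written for this page, not code from the patent or from Hebei Prime. It uses Go's standard-library ed25519 as a stand-in for the SM2 signatures the device would use, assumes a 256-byte header in front of the signature in SPI Flash (the patent only fixes the signature at the boot loader's absolute address plus 256 bytes), assumes one vendor signing key for all three stages, and models the same-named signature file of the application image with a ".sig" suffix. The firmware contents are constructed strings, and the names Device, BuildBootImage, VerifyBootImage, NewSampleDevice and BootState are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed SPI Flash layout (not from the patent): 256-byte header with magic and
// code length, signature at offset 256, signed code right after the signature.
const (
	hdrSize = 256
	sigOff  = hdrSize
	sigLen  = ed25519.SignatureSize // 64 bytes; an SM2 signature is also 64 bytes
)

var bootMagic = []byte("BOOT")

// BootState is the start-up state machine of steps S1-S8; StateAlarm is step S3.
type BootState int

const (
	StateReset BootState = iota // S1: service chip held in reset
	StateApp                    // S8: application verified and running
	StateAlarm                  // S3: verification failed, red indicator flashing
)

// Device models the parts of the hardware that the boot method touches.
type Device struct {
	SPIFlash           []byte            // boot loader image, verified by the security chip
	EMMC               map[string][]byte // "kernel", "app" and their same-named ".sig" files
	ServiceChipInReset bool              // reset signal driven by the security chip
	RedLEDFlashing     bool              // indicator light state of step S3
	FailedStep         string            // step that tripped the alarm, if any
}

// BuildBootImage packs code into the assumed layout; the vendor key signs header||code.
func BuildBootImage(priv ed25519.PrivateKey, code []byte) []byte {
	hdr := make([]byte, hdrSize)
	copy(hdr, bootMagic)
	binary.LittleEndian.PutUint32(hdr[4:], uint32(len(code)))
	sig := ed25519.Sign(priv, append(append([]byte{}, hdr...), code...))
	img := append(append([]byte{}, hdr...), sig...)
	return append(img, code...)
}

// VerifyBootImage is step S2: the security chip checks the boot loader signature
// before the service chip leaves reset, and returns the verified code on success.
func VerifyBootImage(pub ed25519.PublicKey, img []byte) ([]byte, error) {
	if len(img) < hdrSize+sigLen || !bytes.Equal(img[:len(bootMagic)], bootMagic) {
		return nil, errors.New("boot image: bad header")
	}
	n := int(binary.LittleEndian.Uint32(img[4:8]))
	if n > len(img)-hdrSize-sigLen {
		return nil, errors.New("boot image: length field exceeds image")
	}
	sig := img[sigOff : sigOff+sigLen]
	code := img[sigOff+sigLen : sigOff+sigLen+n]
	signed := append(append([]byte{}, img[:hdrSize]...), code...)
	if !ed25519.Verify(pub, signed, sig) {
		return nil, errors.New("boot image: signature verification failed")
	}
	return code, nil
}

// verifyDetached checks an image against the same-named signature file in the
// partition, as the patent describes for the application image (steps S5 and S7).
func verifyDetached(pub ed25519.PublicKey, part map[string][]byte, name string) error {
	img, okImg := part[name]
	sig, okSig := part[name+".sig"]
	if !okImg || !okSig {
		return fmt.Errorf("%s: image or signature file missing", name)
	}
	if len(sig) != sigLen || !ed25519.Verify(pub, img, sig) {
		return fmt.Errorf("%s: signature verification failed", name)
	}
	return nil
}

func (d *Device) alarm(step string) BootState {
	d.FailedStep, d.RedLEDFlashing = step, true
	return StateAlarm
}

// Boot runs steps S1-S8: the service chip leaves reset only after the boot loader
// verifies, and each later stage is verified by the stage before it.
func (d *Device) Boot(vendorPub ed25519.PublicKey) BootState {
	d.ServiceChipInReset = true // S1: security chip asserts reset
	if _, err := VerifyBootImage(vendorPub, d.SPIFlash); err != nil {
		return d.alarm("S2") // S3: alarm; the service chip never leaves reset
	}
	d.ServiceChipInReset = false // S4: reset released, boot loader runs
	if err := verifyDetached(vendorPub, d.EMMC, "kernel"); err != nil {
		return d.alarm("S5")
	}
	if err := verifyDetached(vendorPub, d.EMMC, "app"); err != nil { // S6 done, S7
		return d.alarm("S7")
	}
	return StateApp // S8
}

// NewSampleDevice builds a device with constructed firmware images, all signed by one
// vendor key (an assumption; the patent names only a vendor signing key pair).
func NewSampleDevice(priv ed25519.PrivateKey) *Device {
	kernel, app := []byte("constructed linux kernel image"), []byte("constructed application image")
	return &Device{
		SPIFlash: BuildBootImage(priv, []byte("constructed boot loader code")),
		EMMC: map[string][]byte{
			"kernel": kernel, "kernel.sig": ed25519.Sign(priv, kernel),
			"app": app, "app.sig": ed25519.Sign(priv, app),
		},
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := NewSampleDevice(priv)
	fmt.Println("intact device:", good.Boot(pub), "failed step:", good.FailedStep)
	bad := NewSampleDevice(priv)
	bad.EMMC["kernel"][0] ^= 0xff // flip one bit of the kernel image after signing
	fmt.Println("tampered kernel:", bad.Boot(pub), "failed step:", bad.FailedStep)
}
```

The ordering is the point worth checking on real hardware: the service control chip's reset is released only after the boot loader in SPI Flash verifies, so a bad boot loader leaves that chip in reset with the red indicator flashing, while a bad kernel or application image is caught later by the stage that precedes it. The chain's root is the security control chip's own trusted boot program and the public key it verifies with; that key must be as well protected against replacement as the vendor's private key is against disclosure, and the selection switch in front of the SPI Flash is what lets the security chip read the boot loader while the service chip is still held in reset.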
The technical scheme brings the following technical progress.
The invention is intended for unattended sites and harsh environments: it needs few field operation and maintenance visits, has a low failure rate, can be inserted into an existing network with minimal changes to that network, and is easy to deploy and use.
The encryption guard is built on a low-power ARM platform, uses a hardware security chip as its key management and cryptographic operation module, supports dual gigabit network interfaces, and provides temperature and humidity sensing, local management and remote management.
The invention meets the requirements of industrial use, low power consumption, easy installation, maintenance-free operation and high security, and has passed the relevant national security tests and certifications as well as the electromechanical or informatization certifications of industries such as electric power, energy and transportation.
The service control chip is an ARMADA 3720, which supports advanced power management: each CPU core can be switched on individually and its voltage and frequency adjusted dynamically, which markedly reduces power consumption under varying workloads.
Drawings
FIG. 1 is a schematic block diagram of the encryption guard hardware part of the micro transmission encryption device based on embedded technology according to the present invention;
FIG. 2 is an external interface diagram of the device;
FIG. 3 is a schematic block diagram of the encryption guard software part of the device;
FIG. 4 is a diagram of the interaction between the management control software and the encryption guard software;
FIG. 5 is a flowchart of the start-up process of the device.
Detailed Description
The invention is described in further detail below with reference to the figures and specific examples.
As shown in FIGS. 1 to 4, a micro transmission encryption device based on embedded technology includes an encryption guard hardware part and an encryption guard software part.
The encryption guard is built on a low-power ARM platform, uses a hardware security chip as its key management and cryptographic operation module, supports dual gigabit network interfaces, and provides temperature and humidity sensing, local management and remote management.
The encryption guard hardware part comprises: a service control chip, a security control chip, a noise source, an algorithm coprocessor, a multi-mode positioning module, a temperature and humidity sensor, a smart cryptographic key, DDR3 memory, eMMC Flash, a reset button, an indicator light and an SPI Flash.
The service control chip is a Marvell ARMADA 3720 SoC, which integrates a dual-core 64-bit ARMv8 processor and rich peripheral interfaces. The ARMADA 3720 is based on Marvell's modular chip (MoChi) architecture: by adding MoChi modules it can be extended into a virtual SoC (Marvell VSoC) that supports custom interconnect modes and a range of I/O technologies and interfaces. Its compact 11.5 mm x 10.5 mm package allows smaller, simpler product designs, and the dual 64-bit ARMv8 processor lets the ARMADA 3720 run several applications at once. The ARMADA 3720 is optimized for low-power, small-form-factor applications such as mobile network storage and other battery-powered devices, easing the introduction of high-performance distributed cloud storage and network management platforms. The ARMADA 3720 SoC family offers high-speed I/O including USB 3.0, SATA 3.0, Gigabit Ethernet (1 GbE) and 2.5 GbE (NBASE-T), and integrates security and data acceleration engines suited to network, storage and compute applications. It supports advanced power management: each CPU core can be switched on individually and its voltage and frequency adjusted dynamically, which markedly reduces power consumption under varying workloads.
The security control chip is interconnected with the service control chip. It is an HSC32EU chip connected to the service control chip over USB 2.0. This chip is the security control centre of the whole unit and is responsible for device random number generation, secure key storage, user identity authentication, security state transfer and similar functions. It supports the SM2, SM3 and SM4 algorithms and a range of peripheral interfaces.
The data encryption keys managed by the security control chip are installed into the algorithm coprocessor, where multiple data encryption keys are distinguished by a KEY-ID. The KEY-IDs are generated and maintained by the key negotiation program, which dispatches encryption, decryption and integrity operations to the keys held in the algorithm coprocessor (T620) by KEY-ID.
The HSC32EU is a system-level cryptographic security chip developed by Beijing Hongsi Electronic Technology Co., Ltd., characterized by rich functionality, high performance, high security, low power consumption and low cost.
Its main functions include:
on-chip key management (key generation, key storage, key update, etc.);
the national commercial cryptographic algorithms SM2/SM3/SM4/SSF33;
the international AES/TDES/RSA/SHA algorithms;
USB 2.0 high-speed and full-speed communication;
SPI, UART, 7816 master, IIC and other communication interfaces;
USB flash drive functionality, with support for external high-capacity NAND Flash and eMMC memory chips;
IC card reader and SD card reader functions;
high-speed data stream encryption;
a range of security management controls.
The noise source is connected to the security control chip through an interface; it generates unpredictable true random numbers with good cryptographic statistical properties and is an indispensable basic component of a cryptographic product at the information security level. The invention uses the WNG-8 physical noise source chip produced by Hongsi Electronics, which is intended mainly for key generation and initialization vector setting in commercial cryptographic products and meets the broad need for true random sequences in secure communication protocols.
The WNG-8 is pin-compatible with the WNG-4 and WNG-9, preserving forward compatibility across the product line, and is available in DIP8 and SOP8 packages; it comes in 3.3 V and 5.0 V variants to suit chips with different supply voltages; and it is simple to use, with a single straight-through output at a rate of 20 Mbps.
The algorithm coprocessor is interconnected with the service control chip and connected to the output of the security control chip through a communication interface; it accelerates the SM4 and SM3 algorithms. The coprocessor is a Fangcun Microelectronics T620, and the service control chip connects to it over USB 3.0.
The chip implements SM2, SM3, SM4 and other cryptographic algorithms in hardware, supports USB 3.0, SPI, UART and other communication interfaces, and has security protection mechanisms including DPA/SPA resistance, storage protection, an active shield, and voltage, frequency and temperature detection.
The chip is used mainly to accelerate the SM4 and SM3 algorithms. The HSC32EU installs data encryption keys into the T620 over a UART interface; multiple keys are distinguished by KEY-ID, the KEY-IDs are generated and maintained by the key negotiation program, and encryption, decryption and integrity operations are dispatched to the keys held in the coprocessor (T620) by KEY-ID.
The algorithm coprocessor chosen is the T620 security chip from Qingdao Fangcun Microelectronics Technology Co., Ltd. (commercial cryptography product certificate model SSX1929). The chip is a commercial cryptography product of security level 1 and a new-generation SoC network terminal security chip developed independently by Fangcun Microelectronics, with high security, rich functionality, strong performance and low power consumption.
The chip integrates a high-performance 32-bit domestic RISC CPU, supports ultra-high-speed interfaces such as USB 3.0, SATA 3.0 and eMMC 5.1, integrates the commercial cryptographic algorithms SM2, SM3 and SM4, and meets the security requirements of terminal cryptographic products in the information security field.
The chip's SM4 engine delivers about 800 Mbps and supports the ECB, CBC, OFB, CFB, CTR and XTS modes of operation; SM2 key pair generation runs at 500 pairs per second.
The chip has 512 KB of on-chip Flash, 32 KB of ROM and 256 KB of SRAM, and provides one QSPI master interface, one SPI master interface, two UART interfaces and 12 GPIO lines.
For security, it supports voltage and temperature tamper detection and physical probing protection.
The multi-mode positioning module is connected to the service control chip through a UART interface and provides the positioning function. To improve its positioning capability, an external antenna connector must be provided on the housing.
The temperature and humidity sensor is interconnected with the service control chip and measures the temperature and humidity of the environment in which the encryption guard hardware is located. The sensor is a Sensirion SHT30-DIS-B, which is small and accurate: it measures 3 x 3 mm, has a humidity range of 0-100% RH with accuracy within 5% RH (0-90% RH), and a temperature range of -40 °C to +125 °C with accuracy within 1 °C (-10 °C to 85 °C).
The smart cryptographic key authenticates the identity of an administrative user or an ordinary user when the encryption guard is started. The invention uses a smart cryptographic key (USB Key, abbreviated "UK") developed and produced by Tianjin Yinda Communication Technology Co., Ltd.; it is built on a high-performance, high-capacity security chip with a full-speed/high-speed core, provides fast hardware cryptographic operations, and supports both international and national cryptographic algorithms in hardware.
The UK uses a USB interface with a USB 2.0 high-speed design; its high-security chip effectively resists physical attack, it needs no driver, and it is recognised automatically by the Windows operating system.
The service control chip is interconnected with DDR3 memory (capacity 1G), eMMC Flash (capacity 4G), a reset button and an indicator light. The outputs of the service control chip and the security control chip are each connected to an SPI Flash through a selection switch; the SPI Flash stores the BootLoader program and has a capacity of 16M.
The physical interfaces the encryption guard exposes are shown in FIG. 2; the Console port is a single physical connector but carries two UART serial ports. The indicator lights are arranged in one row of four, with the meaning of each light defined separately; the USB female connector is mounted parallel to the PCB; and the reset button performs a power restart.
The encrypted guard software part comprises: an application layer, a kernel layer, a driver layer and a system layer.
The application layer comprises a key negotiation module, a local management service module, a remote management agent module, an IP camera authentication agent module and an information board security agent module.
The key negotiation module is mainly responsible for realizing an IKE protocol and a self-defined key distribution protocol which meet GM/T0022-2014 IPSec VPN technical specification, the cryptographic operation required in the protocol is realized by an HSC32EU chip, and the working mode of the key negotiation module is set by local management control software.
The algorithm suite supported by key agreement is as follows:
1)SM2-SM3-SM4
2) RSA-SM3-SM4 (RSA algorithm is 2048 bits).
The remote management agent module implements communication and interaction with the remote management platform. It comprises an instruction execution function and a state reporting function. The remote management instructions comprise: resetting and restarting the equipment, upgrading the equipment software, remotely destroying the key, acquiring the security state, acquiring the network parameters and setting the network parameters. The state reporting function comprises: reporting temperature values, humidity values, positioning values, traffic information and network parameters.
The IP camera authentication agent module performs proxy authentication of the camera's management protocol, implementing the class A access identity authentication of GB 35114-2018; the related cryptographic operations and certificate management functions are provided by the HSC32EU.
The information board safety agent module performs online detection of the equipment protected by the encryption guard, providing an offline-alarm function so that a protected device going offline is discovered promptly.
The kernel layer comprises a data encryption and encapsulation module and an anti-virus module.
The data encryption and encapsulation module implements data encapsulation, data decapsulation, the ESP protocol and IP payload encryption. Its cryptographic operations are performed by the T620 chip. The data encryption and encapsulation policy is set by the local management control software.
The driver layer comprises a security chip driver, a network interface driver, a USB driver and a UART driver.
The system layer comprises the operating system.
The local management service module is connected to the local management control software through a serial port; it works together with the local management control software to execute the related instructions and returns the execution results to the local management control software.
A starting method for the micro transmission encryption device based on embedded technology is carried out on the device described above and comprises the following steps, as shown in fig. 5:
S1, powering on the equipment; after the safety control chip is powered on and started, it executes a trusted boot program, holds the service control chip in the reset state, and delays the start of the service control chip through the reset signal.
S2, the safety control chip performs digital signature verification on the boot program stored in the SPI Flash chip. The boot program is the BootLoader program inside the SPI Flash.
If the verification is not passed, step S3 is executed, and if the verification is passed, step S4 is executed.
S3, an alarm is given through the indicator light, which flashes red.
S4, after verification passes, the service control chip is released from reset by changing the reset signal; the service control chip loads the boot program and initializes the various peripheral devices.
S5, the boot program performs digital signature verification on the operating system kernel image (Linux Kernel Image) in the eMMC Flash;
if the verification is not passed, step S3 is executed, and if the verification is passed, step S6 is executed.
S6, after verification passes, the service control chip loads the operating system kernel program from the eMMC Flash and loads the Linux kernel into the CPU for running.
In step S6, after program development is completed, all files of the application program (Linux Kernel) are packaged into image files (such as Image, zImage and other formats), the image files are signed with the private key of the vendor signature key pair to obtain the signature result, the signature result is placed in a signature file (with the suffix .sig), and the image file and the signature file are placed in the application partition of the eMMC Flash.
S7, the operating system kernel performs digital signature verification on the application program image.
If the verification is not passed, step S3 is executed, and if the verification is passed, step S8 is executed.
S8, after verification passes, the operating system kernel decompresses and starts the application program, loading it into the CPU for running.
The SPI Flash has a small capacity and stores the BootLoader program of the service control chip system, which mainly initializes the hardware devices, establishes the memory address mapping and so on, and prepares the boot environment for the embedded operating system (generally Linux) kernel; the system stipulates that the signature data is stored starting at the absolute address 256 bytes beyond the boot program.
The digital signature algorithm is SM2, and the digest algorithm is SM3.
During startup, the safety control chip first computes the digest of the boot program in the SPI Flash, reads the signature value from the signature area of the SPI Flash, and reads the vendor signature public key stored in the safety control chip to verify the signature; if verification passes, the program in the boot sector is proven to be a program issued by the vendor.
After the boot program has loaded normally, it reads the system kernel image file from the boot partition of the eMMC Flash and uses the algorithm coordination processor to compute its digest; after the digest is computed it reads the signature data in the signature file and the vendor signature public key stored in the signature file, and finally the algorithm coordination processor verifies the signature data against the digest and the signature public key; if verification passes, the operating system kernel is proven to be a program released by the vendor.
After the operating system kernel has loaded normally, the kernel program reads the application program image file from the application partition of the eMMC Flash and uses the algorithm coordination processor to compute its digest; after the digest is computed it reads the signature data in the signature file and the vendor signature public key stored in the signature file, and finally the algorithm coordination processor verifies the signature data against the digest and the signature public key; if verification passes, the application program is proven to be a program issued by the vendor.
The signature and signature verification algorithm used throughout the above process is SM2, and the digest algorithm is SM3.
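All three verification stages above (S2 boot program in SPI Flash, S5 kernel image, S7 application image) reduce to one primitive: an SM3 digest of the image checked with an SM2 signature under the vendor's signature public key. The Python below is an added example written for this page, not the device's firmware: it implements SM2 on the recommended curve with SM3 taken from hashlib (assumed to be exposed by the underlying OpenSSL), plus the SPI stage's layout as read here, namely signature data placed 256 bytes past the end of the boot program and encoded as raw r || s (both assumptions; the page does not fix the encoding). The vendor public key is supplied by the verifying party, as the page describes for the safety control chip, rather than read from the signed object.

```python
import hashlib
import secrets

# SM2 recommended curve (GB/T 32918.5): y^2 = x^3 + A*x + B over GF(P), base point G of order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
SIG_GAP = 256  # page: signature data starts 256 bytes beyond the boot program (read here as: past its end)
SIG_LEN = 64   # assumption: raw r || s, 32 bytes each; the page does not fix the encoding

def sm3(data: bytes) -> bytes:
    return hashlib.new("sm3", data).digest()  # assumes the OpenSSL behind hashlib exposes SM3

def _add(p1, p2):
    # Affine point addition on the SM2 curve; None is the point at infinity.
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k: int, pt):
    acc = None  # double-and-add; not constant-time, illustration only
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _za(pub, uid: bytes = b"1234567812345678") -> bytes:
    # Z_A = SM3(ENTL || ID || a || b || xG || yG || xA || yA) with the default SM2 user ID.
    fields = b"".join(v.to_bytes(32, "big") for v in (A, B, G[0], G[1], pub[0], pub[1]))
    return sm3((len(uid) * 8).to_bytes(2, "big") + uid + fields)

def sm2_keygen():
    d = secrets.randbelow(N - 1) + 1  # vendor signature key pair: private d, public [d]G
    return d, _mul(d, G)

def sm2_sign(d: int, pub, msg: bytes) -> bytes:
    # Vendor side: the 'signature result' the page stores next to the image (.sig file).
    e = int.from_bytes(sm3(_za(pub) + msg), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = (e + _mul(k, G)[0]) % N
        if r == 0 or r + k == N: continue
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if s: return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def sm2_verify(pub, msg: bytes, sig: bytes) -> bool:
    # Device side: digest the image, then check (r, s) against the vendor public key.
    if len(sig) != SIG_LEN: return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (1 <= r < N and 1 <= s < N): return False
    e = int.from_bytes(sm3(_za(pub) + msg), "big")
    t = (r + s) % N
    if t == 0: return False
    pt = _add(_mul(s, G), _mul(t, pub))
    return pt is not None and (e + pt[0]) % N == r

def verify_spi_bootloader(flash: bytes, boot_len: int, vendor_pub) -> bool:
    # Stage S2: digest the boot program region, read the signature area, verify.
    start = boot_len + SIG_GAP
    return sm2_verify(vendor_pub, flash[:boot_len], flash[start:start + SIG_LEN])
```

For the eMMC stages the same `sm2_verify` is applied to the image bytes and the contents of the same-name .sig file.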

Claims (9)

1. A miniature transmission encryption device based on embedded technology is characterized by comprising an encryption guard hardware part and an encryption guard software part;
the encryption guard hardware part comprises:
a service control chip;
the safety control chip is interconnected with the service control chip and is responsible for device random number generation, secure key storage, user identity authentication and security state transfer;
the noise source is interactively connected with the safety control chip through an interface and used for generating unpredictable true random numbers with good cryptographic statistical properties;
the algorithm coordination processor is connected with the service control chip in an interconnecting way and is connected with the output end of the safety control chip through a communication interface, and the algorithm coordination processor is used for accelerating SM4 and SM3 algorithms;
the multimode positioning module is accessed into the service control chip through an interface and is used for providing a positioning function;
the temperature and humidity sensor is mutually connected with the service control chip and is used for detecting the temperature and the humidity in the environment where the encryption guard hardware is located; and
the intelligent password key is used for authenticating the identity of a management user or a common user when the encryption guard is started;
the service control chip is interconnected with a DDR3 memory, an eMMC Flash, a reset button and an indicator light; the input ends of the service control chip and the safety control chip are each connected to the SPI Flash through a selection switch, and the SPI Flash is used for storing a BootLoader program;
the encryption guard software part comprises:
an application layer comprising a key negotiation module, a local management service module, a remote management agent module for implementing communication and interaction with a remote management platform, an IP camera authentication agent module for performing proxy authentication of the camera's management protocol, and an information board safety agent module for performing online detection of the equipment protected by the encryption guard;
a kernel layer comprising a data encryption and encapsulation module and an anti-virus module, wherein the data encryption and encapsulation module is used for implementing data encapsulation, data decapsulation, the ESP protocol and IP (Internet Protocol) payload encryption;
a drive layer; and
a system layer;
the local management service module is connected to the local management control software through a serial port, and the local management service module works together with the local management control software to execute the related instructions and return the execution results to the local management control software.
2. The embedded technology-based micro transmission encryption device as claimed in claim 1, wherein the service control chip is implemented as a MARVELL ARMADA 3720 SoC chip;
the safety control chip adopts an HSC32EU chip and is connected with the service control chip through a USB 2.0 protocol;
the algorithm coordination processor adopts a square inch electronic T620, and the service control chip adopts a USB 3.0 protocol to be connected with the algorithm coordination processor.
3. The embedded technology-based micro transmission encryption device according to claim 1, wherein the operation mode of the key agreement module is set by local management control software, and the algorithm suite supported by key agreement is as follows:
1) SM2-SM3-SM4
2) RSA-SM3-SM4.
4. The embedded technology-based micro transmission encryption device of claim 1, wherein the remote management agent module comprises an instruction execution function and a state reporting function, the remote management instructions comprising: resetting and restarting the equipment, upgrading the equipment software, remotely destroying the key, acquiring the security state, acquiring the network parameters and setting the network parameters; and the state reporting function comprising: reporting temperature values, humidity values, positioning values, traffic information and network parameters.
5. The embedded technology-based micro transmission encryption device as claimed in claim 1, wherein the IP camera authentication agent module provides related cryptographic operations and certificate management functions via a security control chip.
6. The embedded technology-based micro transmission encryption device of claim 1, wherein the cryptographic operation function of the data encryption packaging module is implemented by an algorithm coordination processor, and the policy of data encryption packaging is set by local management control software.
7. A method for starting a micro transmission encryption device based on embedded technology, which is performed based on the micro transmission encryption device based on embedded technology of any one of claims 1 to 6, and comprises the following steps:
s1, powering on equipment; after the safety control chip is powered on and started, executing a trusted starting program, setting the service control chip to be in a reset state, and delaying the service control chip to start through a reset signal;
S2, the safety control chip performs digital signature verification on the boot program stored in the SPI Flash chip;
if the verification is not passed, executing the step S3, and if the verification is passed, executing the step S4;
s3, giving an alarm through an indicator light, and flashing a red light;
s4, after the verification is passed, the service control chip is started by changing the reset signal, and the service control chip loads a starting bootstrap program and initializes various peripheral equipment;
s5, starting a bootstrap program to perform digital signature verification on an operating system kernel program of the eMMC Flash;
if the verification is not passed, executing the step S3, and if the verification is passed, executing the step S6;
s6, after the verification is passed, the service control chip loads an operating system kernel program in the eMMC Flash, and loads a Linux kernel to the CPU for running;
s7, the kernel of the operating system performs digital signature verification on the mirror image of the application program;
if the verification is not passed, executing the step S3, and if the verification is passed, executing the step S8;
and S8, after the verification is passed, decompressing and starting the application program by the kernel of the operating system, and loading the application program into the CPU for running.
8. The method as claimed in claim 7, wherein the system stipulates that the storage start position of the signature data is the absolute address 256 bytes past the end of the boot program.
9. The method as claimed in claim 7, wherein in step S6, after the program development is completed, all files of the application program are packaged into image files, the image files are signed by using private key data of a vendor signature key pair to obtain signature results, the signature results are placed into signature files, the name of the signature files is the same as that of the image files, and the image files and the signature files are placed into an application partition of the eMMC Flash.
Application CN202011127636.4A, priority date 2020-10-20, filing date 2020-10-20: Micro transmission encryption device based on embedded technology and starting method thereof. Status: Active. Publication CN112260839B (en).
Publications (2)

Publication Number Publication Date
CN112260839A CN112260839A (en) 2021-01-22
CN112260839B true CN112260839B (en) 2022-11-22
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant