CN112272090A - Key generation method and device - Google Patents


Publication number
CN112272090A
Authority
CN
China
Prior art keywords
key
information
level
decryption
encryption
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011166625.7A
Other languages
Chinese (zh)
Other versions
CN112272090B (en)
Inventor
廖裕民
陈娇丽
刘承
骆飞
刘学
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Anjili New Technology Co ltd
Original Assignee
Shenzhen Anjili New Technology Co ltd
Application filed by Shenzhen Anjili New Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The invention provides a key generation method and device. The device comprises: a source data decryption unit, configured to acquire encrypted source data and decrypt it to obtain a decrypted source key and a decrypted hierarchical encryption and decryption algorithm; a root key operation unit, configured to calculate root key information according to the decrypted source key; and a hierarchy decryption operation unit, configured to acquire hierarchy key information, a hierarchy key encryption and decryption algorithm and root key information, and to decrypt the hierarchy key information with the root key information according to the hierarchy key encryption and decryption algorithm to obtain key output information. In this scheme, the key output information is obtained from a source key through multiple layers of encryption, so that the security of the key generation process is greatly improved.

Description

Key generation method and device
Technical Field
The present invention relates to the field of chip circuit design, and in particular, to a method and an apparatus for generating a secret key.
Background
SSD data storage has gradually become the primary storage medium for consumer device data storage and cloud storage. For SSD data storage, data error correction is of great importance, particularly for personal critical data and government agency related data. The SSD master control chip is used as the brain of the SSD storage device, and the safety performance of the SSD master control chip directly determines the final overall safety performance of the SSD hard disk.
Currently, the most common way to secure each user's data access is still to set a password and complete user authorization by checking it. However, one SSD storage device may be used by different users, and different users should have different security levels corresponding to different accessible spaces. Setting a password cannot ensure the uniqueness of a user's access to the corresponding storage area, and a user who forgets the password can easily be left unable to access the data area of the storage device.
Disclosure of Invention
Therefore, a technical solution for key generation is needed to solve the current problems that access to the data area of a storage device cannot be made unique to each user and that security is weak.
To achieve the above object, a first aspect of the present invention provides a key generation apparatus, including:
the source data decryption unit is used for acquiring the encrypted source data for decryption to obtain a decrypted source key and a decrypted hierarchical encryption and decryption algorithm;
a root key operation unit, configured to calculate root key information according to the decrypted source key;
and the hierarchy decryption operation unit is used for acquiring hierarchy key information, a hierarchy key encryption and decryption algorithm and root key information, and decrypting the hierarchy key information by adopting the root key information according to the hierarchy key encryption and decryption algorithm to obtain key output information.
Further, the apparatus also includes:
the algorithm information storage unit is used for storing the decrypted hierarchical encryption and decryption algorithm;
and the algorithm selection unit is used for selecting different levels of encryption and decryption algorithms to the level decryption operation unit according to the user security level.
Further, the apparatus also includes:
a hierarchy information storage unit for storing hierarchy key information;
and the main control chip is used for acquiring the hierarchy key information in the hierarchy information storage unit and transmitting the hierarchy key information to the hierarchy decryption operation unit.
Further, the apparatus also includes:
a user level storage unit for storing a user security level;
and the main control chip is also used for sending corresponding hierarchy key information to the hierarchy decryption operation unit according to the security level corresponding to the current user.
Further, the apparatus also includes:
the biological characteristic information acquisition unit is used for acquiring the biological characteristic information of the current user;
and the main control chip is used for comparing the acquired biological characteristic information with preset biological characteristic information so as to determine the security level corresponding to the current user.
Furthermore, the hierarchical decryption operation unit comprises a first-level decryption operation unit and a second-level decryption operation unit; the hierarchical key information includes first hierarchical key information and second hierarchical key information; the hierarchical encryption and decryption algorithm comprises a first hierarchical encryption and decryption algorithm and a second hierarchical encryption and decryption algorithm;
the main control chip is used for acquiring the first-level key information from the level information storage unit and transmitting the first-level key information to the first-level decryption operation unit; the hierarchical information storage unit is used for storing the second-level key information and transmitting the second-level key information to the second-level decryption operation unit;
the first-level decryption operation unit is used for decrypting the first-level key information by adopting the root key information according to the first-level key encryption and decryption algorithm to obtain a first-level key;
and the second-level decryption operation unit is used for acquiring the first-level key and decrypting the second-level key information by adopting the first-level key information according to the second-level key encryption and decryption algorithm to obtain a second-level key.
Further, the apparatus also includes:
a user authentication information storage unit for storing user authentication information;
and the root key operation unit is used for acquiring the user authentication information and the decrypted source key, and performing hash operation on the user authentication information according to the decrypted source key to obtain root key information.
Further, the hierarchy information storage unit is further configured to store handshake request information and handshake response information;
the key generation apparatus includes:
the handshake decryption operation circuit is used for decrypting the key output information by adopting the key output information to obtain handshake encryption key information;
the handshake encryption operation circuit is used for receiving the handshake request information and encrypting the handshake request information by adopting the handshake encryption key information to obtain handshake encryption information;
and the handshake information check circuit is used for acquiring the handshake response information and the handshake encryption information, judging whether the handshake response information and the handshake encryption information are matched, and outputting the key output information if the handshake response information and the handshake encryption information are matched.
Further, the apparatus also includes:
the source data storage unit is used for storing encrypted source data, and the source data comprises a source key and a hierarchical encryption and decryption algorithm; the source data storage unit is an OTP storage unit.
The second aspect of the present invention also provides a key generation method, which is applied to the key generation apparatus according to the first aspect of the present invention, and the method includes the following steps:
the source data decryption unit obtains encrypted source data for decryption to obtain a decrypted source key and a decrypted hierarchical encryption and decryption algorithm;
the root key operation unit calculates the decrypted source key to obtain root key information;
the hierarchy decryption operation unit acquires hierarchy key information, a hierarchy key encryption and decryption algorithm and root key information, and decrypts the hierarchy key information by adopting the root key information according to the hierarchy key encryption and decryption algorithm to obtain key output information.
Unlike the prior art, in the key generation method and device of the above technical solution, the device includes: a source data decryption unit, configured to acquire encrypted source data and decrypt it to obtain a decrypted source key and a decrypted hierarchical encryption and decryption algorithm; a root key operation unit, configured to calculate root key information according to the decrypted source key; and a hierarchy decryption operation unit, configured to acquire hierarchy key information, a hierarchy key encryption and decryption algorithm and root key information, and to decrypt the hierarchy key information with the root key information according to the hierarchy key encryption and decryption algorithm to obtain key output information. In this scheme, the key output information is obtained from a source key through multiple layers of encryption, so that the security of the key is greatly improved.
Drawings
Fig. 1 is a schematic structural diagram of a key generation apparatus according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a key generation apparatus according to another embodiment of the present invention;
FIG. 3 is a schematic diagram of a key generation apparatus according to another embodiment of the present invention;
FIG. 4 is a flowchart of a key generation method according to an embodiment of the present invention;
FIG. 5 is a flowchart of a key generation method according to another embodiment of the present invention;
fig. 6 is a flowchart of a key generation method according to another embodiment of the present invention.
Description of reference numerals:
30. a key generation device;
301. a source data storage unit;
302. a source data decryption unit;
303. an algorithm information storage unit;
304. a hierarchy information storage unit;
305. a root key operation unit;
306. a hierarchical decryption operation unit; 3061. a first-level decryption operation unit; 3062. a secondary decryption operation unit; 3063. a third-level decryption operation unit;
307. a handshake decryption operational circuit; 3071. a first-stage handshake decryption operation circuit; 3072. a second-stage handshake decryption operation circuit; 3073. a three-stage handshake decryption operation circuit;
308. a handshake encryption arithmetic circuit; 3081. a first-stage handshake encryption operation circuit; 3082. a second-stage handshake encryption operation circuit; 3083. a three-stage handshake encryption operation circuit;
309. a handshake information check circuit;
310. a key selection unit;
311. an algorithm selection unit; 3111. a first-level algorithm selection unit; 3112. a secondary algorithm selection unit; 3113. a third-level algorithm selection unit;
312. a main control chip;
313. a user authentication information storage unit;
40. a key recording unit.
Detailed Description
To explain technical contents, structural features, and objects and effects of the technical solutions in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
Key information is the tool used for data encryption and decryption and is a key link in chip security authentication, so ensuring the security of the key generation process is very important. In order to enhance the security of the key generation process, the present application designs a special key generation device 30 to generate the finally required key information.
Fig. 1 is a schematic structural diagram of a key generation apparatus according to an embodiment of the present invention. The key generation apparatus includes:
a source data decryption unit 301, configured to obtain encrypted source data and decrypt the encrypted source data to obtain a decrypted source key and a decrypted hierarchical encryption/decryption algorithm;
a root key operation unit 305, configured to calculate root key information according to the decrypted source key;
the hierarchical decryption operation unit 306 is configured to obtain hierarchical key information, a hierarchical key encryption and decryption algorithm, and root key information, and decrypt the hierarchical key information with the root key information according to the hierarchical key encryption and decryption algorithm to obtain key output information. The key output information obtained by the hierarchical decryption operation unit 306 is the finally required key information, and the key output information is obtained by a source key through a multi-layer encryption means, so that the security in the key generation process is greatly improved.
As shown in fig. 2, in some embodiments, the key generation apparatus 30 further includes:
An algorithm information storage unit 303, configured to store the decrypted hierarchical encryption/decryption algorithm. The hierarchical encryption and decryption algorithm is the algorithm selected when data encryption and decryption are subsequently performed, and may specifically include any one or more of the AES algorithm, the TDES algorithm, and the SM4 algorithm. After the source data decryption unit 301 decrypts the hierarchical encryption/decryption algorithm, it is stored in the algorithm information storage unit 303 to await a subsequent call.
An algorithm selection unit 311, configured to select different hierarchical encryption/decryption algorithms for the hierarchical decryption operation unit 306 according to the user security level. The user security level refers to the access rights to different secure storage areas of the storage device. The higher the security level of the user, the higher the security of the secure storage area that the user can access, and the more complicated the corresponding key generation process.
For example, user A, user B, and user C may have a low security level, a medium security level, and a high security level, respectively. The hierarchical key decryption operation unit comprises a first-level key decryption operation unit, a second-level key decryption operation unit and a third-level key decryption operation unit. The algorithm information storage unit is assumed to store three encryption and decryption algorithms a, b and c.
When the key output information corresponding to user A is generated, the device starts only the first-level key decryption operation unit to complete the encryption and decryption operation, and the algorithm selection unit only needs to send encryption and decryption algorithm a to the first-level key decryption operation unit.
When the key output information corresponding to user B is generated, the device starts the first-level key decryption operation unit and the second-level key decryption operation unit to perform encryption and decryption operations. The algorithm selection unit first selects encryption and decryption algorithm a and sends it to the first-level key decryption operation unit, and then sends encryption and decryption algorithm b to the second-level key decryption operation unit when that unit performs its encryption and decryption operation.
When the key output information corresponding to user C is generated, the device starts not only the first-level and second-level key decryption operation units but also the third-level key decryption operation unit to perform encryption and decryption operations. The algorithm selection unit selects encryption and decryption algorithm a and sends it to the first-level key decryption operation unit, sends encryption and decryption algorithm b to the second-level key decryption operation unit when that unit performs its operation, and then sends encryption and decryption algorithm c to the third-level key decryption operation unit when that unit performs its operation, so that the third-level key decryption operation unit completes the corresponding encryption and decryption operation and outputs the key output information.
In this embodiment, the algorithm selecting unit 311 selects different hierarchical encryption/decryption algorithms from the algorithm information storage unit 303 to the corresponding hierarchical decryption operation unit 306 according to different security levels of users, so that access of users with different security levels to different storage areas in the same storage device can be set differently, it is ensured that the access of users with different security levels to the same storage device is not affected by each other, and privacy and security in the access process are further improved.
In some embodiments, the key generation apparatus 30 further includes:
a hierarchy information storage unit 304 for storing hierarchy key information;
the main control chip 312 is configured to obtain the hierarchical key information in the hierarchical information storage unit 304, and transmit the hierarchical key information to the main control chip.
In this way, the decryption algorithm in the key output information generation process comes from the encryption and decryption algorithm in the algorithm information storage unit 303, and is screened by the algorithm selection unit 311, the decryption object of the screened encryption and decryption algorithm is the hierarchical key information sent by the main control chip 312, and the key used in the decryption process is the root key information, which specifically is: the hierarchical decryption operation unit 306 decrypts the hierarchical key information by using the root key information according to the hierarchical key encryption and decryption algorithm, so as to obtain key output information. The hierarchical key information, the hierarchical key encryption and decryption algorithm and the root key information are respectively from different units, so that the safety of the generated key output information is further improved.
In certain embodiments, the apparatus further comprises: a user level storage unit for storing a user security level; and the main control chip is also used for sending corresponding hierarchy key information to the hierarchy decryption operation unit according to the security level corresponding to the current user. The same storage device can be accessed by a plurality of different users. In order to ensure that the accesses of the users to the same storage device do not affect one another, each storage device is provided with a corresponding security level, and the security level corresponding to each user is matched with corresponding hierarchical key information, so that the key generation device can generate key output information with different security levels when different users access it.
For example, user A, user B, and user C may have a low security level, a medium security level, and a high security level, respectively. The hierarchical key decryption operation unit comprises a first-level key decryption operation unit, a second-level key decryption operation unit and a third-level key decryption operation unit.
Assume that the hierarchical key information includes a first-layer source key, a second-layer source key and a third-layer source key. When the key output information corresponding to user A is generated, the device starts only the first-level key decryption operation unit to complete the encryption and decryption operation, the algorithm selection unit only needs to send encryption and decryption algorithm a to the first-level key decryption operation unit, and the first-level key decryption operation unit decrypts the first-layer source key with the root key information according to encryption and decryption algorithm a to obtain a first-level key. For user A, the first-level key is the required key output information.
When the key output information corresponding to the user B is generated, the device starts a first-level key decryption operation unit and a second-level key decryption operation unit to perform encryption and decryption operation, an algorithm selection unit firstly selects an encryption and decryption algorithm a to send to the first-level key decryption operation unit, and after the first-level key decryption operation unit decrypts to obtain a first-level key (specifically, referring to the generation process of the key output information of the user A), the first-level key is sent to the second-level key decryption operation unit. When the second-level key decryption operation unit performs decryption operation, the main control chip sends the second-level source key to the second-level key decryption operation unit, and the algorithm selection unit selects the encryption and decryption algorithm b and sends the encryption and decryption algorithm b to the second-level key decryption operation unit. And then the second-level key decryption operation unit decrypts the second-level source key by adopting the first-level key according to an encryption and decryption algorithm b to obtain a second-level key. For user B, the secondary key is the required key output information.
When the key output information corresponding to the user C is generated, the device not only starts the first-level key decryption operation unit and the second-level key decryption operation unit to perform encryption and decryption operation, but also starts the third-level key decryption operation unit to perform encryption and decryption operation. The algorithm selection unit selects the encryption and decryption algorithm a to be sent to the first-level key decryption operation unit, and sends the encryption and decryption algorithm b to the second-level key decryption operation unit when the second-level key decryption operation unit performs encryption and decryption operation. After the second-level key decryption operation unit decrypts the second-level key to obtain the second-level key (specifically, refer to the generation process of the key output information of the user B), the second-level key is sent to the third-level key decryption operation unit. When the third-level key decryption operation unit performs encryption and decryption operation, the algorithm selection unit selects an encryption and decryption algorithm c to send to the third-level key decryption operation unit, and the main control chip also sends the third-level source key to the third-level key decryption operation unit, so that the third-level key decryption operation unit decrypts the third-level source key by using the second-level key according to the encryption and decryption algorithm c to obtain a third-level key. For user C, the three-level key is the required key output information.
In some embodiments, the key generation apparatus further comprises:
A biological characteristic information acquisition unit, configured to acquire the biological characteristic information of the current user. The biological characteristic information refers to biological characteristic information of a part of the user's body and comprises one or more of fingerprint information, palm print information, face information, eyeball information, iris information, lip information and auricle information. The biological characteristic information acquisition unit can be implemented by a corresponding biometric recognition chip, such as a face recognition chip or a fingerprint recognition chip.
The main control chip, configured to compare the acquired biological characteristic information with preset biological characteristic information so as to determine the security level corresponding to the current user. In short, each user enrolls preset biological characteristic information in advance and is assigned a corresponding user security level. Each time the user needs to access the access area of the storage device, the key generation device first verifies the user's biological characteristic information to determine the security level of the current user, and then generates key output information of the matching security level using the method above, thereby ensuring the uniqueness and privacy of each user's access to the storage area.
In some embodiments, the key generation apparatus 30 further includes:
a user authentication information storage unit 313 for storing user authentication information. Preferably, the user authentication information storage unit 313 stores therein user authentication information of a plurality of different users. The user authentication information is an ID for distinguishing different users, and may be, for example, a password set by each user, such as a string of characters.
A root key operation unit 305, configured to obtain the user authentication information and the decrypted source key, and perform a hash operation on the user authentication information according to the decrypted source key to obtain root key information. Because the root key information is obtained by performing a hash operation on the user authentication information with the decrypted source key, the source key and the generated root key are guaranteed to have the same number of bits; at the same time, the generated root key information differs when different users authenticate, which further improves security.
In some embodiments, the key generation apparatus 30 further includes: a source data storage unit 301, configured to store encrypted source data, where the source data includes a source key and a hierarchical encryption/decryption algorithm. In this embodiment, the source data storage unit 301 is an OTP storage unit (i.e., a one-time programmable unit), so that source data can be effectively prevented from being tampered. In order to prevent a hacker from directly obtaining source data from the source data storage unit 301, in the present application, the source data is encrypted and then stored in the OTP storage unit, and an initial key used for encrypting the source data may be stored in another storage unit, so as to improve the security of storing the source data.
In order to prevent the key output information from being intercepted and tampered during the generation process, in this embodiment, the hierarchical information storage unit is further configured to store handshake request information and handshake response information, as shown in fig. 3, and the key generation apparatus 30 includes:
A handshake decryption operation circuit 307, configured to decrypt the key output information by using the key output information, so as to obtain handshake encryption key information. The key output information is easy to intercept or tamper with during transmission, but if the key output information is decrypted first, the difficulty of reverse cracking by a hacker is exponentially increased. The key output information is therefore decrypted before key data verification is carried out, yielding the handshake encryption key information.
A handshake encryption operation circuit 308, configured to receive the handshake request information and encrypt it with the handshake encryption key information to obtain handshake encryption information. The handshake request information is the information to be verified; it may be stored in the handshake information storage unit 304 in advance and is encrypted with the handshake encryption key information to obtain the handshake encryption information.
A handshake information check circuit 309, configured to obtain the handshake response information and the handshake encryption information and determine whether they match; if they match, the check passes and the key output information is output. The handshake response information refers to check standard information that is pre-stored in the handshake information storage unit 304 and is obtained by encrypting the handshake request information. By comparing the handshake response information with the handshake encryption information, it can be deduced whether the current key output information has been tampered with, and if the two match, the key output information can be output.
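The layered key chain (root key, then first-, second- and third-level keys) and the handshake check described above can be modelled in software as follows. This is an added example, not code from the patent: the XOR keystream stand-ins for algorithms a, b and c, the HMAC-SHA256 root key, the per-level handshake check, the `provision` helper and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

# Stand-ins for level algorithms a, b, c. The patent names AES, TDES and SM4;
# here each one is an XOR keystream from HMAC over a different hash, so the
# model runs on the standard library. Not a substitute for a real cipher.
ALGORITHMS = {"a": "sha256", "b": "sha384", "c": "sha512"}
KEY_LEN = 32


def crypt(algo, key, data):
    """Encrypt or decrypt `data` (XOR with a keystream, so both are one call)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = hmac.new(key, counter.to_bytes(4, "big"), ALGORITHMS[algo])
        stream += block.digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def root_key(source_key, user_auth):
    # Assumption: the keyed "hash operation" of unit 305 is HMAC-SHA256, which
    # keeps the root key the same length as the 32-byte source key.
    return hmac.new(source_key, user_auth, "sha256").digest()


def handshake_value(algo, key_out, request):
    hs_key = crypt(algo, key_out, key_out)  # circuit 307: key output under itself
    return crypt(algo, hs_key, request)     # circuit 308: encrypt the request


def provision(initial_key, source_key, user_auth, level_keys, request):
    """Hypothetical factory step: build the OTP blob, level blobs and responses."""
    algos = "abc"[: len(level_keys)]
    otp_blob = crypt("a", initial_key, source_key + algos.encode())
    parent, blobs, responses = root_key(source_key, user_auth), [], []
    for algo, level_key in zip(algos, level_keys):
        blobs.append(crypt(algo, parent, level_key))  # wrapped under parent key
        responses.append(handshake_value(algo, level_key, request))
        parent = level_key
    return otp_blob, {"blobs": blobs, "responses": responses, "request": request}


def unlock(otp_blob, initial_key, user_auth, level, store):
    """Device side: walk the chain up to `level`; return the key or None."""
    plain = crypt("a", initial_key, otp_blob)          # unit 302
    source_key = plain[:KEY_LEN]
    algos = [chr(b) for b in plain[KEY_LEN:]]
    if not 1 <= level <= len(algos) or any(a not in ALGORITHMS for a in algos):
        return None
    key = root_key(source_key, user_auth)              # unit 305
    for i in range(level):
        key = crypt(algos[i], key, store["blobs"][i])  # units 3061..3063
        got = handshake_value(algos[i], key, store["request"])
        if not hmac.compare_digest(got, store["responses"][i]):  # circuit 309
            return None                                # key is never released
    return key


def demo():
    # All values below are constructed for the example.
    initial_key = bytes(range(KEY_LEN))
    source_key = hashlib.sha256(b"constructed source key").digest()
    level_keys = [hashlib.sha256(b"level %d" % n).digest() for n in (1, 2, 3)]
    user = b"user-C-auth"
    otp, store = provision(initial_key, source_key, user, level_keys,
                           b"constructed handshake request")
    good = [unlock(otp, initial_key, user, n, store) for n in (1, 2, 3)]
    # One flipped bit in the stored second-level blob.
    blobs = list(store["blobs"])
    blobs[1] = bytes([blobs[1][0] ^ 1]) + blobs[1][1:]
    tampered = dict(store, blobs=blobs)
    return {
        "good": good == level_keys,
        "wrong_user": unlock(otp, initial_key, b"user-A-auth", 1, store),
        "after_tamper": [unlock(otp, initial_key, user, n, tampered)
                         for n in (1, 2, 3)],
        "level1": level_keys[0],
    }


if __name__ == "__main__":
    print(demo())
```

In the model, a different user's authentication information or a single flipped bit in a stored level blob changes the recovered key, the handshake comparison fails, and no key is released at that level or any level above it.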
As shown in fig. 3, so that different users can use functions with different permissions when using the chip to be tested, in this embodiment different levels may be set for the key information according to the user; that is, the key generation device may generate the key information to be tested at the level corresponding to the security level of the user, and the higher the level, the higher the security of the key information to be tested.
Taking three security levels for the key as an example, the apparatus includes a key selection unit 310. The decryption operation unit includes a primary decryption operation unit 3061, a secondary decryption operation unit 3062, and a tertiary decryption operation unit 3063. The handshake decryption operation circuit comprises a first-stage handshake decryption operation circuit 3071, a second-stage handshake decryption operation circuit 3072 and a third-stage handshake decryption operation circuit 3073. The handshake encryption operation circuit comprises a first-stage handshake encryption operation circuit 3081, a second-stage handshake encryption operation circuit 3082 and a third-stage handshake encryption operation circuit 3083. The algorithm information storage unit 303 holds a plurality of encryption and decryption algorithms, including a first-level encryption and decryption algorithm, a second-level encryption and decryption algorithm, and a third-level encryption and decryption algorithm, which are selected in turn through a first-level algorithm selection unit 3111, a second-level algorithm selection unit 3112, and a third-level algorithm selection unit 3113. The hierarchical key information includes a first layer source key, a second layer source key, and a third layer source key.
The key generation apparatus 30 illustrated in fig. 3 operates as follows: the key generation device 30 obtains the current user level and, through the key selection unit 310, outputs the test key matching that user level to the key recording unit 40. If the user level has three levels, the key selection unit 310 sequentially selects a first-level key, a second-level key and a third-level key for output, wherein the security level of the third-level key is greater than that of the second-level key, and the security level of the second-level key is greater than that of the first-level key.
The primary key is generated as follows:
The source data decryption unit 302 obtains the encrypted source key and hierarchical encryption/decryption algorithm from the source data storage unit 301 and decrypts them, obtaining a decrypted source key and a decrypted hierarchical encryption/decryption algorithm; it sends the decrypted source key to the root key operation unit 305 and stores the decrypted hierarchical key encryption/decryption algorithm in the algorithm information storage unit 303. The root key operation unit acquires the user authentication information and the decrypted source key, and performs a hash operation on the user authentication information according to the decrypted source key to obtain root key information.
The primary decryption operation unit 3061 receives the first-level source key from the hierarchical information storage unit 304, and the first-level algorithm selection unit 3111 selects the first-level key encryption and decryption algorithm and passes it to the primary decryption operation unit 3061, so that the primary decryption operation unit 3061 decrypts the first-level source key with the root key information, using the first-level key encryption and decryption algorithm, to obtain the first-level key. If the security level of the current user is level one, the key selection unit 310 may select the first-level key for output.
Before output, to prevent the first-level key from being tampered with during transmission, the generated first-level key needs to be verified. Specifically, the first-level key is encrypted once by using the first-level key itself through the first-level handshake decryption operation circuit 3071, so that first-level handshake encryption key information is obtained. Then the first-level handshake encryption operation circuit 3081 receives the first-level handshake request data transmitted by the hierarchical information storage unit 304 and encrypts it by using the first-level handshake encryption key information, so as to obtain first-level handshake encryption information. Then the first layer handshake response data transmitted by the hierarchical information storage unit 304 is received and compared with the first layer handshake encryption information; if the two match, indicating that the first-level key has not been tampered with, the first layer handshake response data is output through the key selection unit 310; otherwise, a prompt message is sent.
The secondary key is generated as follows:
The generation process of the secondary key is similar to that of the primary key; the difference is that the primary key is used as the input parameter for generating the secondary key (equivalent to the root key input when the primary key is generated). Specifically, the secondary decryption operation unit 3062 receives the second-layer source key from the hierarchical information storage unit 304, and the secondary algorithm selection unit 3112 selects the secondary key encryption/decryption algorithm and passes it to the secondary decryption operation unit 3062, so that the secondary decryption operation unit 3062 decrypts the second-layer source key with the primary key, using the secondary key encryption/decryption algorithm, and a secondary key is obtained. If the security level of the current user is level two, the key selection unit 310 may select the secondary key for output.
Before output, to prevent the second-level key from being tampered with during transmission, the generated second-level key needs to be verified. Specifically, the second-level key is encrypted once by using the second-level key itself through the second-level handshake decryption operation circuit 3072, so that the second-level handshake encryption key information is obtained. Then the second-level handshake encryption operation circuit 3082 receives the second-level handshake request data transmitted by the hierarchical information storage unit 304 and encrypts it by using the second-level handshake encryption key information, so as to obtain second-level handshake encryption information. Then the second-layer handshake response data transmitted by the hierarchical information storage unit 304 is received and compared with the second-layer handshake encryption information; if the two match, indicating that the secondary key has not been tampered with, the second-layer handshake response data is output through the key selection unit 310; otherwise, a prompt message is sent.
The generation process of the tertiary key is as follows:
The generation process of the third-level key is similar to that of the second-level key; the difference is that the second-level key is used as the input parameter for generating the third-level key (equivalent to the first-level key input during generation of the second-level key). Specifically, the third-level decryption operation unit 3063 receives the third-level source key from the hierarchical information storage unit 304, and the third-level algorithm selection unit 3113 selects the third-level key encryption/decryption algorithm and passes it to the third-level decryption operation unit 3063, so that the third-level decryption operation unit 3063 decrypts the third-level source key with the second-level key, using the third-level key encryption/decryption algorithm, and. If the security level of the current user is level three, the key selection unit 310 may select the third-level key for output.
Before output, to prevent the third-level key from being tampered with during transmission, the generated third-level key needs to be verified. Specifically, the third-level key is encrypted once by using the third-level key itself through the third-level handshake decryption operation circuit 3073, so that the third-level handshake encryption key information is obtained. Then the three-level handshake encryption operation circuit 3083 receives the third-level handshake request data transmitted by the hierarchical information storage unit 304 and encrypts it by using the three-level handshake encryption key information, so as to obtain third-level handshake encryption information. Then the third-layer handshake response data transmitted by the hierarchical information storage unit 304 is received and compared with the third-layer handshake encryption information; if the two match, indicating that the third-layer key has not been tampered with, the third-layer handshake response data is output through the key selection unit 310; otherwise, a prompt message is sent.
Of course, in other embodiments, the number of the user levels may also be other numbers, such as two security levels or more than four security levels, and correspondingly, the hierarchy of the key output information may also be other numbers, which are specifically set according to actual needs. When the key output information is in other levels, the generation manner thereof can refer to the circuit application process shown in fig. 3, and details thereof are not repeated here.
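The three-level chain and per-level handshake check described above, as an added Python example that is not part of the patent. The patent names no algorithms, so HMAC-SHA256 as the root-key hash and an XOR keystream as the per-level encryption/decryption algorithm are stand-ins assumed here, and every function name, label and sample value is constructed.

```python
import hashlib
import hmac

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def crypt(key: bytes, data: bytes, level: int) -> bytes:
    """Stand-in for the level-N encryption/decryption algorithm (assumption):
    XOR with an HMAC-SHA256 counter keystream, so encrypt and decrypt coincide."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += prf(key, bytes([level]) + ctr.to_bytes(4, "big"))
        ctr += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def root_key(source_key: bytes, user_auth: bytes) -> bytes:
    """Root key: keyed hash of the user authentication info under the source key."""
    return prf(source_key, user_auth)

def handshake_value(level_key: bytes, request: bytes, level: int) -> bytes:
    """Transform the level key with itself, then encrypt the handshake request."""
    hs_key = crypt(level_key, level_key, level)
    return crypt(hs_key, request, level)

def provision(source_key: bytes, user_auth: bytes, levels: int = 3) -> list:
    """Factory setting: per level, store layer source key, request and response."""
    store, parent = [], root_key(source_key, user_auth)
    for n in range(1, levels + 1):
        level_key = prf(source_key, b"level-key" + bytes([n]))  # constructed
        request = prf(source_key, b"hs-request" + bytes([n]))   # constructed
        store.append({
            "layer_source_key": crypt(parent, level_key, n),
            "hs_request": request,
            "hs_response": handshake_value(level_key, request, n),
        })
        parent = level_key  # level n key is the input for level n + 1
    return store

def derive(store: list, source_key: bytes, user_auth: bytes, user_level: int) -> bytes:
    """Walk the chain up to user_level; this example checks every level on the way."""
    if not 1 <= user_level <= len(store):
        raise ValueError("unknown user level")
    key = root_key(source_key, user_auth)
    for n, entry in enumerate(store[:user_level], start=1):
        key = crypt(key, entry["layer_source_key"], n)
        got = handshake_value(key, entry["hs_request"], n)
        # Constant-time comparison of computed and stored handshake values.
        if not hmac.compare_digest(got, entry["hs_response"]):
            raise ValueError(f"level {n} handshake check failed")
    return key

def demo() -> dict:
    src, auth = b"constructed-source-key", b"constructed-user-auth"
    store = provision(src, auth)
    results = {"level3": derive(store, src, auth, 3)}
    # Flip one bit of the stored second-layer source key.
    tampered = [dict(e) for e in store]
    blob = bytearray(tampered[1]["layer_source_key"])
    blob[0] ^= 0x01
    tampered[1]["layer_source_key"] = bytes(blob)
    results["level1_after_tamper"] = (
        derive(tampered, src, auth, 1) == derive(store, src, auth, 1))
    for name, args in (("tampered_level2", (tampered, src, auth, 2)),
                       ("wrong_user", (store, src, b"someone-else", 1))):
        try:
            derive(*args)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```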
In some embodiments, the key output information generated by the key generation apparatus 30 may be stored in the key recording unit 40 to wait for the selective calling of other functional modules, such as encryption and decryption of different operation data in the chip circuit process.
As shown in fig. 4, the second aspect of the present application further provides a key generation method, which is applied to the apparatus according to the first aspect of the present application, and the method includes the following steps:
First, in step S401, the source data decryption unit acquires encrypted source data and decrypts it to obtain a decrypted source key and a decrypted hierarchical encryption and decryption algorithm;
then, in step S402, the root key operation unit calculates root key information according to the decrypted source key;
then, in step S403, the hierarchy decryption operation unit acquires hierarchy key information, a hierarchy key encryption and decryption algorithm and root key information, and decrypts the hierarchy key information by using the root key information according to the hierarchy key encryption and decryption algorithm to obtain key output information.
Generally, the key generation device needs certain factory settings before being put into use; specifically, some verification data needed in the key generation process is solidified inside the key generation device. Thus, as shown in fig. 5, the method includes the following steps:
The process first proceeds to step S501, in which a user security level is preset and stored in the user level storage unit.
The process then proceeds to step S502 to set the source key.
Step S502 may be followed by step S503 of obtaining the hierarchical key information and the handshake request information through a derivation algorithm according to the source key. At the same time, the process may enter step S505 to set a corresponding security level for the current user and the user authentication information corresponding to the user.
Step S503 may be followed by step S504 of storing the hierarchical key information and the handshake request information in a hierarchical key information storage unit.
Then, the process proceeds to step S506 to complete the initial setting of the user key.
As shown in fig. 6, in some embodiments, the key generation method includes the steps of:
The method first proceeds to step S601, in which the source data storage unit stores encrypted source data, where the source data includes a source key and a hierarchical encryption/decryption algorithm.
Then, in step S602, the source data decryption unit obtains the encrypted source data and decrypts it to obtain a decrypted source key and a decrypted hierarchical encryption/decryption algorithm, sends the decrypted source key to the root key operation unit, and stores the decrypted hierarchical key encryption/decryption algorithm in the algorithm information storage unit.
In parallel with step S601 and step S602, the method may proceed to step S603, in which the hierarchy information storage unit stores hierarchy key information and the user authentication information storage unit stores user authentication information.
After step S602 and step S603, the method may proceed to step S604, in which the root key operation unit obtains the user authentication information and the decrypted source key, and performs a hash operation on the user authentication information according to the decrypted source key to obtain root key information.
After step S604, the method may proceed to step S605, in which the hierarchical decryption operation unit obtains the hierarchical key encryption and decryption algorithm, the hierarchical key information, and the root key information, and decrypts the hierarchical key information with the root key information using the hierarchical key encryption and decryption algorithm, so as to obtain key output information.
It should be noted that, although the above embodiments have been described herein, the invention is not limited thereto. Therefore, based on the innovative concepts of the present invention, the technical solutions of the present invention can be directly or indirectly applied to other related technical fields by making changes and modifications to the embodiments described herein, or by using equivalent structures or equivalent processes performed in the content of the present specification and the attached drawings, which are included in the scope of the present invention.

Claims (10)

1. A key generation apparatus, comprising:
the source data decryption unit is used for acquiring the encrypted source data for decryption to obtain a decrypted source key and a decrypted hierarchical encryption and decryption algorithm;
a root key operation unit, configured to calculate root key information according to the decrypted source key;
and the hierarchy decryption operation unit is used for acquiring hierarchy key information, a hierarchy key encryption and decryption algorithm and root key information, and decrypting the hierarchy key information by adopting the root key information according to the hierarchy key encryption and decryption algorithm to obtain key output information.
2. The key generation apparatus of claim 1, further comprising:
the algorithm information storage unit is used for storing the decrypted hierarchical encryption and decryption algorithm;
and the algorithm selection unit is used for selecting different levels of encryption and decryption algorithms to the level decryption operation unit according to the user security level.
3. The key generation apparatus of claim 1, further comprising:
a hierarchy information storage unit for storing hierarchy key information;
and the main control chip is used for acquiring the hierarchy key information in the hierarchy information storage unit and transmitting the hierarchy key information to the hierarchy decryption operation unit.
4. The key generation apparatus of claim 1, further comprising:
a user level storage unit for storing a user security level;
and the main control chip is also used for sending corresponding hierarchy key information to the hierarchy decryption operation unit according to the security level corresponding to the current user.
5. The key generation apparatus of claim 4, further comprising:
the biological characteristic information acquisition unit is used for acquiring the biological characteristic information of the current user;
and the main control chip is used for comparing the acquired biological characteristic information with preset biological characteristic information so as to determine the security level corresponding to the current user.
6. The key generation apparatus of claim 4, wherein the hierarchical decryption operation unit includes a primary decryption operation unit and a secondary decryption operation unit; the hierarchical key information includes first hierarchical key information and second hierarchical key information; the hierarchical encryption and decryption algorithm comprises a first hierarchical encryption and decryption algorithm and a second hierarchical encryption and decryption algorithm;
the main control chip is used for acquiring the first-level key information from the level information storage unit and transmitting the first-level key information to the first-level decryption operation unit; the first level is used for acquiring second-level key information from the level information storage unit and transmitting the second-level key information to the second-level decryption operation unit;
the first-level decryption operation unit is used for decrypting the first-level key information by adopting the root key information according to the first-level key encryption and decryption algorithm to obtain a first-level key;
and the second-level decryption operation unit is used for acquiring the first-level key and decrypting the second-level key information by adopting the first-level key information according to the second-level key encryption and decryption algorithm to obtain a second-level key.
7. The key generation apparatus of claim 1, further comprising:
a user authentication information storage unit for storing user authentication information;
and the root key operation unit is used for acquiring the user authentication information and the decrypted source key, and performing hash operation on the user authentication information according to the decrypted source key to obtain root key information.
8. The key generation apparatus according to claim 1, wherein the hierarchical information storage unit is further configured to store handshake request information and handshake response information;
the key generation apparatus includes:
the handshake decryption operation circuit is used for decrypting the key output information by adopting the key output information to obtain handshake encryption key information;
the handshake encryption operation circuit is used for receiving the handshake request information and encrypting the handshake request information by adopting the handshake encryption key information to obtain handshake encryption information;
and the handshake information check circuit is used for acquiring the handshake response information and the handshake encryption information, judging whether the handshake response information and the handshake encryption information are matched, and outputting the key output information if the handshake response information and the handshake encryption information are matched.
9. The key generation apparatus of claim 1, further comprising:
the source data storage unit is used for storing encrypted source data, and the source data comprises a source key and a hierarchical encryption and decryption algorithm; the source data storage unit is an OTP storage unit.
10. A key generation method, characterized in that the method is applied to the key generation apparatus according to any one of claims 1 to 9, the method comprising the steps of:
the source data decryption unit obtains encrypted source data for decryption to obtain a decrypted source key and a decrypted hierarchical encryption and decryption algorithm;
the root key operation unit calculates the decrypted source key to obtain root key information;
the hierarchy decryption operation unit acquires hierarchy key information, a hierarchy key encryption and decryption algorithm and root key information, and decrypts the hierarchy key information by adopting the root key information according to the hierarchy key encryption and decryption algorithm to obtain key output information.
CN202011166625.7A 2020-10-27 Key generation method and device Active CN112272090B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011166625.7A CN112272090B (en) 2020-10-27 Key generation method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011166625.7A CN112272090B (en) 2020-10-27 Key generation method and device

Publications (2)

Publication Number Publication Date
CN112272090A (en) 2021-01-26
CN112272090B (en) 2024-04-19

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112968904A (en) * 2021-03-16 2021-06-15 中国科学院深圳先进技术研究院 Block chain data protection method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120269340A1 (en) * 2011-04-22 2012-10-25 Stu Jay Hierarchical encryption/decryption device and method thereof
US8892865B1 (en) * 2012-03-27 2014-11-18 Amazon Technologies, Inc. Multiple authority key derivation
CN107276756A (en) * 2017-07-27 2017-10-20 深圳市金立通信设备有限公司 A kind of method and server for obtaining root key
CN108599930A (en) * 2018-04-02 2018-09-28 湖南国科微电子股份有限公司 Firmware encrypting and deciphering system and method
CN110098924A (en) * 2019-04-19 2019-08-06 深圳华中科技大学研究院 Support can search for the level cipher key technique of transparent encryption
CN110502918A (en) * 2019-07-09 2019-11-26 杭州电子科技大学 A kind of electronic document access control method and system based on classification safety encryption

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant