CN112272090B - Key generation method and device - Google Patents

Key generation method and device Download PDF

Info

Publication number
CN112272090B
CN112272090B CN202011166625.7A CN202011166625A CN112272090B CN 112272090 B CN112272090 B CN 112272090B CN 202011166625 A CN202011166625 A CN 202011166625A CN 112272090 B CN112272090 B CN 112272090B
Authority
CN
China
Prior art keywords
key
information
hierarchical
encryption
decryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011166625.7A
Other languages
Chinese (zh)
Other versions
CN112272090A (en
Inventor
廖裕民
陈娇丽
刘承
骆飞
刘学
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Anjili New Technology Co ltd
Original Assignee
Shenzhen Anjili New Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Anjili New Technology Co ltd filed Critical Shenzhen Anjili New Technology Co ltd
Priority to CN202011166625.7A priority Critical patent/CN112272090B/en
Publication of CN112272090A publication Critical patent/CN112272090A/en
Application granted granted Critical
Publication of CN112272090B publication Critical patent/CN112272090B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The invention provides a key generation method and a device, wherein the device comprises the following steps: the source data decryption unit is used for obtaining the encrypted source data and decrypting the encrypted source data to obtain a decrypted source key and a decrypted hierarchical encryption and decryption algorithm; the root key operation unit is used for calculating and obtaining root key information according to the decrypted source key; the hierarchical decryption operation unit is used for acquiring hierarchical key information, a hierarchical key encryption and decryption algorithm and root key information, decrypting the hierarchical key information by adopting the root key information according to the hierarchical key encryption and decryption algorithm, and obtaining key output information. In the scheme, the key output information is obtained by the source key through a multi-layer encryption method, so that the security of the key generation process is greatly improved.

Description

Key generation method and device
Technical Field
The present invention relates to the field of chip circuit design, and in particular, to a method and apparatus for generating a key.
Background
SSD data storage has evolved into the primary storage medium for consumer device data storage and cloud storage. For SSD data storage, the meaning of data error correction is significant, especially for personal critical data and government agency related data. The SSD main control chip is used as the brain of the SSD storage device, and the safety performance of the SSD main control chip directly determines the overall final safety performance of the SSD hard disk.
Currently, for the secure access of each user data, the most commonly used method is still to set a password, and user authorization is completed by checking the password, but one SSD storage device may be used by different users, and the different users should have different security levels, corresponding to different accessible spaces. The method of setting the password cannot ensure the uniqueness of the user for accessing the corresponding storage area, and the situation that the user forgets the password and cannot access the data area of the storage device is easily caused.
Disclosure of Invention
Therefore, a technical scheme for generating a key is needed to solve the problems that the data area of the storage device cannot be accessed by a user at present, and the uniqueness and the security are weak.
To achieve the above object, a first aspect of the present invention provides a key generation apparatus comprising:
The source data decryption unit is used for obtaining encrypted source data for decryption to obtain a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm;
the root key operation unit is used for calculating and obtaining root key information according to the decrypted source key;
The hierarchical decryption operation unit is used for acquiring hierarchical key information, a hierarchical key encryption and decryption algorithm and root key information, decrypting the hierarchical key information by adopting the root key information according to the hierarchical key encryption and decryption algorithm, and obtaining key output information.
Further, the method further comprises the following steps:
The algorithm information storage unit is used for storing the decrypted hierarchical key encryption and decryption algorithm;
and the algorithm selection unit is used for selecting different hierarchical key encryption and decryption algorithms to the hierarchical decryption operation unit according to the security level of the user.
Further, the method further comprises the following steps:
A hierarchical information storage unit for storing hierarchical key information;
and the main control chip is used for acquiring the hierarchical key information in the hierarchical information storage unit and transmitting the hierarchical key information to the hierarchical decryption operation unit.
Further, the method further comprises the following steps:
The user grade storage unit is used for storing the user security grade;
the main control chip is also used for sending corresponding hierarchical key information to the hierarchical decryption operation unit according to the security level corresponding to the current user.
Further, the method further comprises the following steps:
The biological characteristic information acquisition unit is used for acquiring biological characteristic information of the current user;
The main control chip is used for comparing the collected biological characteristic information with preset biological characteristic information so as to determine the security level corresponding to the current user.
Further, the hierarchical decryption operation unit comprises a primary decryption operation unit and a secondary decryption operation unit; the hierarchical key information comprises primary hierarchical key information and secondary hierarchical key information; the hierarchical key encryption and decryption algorithm comprises a primary hierarchical key encryption and decryption algorithm and a secondary hierarchical key encryption and decryption algorithm;
The main control chip is used for acquiring the primary level key information from the level information storage unit and transmitting the primary level key information to the primary decryption operation unit; the hierarchical information storage unit is used for acquiring the secondary hierarchical key information from the hierarchical information storage unit and transmitting the secondary hierarchical key information to the secondary decryption operation unit;
The primary decryption operation unit is used for decrypting the primary level key information by adopting the root key information according to the primary level key encryption and decryption algorithm to obtain a primary key;
And the secondary decryption operation unit is used for acquiring the primary key, and decrypting the secondary level key information by adopting the primary key information according to the secondary level key encryption and decryption algorithm to obtain a secondary key.
Further, the method further comprises the following steps:
the user authentication information storage unit is used for storing user authentication information;
and the root key operation unit is used for acquiring the user verification information and the decrypted source key, and carrying out hash operation on the user verification information according to the decrypted source key to obtain root key information.
Further, the hierarchical information storage unit is further configured to store handshake request information and handshake response information;
The key generation apparatus includes:
The handshake decryption operation circuit is used for decrypting the key output information by adopting the key output information to obtain handshake encryption key information;
The handshake encryption operation circuit is used for receiving the handshake request information and encrypting the handshake request information by adopting the handshake encryption key information to obtain handshake encryption information;
and the handshake information checking circuit is used for acquiring the handshake response information and the handshake encryption information, judging whether the handshake response information and the handshake encryption information are matched, and outputting the key output information if the handshake response information and the handshake encryption information are matched.
Further, the method further comprises the following steps:
The source data storage unit is used for storing encrypted source data, and the source data comprises a source key and a hierarchical key encryption and decryption algorithm; the source data storage unit is an OTP storage unit.
The second aspect of the present invention also provides a key generation method, wherein the method is applied to the key generation apparatus according to the first aspect of the present invention, the method comprising the steps of:
the source data decryption unit obtains encrypted source data to decrypt, and obtains a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm;
the root key operation unit calculates and obtains root key information according to the decrypted source key;
the hierarchical decryption operation unit obtains hierarchical key information, a hierarchical key encryption and decryption algorithm and root key information, and decrypts the hierarchical key information by adopting the root key information according to the hierarchical key encryption and decryption algorithm to obtain key output information.
The key generation method and apparatus according to the above technical solutions are different from the prior art, and the apparatus includes: the source data decryption unit is used for obtaining encrypted source data for decryption to obtain a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm; the root key operation unit is used for calculating and obtaining root key information according to the decrypted source key; the hierarchical decryption operation unit is used for acquiring hierarchical key information, a hierarchical key encryption and decryption algorithm and root key information, decrypting the hierarchical key information by adopting the root key information according to the hierarchical key encryption and decryption algorithm, and obtaining key output information. In the scheme, the key output information is obtained by the source key through a multi-layer encryption method, so that the security of the key is greatly improved.
Drawings
Fig. 1 is a schematic diagram of a key generating device according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a key generating apparatus according to another embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a key generating device according to another embodiment of the present invention;
FIG. 4 is a flow chart of a key generation method according to an embodiment of the present invention;
FIG. 5 is a flow chart of a key generation method according to another embodiment of the present invention;
Fig. 6 is a flowchart of a key generation method according to another embodiment of the present invention.
Reference numerals illustrate:
30. A key generation device;
301. a source data storage unit;
302. a source data decryption unit;
303. an algorithm information storage unit;
304. A hierarchy information storage unit;
305. a root key operation unit;
306. A hierarchical decryption operation unit; 3061. a first-stage decryption operation unit; 3062. a secondary decryption operation unit; 3063. a three-stage decryption operation unit;
307. a handshake decryption operation circuit; 3071. a first-stage handshake decryption operation circuit; 3072. a secondary handshake decryption operation circuit; 3073. a three-stage handshake decryption operation circuit;
308. A handshake encryption operation circuit; 3081. a primary handshake encryption operation circuit; 3082. a two-stage handshake encryption operation circuit; 3083. a three-stage handshake encryption operation circuit;
309. A handshake information checking circuit;
310. a key selection unit;
311. An algorithm selection unit; 3111. a first-order algorithm selection unit; 3112. a second-level algorithm selection unit; 3113. a three-level algorithm selection unit;
312. A main control chip;
313. a user authentication information storage unit;
40. a key recording unit.
Detailed Description
In order to describe the technical content, constructional features, achieved objects and effects of the technical solution in detail, the following description is made in connection with the specific embodiments in conjunction with the accompanying drawings.
The key information is used as a data encryption and decryption tool, is a key ring of chip security authentication, and is particularly important to ensure the security of the key generation process. In order to enhance the security of the key generation process, the present application designs a specific key generation device 30 to generate the key information finally required.
Fig. 1 is a schematic diagram of a key generating device according to an embodiment of the present invention. The key generation apparatus includes:
A source data decryption unit 301, configured to obtain encrypted source data and decrypt the encrypted source data, to obtain a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm;
a root key operation unit 305, configured to calculate root key information according to the decrypted source key;
The hierarchical decryption operation unit 306 is configured to obtain hierarchical key information, a hierarchical key encryption and decryption algorithm, and root key information, and decrypt the hierarchical key information by using the root key information according to the hierarchical key encryption and decryption algorithm, so as to obtain key output information. The key output information obtained by the hierarchical decryption operation unit 306 is the key information finally required, and the key output information is obtained by the source key through a multi-layer encryption method, so that the security in the key generation process is greatly improved.
As shown in fig. 2, in some embodiments, the key generating device 30 further includes:
the algorithm information storage unit 303 is configured to store the decrypted hierarchical key encryption and decryption algorithm. The hierarchical key encryption and decryption algorithm is an algorithm selected when data encryption and decryption are carried out later, and specifically can comprise any one or more of aes algorithm, tdes algorithm and sm4 algorithm. After the source data decryption unit 301 decrypts the hierarchical key encryption and decryption algorithm, the hierarchical key encryption and decryption algorithm is stored in the algorithm information storage unit 303, so as to wait for a subsequent call.
The algorithm selecting unit 311 is configured to select different hierarchical key encryption and decryption algorithms to the hierarchical decryption computing unit 306 according to the security level of the user. The user security level refers to access rights that may access different secure storage areas of the storage device. The higher the user security level, the higher the security of the secure storage area it can access, and the more complex the corresponding key generation process.
For example, there are user a, user B, and user C, and the corresponding user security levels are a low security level, a medium security level, and a high security level, respectively. The hierarchical key decryption operation unit includes a first hierarchical key decryption operation unit, a second hierarchical key decryption operation unit, and a third hierarchical key decryption operation unit. The arithmetic information storage unit is assumed to store three encryption and decryption algorithms, namely a, b and c.
When the key output information corresponding to the user A is generated, the device only starts the first-level key decryption operation unit to complete encryption and decryption operation, and the algorithm selection unit only needs to send the encryption and decryption algorithm a to the first-level key decryption operation unit.
When the key output information corresponding to the user B is generated, the device starts the first-level key decryption operation unit and the second-level key decryption operation unit to carry out encryption and decryption operation, the algorithm selection unit firstly selects the encryption and decryption algorithm a to send to the first-level key decryption operation unit, and when the subsequent second-level key decryption operation unit carries out encryption and decryption operation, the encryption and decryption algorithm B is sent to the second-level key decryption operation unit.
When the key output information corresponding to the user C is generated, the device not only starts the first-level key decryption operation unit and the second-level key decryption operation unit to perform encryption and decryption operations, but also starts the third-level key decryption operation unit to perform encryption and decryption operations. The algorithm selecting unit firstly selects the encryption and decryption algorithm a to be sent to the first-level key decryption operation unit, and sends the encryption and decryption algorithm b to the second-level key decryption operation unit when the second-level key decryption operation unit performs encryption and decryption operations, and sends the encryption and decryption algorithm c to the third-level key decryption operation unit when the third-level key decryption operation unit performs encryption and decryption operations subsequently, so that the third-level key decryption operation unit completes corresponding encryption and decryption operations to output the key output information.
In this embodiment, the algorithm selecting unit 311 selects different hierarchical key encryption and decryption algorithms from the algorithm information storage unit 303 to the corresponding hierarchical decryption operation unit 306 according to different security levels of users, so that different security level users can set different access to different storage areas in the same storage device, access to the same storage device of different security level users is ensured not to be affected, and privacy and security of an access process are further improved.
In some embodiments, the key generating device 30 further comprises:
A hierarchical information storage unit 304 for storing hierarchical key information;
The main control chip 312 is configured to obtain the hierarchical key information in the hierarchical information storage unit 304, and transmit the hierarchical key information to the hierarchical information storage unit.
In this way, the decryption algorithm in the key output information generation process is derived from the encryption and decryption algorithm in the algorithm information storage unit 303, and is screened by the algorithm selection unit 311, the decryption object of the screened encryption and decryption algorithm is the hierarchical key information sent by the main control chip 312, and the key used in the decryption process is root key information, specifically: the hierarchical decryption operation unit 306 decrypts the hierarchical key information by using the root key information according to the hierarchical key encryption and decryption algorithm, and obtains key output information. The hierarchical key information, the hierarchical key encryption and decryption algorithm and the root key information come from different units respectively, so that the security of the generated key output information is further improved.
In certain embodiments, further comprising: the user grade storage unit is used for storing the user security grade; the main control chip is also used for sending corresponding hierarchical key information to the hierarchical decryption operation unit according to the security level corresponding to the current user. The same storage device can be accessed by a plurality of different users, corresponding security levels are set for each user in order to ensure that the access of the same storage device by the users is not affected, and corresponding hierarchical key information is matched with the security levels corresponding to the users, so that the key generation device can generate key output information with different security levels when the users access.
For example, there are user a, user B, and user C, and the corresponding user security levels are a low security level, a medium security level, and a high security level, respectively. The hierarchical key decryption operation unit includes a first hierarchical key decryption operation unit, a second hierarchical key decryption operation unit, and a third hierarchical key decryption operation unit.
And if the hierarchical key information comprises a first-layer source key, a second-layer source key and a third-layer source key, when the key output information corresponding to the user A is generated, the device only starts a first-layer key decryption operation unit to complete encryption and decryption operation, an algorithm selection unit only needs to send an encryption and decryption algorithm a to the first-layer key decryption operation unit, and the first-layer decryption operation unit decrypts the first-layer source key by adopting the root key information according to the encryption and decryption algorithm a to obtain a first-level key. For the user A, the primary key is the required key output information.
When the key output information corresponding to the user B is generated, the device starts the first-level key decryption operation unit and the second-level key decryption operation unit to carry out encryption and decryption operation, the algorithm selection unit firstly selects the encryption and decryption algorithm a to send to the first-level key decryption operation unit, and after the first-level key decryption operation unit decrypts to obtain the primary key (the specific practice refers to the generation process of the key output information of the user A), the primary key is sent to the second-level key decryption operation unit. When the second-level key decryption operation unit performs decryption operation, the main control chip sends the second-level source key to the second-level key decryption operation unit, and the algorithm selection unit selects the encryption and decryption algorithm b and sends the encryption and decryption algorithm b to the second-level key decryption operation unit. And then the second-level key decryption operation unit decrypts the second-level source key by adopting the first-level key according to the encryption and decryption algorithm b to obtain a second-level key. For user B, the secondary key is the required key output information.
When the key output information corresponding to the user C is generated, the device not only starts the first-level key decryption operation unit and the second-level key decryption operation unit to perform encryption and decryption operations, but also starts the third-level key decryption operation unit to perform encryption and decryption operations. The algorithm selecting unit firstly selects the encryption and decryption algorithm a to send to the first-level key decryption operation unit, and sends the encryption and decryption algorithm b to the second-level key decryption operation unit when the second-level key decryption operation unit performs encryption and decryption operation. After the second-level key decryption operation unit decrypts the second-level key (specifically, refer to the generation process of the key output information of the user B), the second-level key is sent to the third-level key decryption operation unit. When the third-level key decryption operation unit performs encryption and decryption operation, the algorithm selection unit selects an encryption and decryption algorithm c to send to the third-level key decryption operation unit, and the main control chip also sends the third-level source key to the third-level key decryption operation unit, so that the third-level key decryption operation unit decrypts the third-level source key by adopting the second-level key according to the encryption and decryption algorithm c to obtain the third-level key. For the user C, the three-level key is the required key output information.
In some embodiments, the key generation apparatus further comprises:
And the biological characteristic information acquisition unit is used for acquiring the biological characteristic information of the current user. The biological characteristic information refers to biological characteristic information of a user part and comprises one or more of fingerprint information, palm print information, face information, eyeball information, iris information, lip information and auricle information. The biological characteristic information acquisition unit can be realized by a corresponding biological characteristic recognition chip, such as a face recognition chip, a fingerprint recognition chip and the like.
The main control chip is used for comparing the collected biological characteristic information with preset biological characteristic information so as to determine the security level corresponding to the current user. In short, each user inputs preset biological characteristic information corresponding to the user in advance and is provided with corresponding user security levels, the key generation device performs verification in advance based on the biological characteristic information of the user each time when the user needs to access the access area of the storage device so as to determine the security level of the current user, and subsequently, key output information with different security levels can be generated by adopting the method according to the different security levels of the current user, so that the uniqueness and privacy of the access of each user to the storage area are ensured.
In some embodiments, the key generating device 30 further comprises:
the user authentication information storage unit 313 is used for storing user authentication information. Preferably, the user authentication information storage unit 313 stores therein user authentication information of a plurality of different users. The user authentication information is an ID for distinguishing different users, for example, may be a password, such as a string of characters, set by each user.
And the root key operation unit 305 is configured to obtain the user authentication information and the decrypted source key, and perform hash operation on the user authentication information according to the decrypted source key to obtain root key information. Because the root key information is obtained by carrying out hash operation on the user verification information through the decrypted source key, the method can ensure that the digits of the source key and the generated root key are consistent, and ensure that the generated root key information is different when different users are authenticated, thereby further improving the security
In some embodiments, the key generating device 30 further comprises: the source data storage unit 301 is configured to store encrypted source data, where the source data includes a source key and a hierarchical key encryption and decryption algorithm. In this embodiment, the source data storage unit 301 is an OTP storage unit (i.e. one-time programmable unit), so that the source data can be effectively prevented from being tampered with. In order to prevent a hacker from directly obtaining source data from the source data storage unit 301, the source data is encrypted and then stored in the OTP storage unit in the present application, and an initial key used for encrypting the source data may be stored in other storage units, so as to improve the security of source data storage.
In order to prevent the key output information from being intercepted and tampered during the generation process, in this embodiment, the hierarchical information storage unit is further configured to store handshake request information and handshake response information, as shown in fig. 3, the key generation apparatus 30 includes:
The handshake decryption operation circuit 307 is configured to decrypt the key output information by using the key output information to obtain handshake encryption key information. The key output information is easy to intercept or tamper in the transmission process, but if the key output information is firstly used for decrypting the key output information, the difficulty of reverse decryption of a hacker is exponentially increased, so that the key output information is firstly used for decrypting the key output information before the key data is verified, and handshake encryption key information is obtained.
And the handshake encryption operation circuit 308 is configured to receive the handshake request information, and encrypt the handshake request information with the handshake encryption key information to obtain handshake encryption information. The handshake request information may be stored in the handshake information storage unit 304 in advance, where the handshake request information refers to information to be verified, and may obtain handshake encryption information after being encrypted by handshake encryption key information.
And the handshake information checking circuit 309 is configured to obtain the handshake response information and the handshake encryption information, and determine whether the handshake response information and the handshake encryption information are matched, and if yes, output the key output information through checking. The handshake response information refers to the check standard information that is stored in the handshake information storage unit 304 in advance and is obtained after the handshake request information is encrypted. By comparing the handshake response information with the handshake encryption information, whether the current key output information is tampered or not can be deduced, and if the current key output information is matched with the handshake encryption information, the key output information can be output.
As shown in fig. 3, in order to enable the different users to use the function of different authorities when using the chip to be tested, in this embodiment, different levels may also be set for the key information when different users use the chip to be tested, that is, the key generating device may generate the key information to be tested of the corresponding level according to the security level of the user, and the higher the level, the higher the security of the key information to be tested.
Taking three security levels as key levels for example, the apparatus comprises a key selection unit 310. The decryption operation units comprise a primary decryption operation unit 3061, a secondary decryption operation unit 3062 and a tertiary decryption operation unit 3063. The handshake decryption operation circuit includes a primary handshake decryption operation circuit 3071, a secondary handshake decryption operation circuit 3072, and a tertiary handshake decryption operation circuit 3073. The handshake encryption operation circuit comprises a primary handshake encryption operation circuit 3081, a secondary handshake encryption operation circuit 3082 and a tertiary handshake encryption operation circuit 3083. The algorithm information storage unit 303 is provided with a plurality of encryption and decryption algorithms, including a primary encryption and decryption algorithm, a secondary encryption and decryption algorithm, and a tertiary encryption and decryption algorithm, and sequentially selects by a primary algorithm selection unit 3111, a secondary algorithm selection unit 3112, and a tertiary algorithm selection unit 3113. The hierarchical key information includes a first layer source key, a second layer source key, and a third layer source key.
The key generation device 30 described in fig. 3 operates as follows: the key generating device 30 obtains the current user class, and outputs a test key matched with the user class to the key recording unit 40 through the key selecting unit 310, and if the user class has three classes, the key selecting unit 310 sequentially selects a primary key, a secondary key and a tertiary key for output, wherein the security class of the tertiary key is greater than that of the secondary key, and the security class of the secondary key is greater than that of the primary key.
The primary key is generated as follows:
The source data decryption unit 302 obtains the source key and the hierarchical key encryption and decryption algorithm encrypted in the source data storage unit 301 to decrypt, obtains the source key and the hierarchical key encryption and decryption algorithm decrypted, sends the source key decrypted to the root key operation unit 305, and stores the hierarchical key encryption and decryption algorithm decrypted in the algorithm information storage unit 303. And the root key operation unit acquires the user verification information and the decrypted source key, and carries out hash operation on the user verification information according to the decrypted source key to obtain root key information.
The next-stage decryption operation unit 3061 receives the first-layer source key of the hierarchical information storage unit 304, and the first-stage algorithm selection unit 3111 selects a first-stage key encryption and decryption algorithm to the first-stage decryption operation unit 3061, so that the first-stage decryption operation unit 3061 decrypts the first-layer source key by applying the root key information with the first-stage key encryption and decryption algorithm, and obtains the first-stage key. The key selection unit 310 may select the primary key output if the security level of the current user is primary.
Before outputting, in order to prevent the primary key from being tampered in the transmission process, the generated primary key needs to be checked, specifically, the primary key is encrypted once by the primary handshake decryption operation circuit 3071, so as to obtain primary handshake encryption key information. And then, the first-layer handshake request data transmitted by the hierarchical information storage unit 304 is received by the first-layer handshake encryption operation circuit 3081, and the first-layer handshake request data is encrypted by adopting the first-layer handshake encryption key information, so as to obtain first-layer handshake encryption information. And then receiving the first-layer handshake response data transmitted by the hierarchical information storage unit 304, comparing the first-layer handshake response data with the first-layer handshake encryption information, if the first-layer handshake response data and the first-layer handshake encryption information are matched, the first-layer handshake encryption information indicates that the primary secret key is not tampered, the first-layer handshake encryption information can be output through the secret key selection unit 310, otherwise, prompt information can be sent.
The secondary key is generated as follows:
The generation process of the secondary key is similar to that of the primary key, except that the primary key is used as an input parameter (corresponding to a root key input during generation of the primary key) of the secondary key generation, specifically, the secondary decryption operation unit 3062 receives the second layer source key of the hierarchical information storage unit 304, and the secondary algorithm selection unit 3112 selects a secondary key encryption and decryption algorithm to the secondary decryption operation unit 3062, so that the secondary decryption operation unit 3062 uses the secondary key encryption and decryption algorithm to decrypt the second layer source key by applying the primary key to obtain the secondary key. The key selection unit 310 may select the secondary key output if the security level of the current user is secondary.
Before outputting, in order to prevent the secondary key from being tampered in the transmission process, the generated secondary key needs to be checked, specifically, the secondary key is encrypted once by using the secondary key through the secondary handshake decryption operation circuit 3072, so as to obtain secondary handshake encryption key information. And then, the second-layer handshake request data transmitted by the hierarchical information storage unit 304 is received by the second-layer handshake encryption operation circuit 3082, and the second-layer handshake request data is encrypted by adopting the second-layer handshake encryption key information, so as to obtain second-layer handshake encryption information. And then receiving the second-layer handshake response data transmitted by the hierarchical information storage unit 304, comparing the second-layer handshake response data with the second-layer handshake encryption information, if the second-layer handshake response data and the second-layer handshake encryption information are matched, the second-layer handshake encryption information indicates that the second-layer secret key is not tampered, the second-layer handshake encryption information can be output through the secret key selection unit 310, otherwise, prompt information can be sent.
The three-level key generation process is as follows:
The generation process of the tertiary key is similar to that of the secondary key, except that the secondary key is used as an input parameter (corresponding to the primary key input during the generation of the secondary key) of the tertiary key generation, specifically, the tertiary decryption operation unit 3063 receives the third layer source key of the hierarchical information storage unit 304, and the tertiary algorithm selection unit 3113 selects the tertiary key encryption and decryption algorithm to the tertiary decryption operation unit 3063, so that the tertiary decryption operation unit 3063 uses the tertiary key encryption and decryption algorithm to decrypt the third layer source key by applying the secondary key to obtain the tertiary key. The key selection unit 310 may select the tertiary key output if the security level of the current user is tertiary.
Before outputting, in order to prevent the tertiary key from being tampered in the transmission process, the generated tertiary key needs to be checked, specifically, the tertiary key is encrypted once by the tertiary handshake decryption operation circuit 3073 by using the tertiary key, so as to obtain the information of the tertiary handshake encryption key. And then, the third-layer handshake request data transmitted by the hierarchical information storage unit 304 is received by the three-layer handshake encryption operation circuit 3083, and the third-layer handshake request data is encrypted by adopting the three-layer handshake encryption key information, so as to obtain third-layer handshake encryption information. And then receiving the third-layer handshake response data transmitted by the hierarchical information storage unit 304, comparing the third-layer handshake response data with the third-layer handshake encryption information, if the third-layer handshake response data and the third-layer handshake encryption information are matched, the third-layer handshake encryption information indicates that the third-layer secret key is not tampered, the third-layer handshake encryption information can be output through the secret key selection unit 310, and otherwise, prompt information can be sent.
Of course, in other embodiments, the number of the user levels may also be other values, such as two security levels or more than four security levels, and correspondingly, the level of the key output information may also be other numbers, which are set according to actual needs. When the level of the key output information is other, the generation manner may refer to the circuit application process shown in fig. 3, which is not described herein.
In some embodiments, the key output information generated by the key generating device 30 may be stored in the key recording unit 40, so as to wait for the selective call of other subsequent functional modules, for example, the key output information may be used for encrypting and decrypting different operation data in the chip circuit process.
As shown in fig. 4, the second aspect of the present application further provides a key generation method, which is applied to the apparatus according to the first aspect of the present application, the method comprising the steps of:
Firstly, entering a step S401, wherein a source data decryption unit obtains encrypted source data for decryption, and a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm are obtained;
then, step S402 is carried out, and a root key operation unit calculates and obtains root key information according to the decrypted source key;
And then, the step S403 is carried out, the hierarchical decryption operation unit obtains the hierarchical key information, the hierarchical key encryption and decryption algorithm and the root key information, and the hierarchical key information is decrypted by adopting the root key information according to the hierarchical key encryption and decryption algorithm, so that the key output information is obtained.
In general, the key generating device needs to be set up by a factory before being put into use, specifically, some verification data needed in the process of generating the key is solidified inside the key generating device, so as shown in fig. 5, the method includes the following steps:
first, step S501 is entered to preset a user security level, and the set user security level is stored in the user level storage unit.
And then proceeds to step S502 to set the source key.
Step S503 may be performed after step S502 to obtain the hierarchical key information and the handshake request information according to the source key through a derivation algorithm. In synchronization, step S505 may be entered to set a corresponding security level for the current user and user authentication information corresponding to the user.
Step S504 may be performed after step S503 to store the hierarchical key information and the handshake request information in a hierarchical information storage unit;
And then proceeds to step S506 to complete the user key initial setting.
As shown in fig. 6, in some embodiments, the key generation method includes the steps of:
first, step S601 is performed, where the source data storage unit stores encrypted source data, where the source data includes a source key and a hierarchical key encryption and decryption algorithm.
And then, the step S602 of the source data decryption unit obtaining the encrypted source data to decrypt, obtaining a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm, sending the decrypted source key to the root key operation unit, and storing the decrypted hierarchical key encryption and decryption algorithm in the algorithm information storage unit.
In parallel with step S601 and step S602, the step S603 of storing the hierarchical key information by the hierarchical information storage unit may be entered; the user authentication information storage unit stores user authentication information.
Step S602 and step S603 may be followed by entering step S604, where the root key operation unit obtains the user authentication information and the decrypted source key, and performs hash operation on the user authentication information according to the decrypted source key, to obtain root key information.
Step S604 may be followed by entering step S605, where the hierarchical decryption operation unit obtains the hierarchical key encryption and decryption algorithm, the hierarchical key information and the root key information, and uses the hierarchical key encryption and decryption algorithm to decrypt the hierarchical key information by applying the root key information, so as to obtain key output information.
It should be noted that, although the foregoing embodiments have been described herein, the scope of the present invention is not limited thereby. Therefore, based on the innovative concepts of the present invention, alterations and modifications to the embodiments described herein, or equivalent structures or equivalent flow transformations made by the present description and drawings, apply the above technical solution, directly or indirectly, to other relevant technical fields, all of which are included in the scope of the invention.

Claims (7)

1. A key generation apparatus, comprising:
The source data decryption unit is used for obtaining encrypted source data for decryption to obtain a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm;
The root key operation unit is used for calculating root key information according to the decrypted source key, and specifically comprises the following steps: the root key operation unit is used for acquiring user verification information and a decrypted source key, carrying out hash operation on the user verification information according to the decrypted source key to obtain root key information, wherein the user verification information is an ID for distinguishing different users;
A hierarchical information storage unit for storing hierarchical key information;
The user grade storage unit is used for storing the user security grade;
The algorithm information storage unit is used for storing the decrypted hierarchical key encryption and decryption algorithm;
The algorithm selection unit is used for selecting different hierarchical key encryption and decryption algorithms to the hierarchical decryption operation unit according to the security level of the user;
The main control chip is used for acquiring corresponding hierarchical key information from the hierarchical information storage unit according to the security level corresponding to the current user and transmitting the acquired hierarchical key information to the hierarchical decryption operation unit;
The hierarchical decryption operation unit is used for acquiring hierarchical key information, a hierarchical key encryption and decryption algorithm and root key information, decrypting the hierarchical key information by adopting the root key information according to the hierarchical key encryption and decryption algorithm, and obtaining key output information.
2. The key generation apparatus of claim 1, further comprising:
The biological characteristic information acquisition unit is used for acquiring biological characteristic information of the current user;
The main control chip is used for comparing the collected biological characteristic information with preset biological characteristic information so as to determine the security level corresponding to the current user.
3. The key generation apparatus of claim 1, wherein the hierarchical decryption operation unit comprises a primary decryption operation unit and a secondary decryption operation unit; the hierarchical key information comprises primary hierarchical key information and secondary hierarchical key information; the hierarchical key encryption and decryption algorithm comprises a primary hierarchical key encryption and decryption algorithm and a secondary hierarchical key encryption and decryption algorithm;
The main control chip is used for acquiring the primary level key information from the level information storage unit and transmitting the primary level key information to the primary decryption operation unit; the hierarchical information storage unit is used for acquiring the secondary hierarchical key information from the hierarchical information storage unit and transmitting the secondary hierarchical key information to the secondary decryption operation unit;
The primary decryption operation unit is used for decrypting the primary level key information by adopting the root key information according to the primary level key encryption and decryption algorithm to obtain a primary key;
and the secondary decryption operation unit is used for acquiring the primary key, and decrypting the secondary level key information by adopting the primary key according to the secondary level key encryption and decryption algorithm to obtain a secondary key.
4. The key generation apparatus of claim 1, further comprising:
and the user authentication information storage unit is used for storing the user authentication information.
5. The key generation apparatus of claim 1, wherein the hierarchical information storage unit is further configured to store handshake request information and handshake response information;
The key generation apparatus includes:
The handshake decryption operation circuit is used for decrypting the key output information by adopting the key output information to obtain handshake encryption key information;
The handshake encryption operation circuit is used for receiving the handshake request information and encrypting the handshake request information by adopting the handshake encryption key information to obtain handshake encryption information;
and the handshake information checking circuit is used for acquiring the handshake response information and the handshake encryption information, judging whether the handshake response information and the handshake encryption information are matched, and outputting the key output information if the handshake response information and the handshake encryption information are matched.
6. The key generation apparatus of claim 1, further comprising:
The source data storage unit is used for storing encrypted source data, and the source data comprises a source key and a hierarchical key encryption and decryption algorithm; the source data storage unit is an OTP storage unit.
7. A key generation method, characterized in that the method is applied to a key generation apparatus as defined in any one of claims 1 to 6, the method comprising the steps of:
the source data decryption unit obtains encrypted source data to decrypt, and obtains a decrypted source key and a decrypted hierarchical key encryption and decryption algorithm;
the root key operation unit calculates and obtains root key information according to the decrypted source key;
the hierarchical decryption operation unit obtains hierarchical key information, a hierarchical key encryption and decryption algorithm and root key information, and decrypts the hierarchical key information by adopting the root key information according to the hierarchical key encryption and decryption algorithm to obtain key output information.
CN202011166625.7A 2020-10-27 2020-10-27 Key generation method and device Active CN112272090B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011166625.7A CN112272090B (en) 2020-10-27 2020-10-27 Key generation method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011166625.7A CN112272090B (en) 2020-10-27 2020-10-27 Key generation method and device

Publications (2)

Publication Number Publication Date
CN112272090A CN112272090A (en) 2021-01-26
CN112272090B true CN112272090B (en) 2024-04-19

Family

ID=74341313

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011166625.7A Active CN112272090B (en) 2020-10-27 2020-10-27 Key generation method and device

Country Status (1)

Country Link
CN (1) CN112272090B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112968904B (en) * 2021-03-16 2022-09-06 中国科学院深圳先进技术研究院 Block chain data protection method and system
CN113254959A (en) * 2021-05-20 2021-08-13 海信(广东)空调有限公司 Voice information processing method and device, household appliance and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8892865B1 (en) * 2012-03-27 2014-11-18 Amazon Technologies, Inc. Multiple authority key derivation
CN107276756A (en) * 2017-07-27 2017-10-20 深圳市金立通信设备有限公司 A kind of method and server for obtaining root key
CN108599930A (en) * 2018-04-02 2018-09-28 湖南国科微电子股份有限公司 Firmware encrypting and deciphering system and method
CN110098924A (en) * 2019-04-19 2019-08-06 深圳华中科技大学研究院 Support can search for the level cipher key technique of transparent encryption
CN110502918A (en) * 2019-07-09 2019-11-26 杭州电子科技大学 A kind of electronic document access control method and system based on classification safety encryption

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW201243643A (en) * 2011-04-22 2012-11-01 Inst Information Industry Hierarchical encryption/decryption device and method thereof

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8892865B1 (en) * 2012-03-27 2014-11-18 Amazon Technologies, Inc. Multiple authority key derivation
CN107276756A (en) * 2017-07-27 2017-10-20 深圳市金立通信设备有限公司 A kind of method and server for obtaining root key
CN108599930A (en) * 2018-04-02 2018-09-28 湖南国科微电子股份有限公司 Firmware encrypting and deciphering system and method
CN110098924A (en) * 2019-04-19 2019-08-06 深圳华中科技大学研究院 Support can search for the level cipher key technique of transparent encryption
CN110502918A (en) * 2019-07-09 2019-11-26 杭州电子科技大学 A kind of electronic document access control method and system based on classification safety encryption

Also Published As

Publication number Publication date
CN112272090A (en) 2021-01-26

Similar Documents

Publication Publication Date Title
US11824991B2 (en) Securing transactions with a blockchain network
US8930700B2 (en) Remote device secure data file storage system and method
US9740849B2 (en) Registration and authentication of computing devices using a digital skeleton key
US11544365B2 (en) Authentication system using a visual representation of an authentication challenge
EP3114793A1 (en) Methods and apparatus for migrating keys
CN101291224A (en) Method and system for processing data in communication system
CN110310392B (en) Vehicle unlocking method and device, computer equipment and storage medium
WO2003065169A2 (en) Access system utilizing multiple factor identification and authentication
CN112272090B (en) Key generation method and device
CN112887085B (en) Method, device and system for generating security key of SSD (solid State disk) main control chip
US10785193B2 (en) Security key hopping
CN213817804U (en) Secret key generating device
CN112364323A (en) High-security storage access method and device based on user iris recognition
CN213814671U (en) High-security-level data access device based on structured light array recognition
CN112364316B (en) High-security-level data access method and device based on structured light array identification
CN112364324A (en) High-security-level data access method and device based on voiceprint recognition
CN213876728U (en) SSD solid state hard drives main control chip security key generation device and system
CN213126079U (en) High security level data access device based on voiceprint recognition
CN109120589B (en) Terminal information protection method and device based on encryption password
CN213780963U (en) High-safety storage access device based on user iris recognition
CN213876726U (en) Multi-security-level storage access device based on user face recognition
CN213814673U (en) Multi-security-level storage access device based on user fingerprint identification
CN112906071B (en) Data protection method and device based on page temperature dynamic cold-hot switching
CN113162766B (en) Key management method and system for key component
CN112329076B (en) Storage area protection method and device based on data temperature

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant