CN112565282A - Data encryption method, terminal equipment and electronic equipment - Google Patents

Info

Publication number: CN112565282A
Authority: CN (China)
Prior art keywords: file, encrypted, service application, interface service, data
Legal status: Pending
Application number: CN202011462927.9A
Other languages: Chinese (zh)
Inventors: 孟丹, 贾晓启, 孟慧石, 宋振宇, 侯恩泽, 郭璇, 周梦婷
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN202011462927.9A
Publication of CN112565282A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms

Abstract

The embodiments of this application provide a data encryption method, a terminal device and an electronic device. After a file to be encrypted is obtained from another application program or port, it is encrypted to obtain a ciphertext file; a signature verification module is additionally placed in the outlet device of the mobile terminal's transmission channel, namely the Modem, so that all data sent by the Modem are guaranteed to be encrypted in a preset format; finally the ciphertext file is sent to the corresponding application program, external device or remote end. The technical scheme of the embodiments therefore ensures that all sent data are encrypted in the preset manner, which improves the security of information transmission and reduces the feasibility of malicious theft and analysis of the information.

Description

Data encryption method, terminal equipment and electronic equipment
Technical Field
The present application relates to network security technologies, and in particular, to a data encryption method, a terminal device, and an electronic device.
Background
Currently the REE (Rich Execution Environment) is the general operating environment of all mobile terminal devices, in which a general-purpose OS (operating system) such as Android or iOS runs. However, App isolation that relies on the OS is very easy to bypass; OS code is usually very bulky, vulnerabilities are frequent, and the code is difficult to verify and authenticate; moreover, all data inside an App is visible to the OS, so an attacker can exploit the REE with large amounts of malicious code and advanced attack techniques. As mobile terminals become more intelligent and applications more abundant, more and more sensitive information concerning business secrets or personal privacy is easily stolen or damaged through the REE, and information security faces serious threats.
Therefore, in the prior art, a lawless person can use security holes in the general operating system (REE) of a mobile terminal to break through the information security barrier and achieve network information theft or the transmission of various malicious and illegal information.
Disclosure of Invention
The embodiment of the application provides a data encryption method, terminal equipment and electronic equipment.
According to a first aspect of embodiments of the present application, there is provided a data encryption method, including:
a client-side interface service application acquires a file to be encrypted;
the encryption chip encrypts the file to be encrypted to obtain a ciphertext file;
the Modem determines whether the ciphertext file contains data that is not encrypted in the designated manner;
and if not, the Modem sends the ciphertext file.
Optionally, the encryption chip encrypting the file to be encrypted to obtain the ciphertext file includes:
encrypting the file to be encrypted through an encryption chip to obtain an encrypted file;
the IP protocol stack packages the encrypted file according to the IP protocol to obtain IP packet data;
and the encryption chip encrypts the IP packet data to obtain the ciphertext file.
Optionally, the obtaining, by the client interface service application, a file to be encrypted includes:
the method comprises the steps that a client interface service application obtains a file to be encrypted from a general operating system environment and stores the file to be encrypted in a shared memory, wherein the client interface service application runs in the general operating system environment;
the encryption chip encrypting the file to be encrypted to obtain the ciphertext file comprises the following steps:
a trusted interface service application running in a trusted execution environment obtains the file to be encrypted from the shared memory;
the trusted interface service application sends the file to be encrypted to an encryption chip running in a trusted execution environment;
the encryption chip encrypts the file to be encrypted to obtain the encrypted file;
the encryption chip sends the encrypted file to the trusted interface service application so that the trusted interface service application stores the encrypted file in the shared memory;
and the client interface service application obtains the encrypted file from the shared memory and forwards the encrypted file to the IP protocol stack.
Optionally, the encrypting the IP packet data by the encryption chip to obtain a ciphertext file includes:
the client interface service application stores IP packet data in the shared memory, the IP packet data being obtained by the IP protocol stack packaging the encrypted file according to the IP protocol and forwarding the result to the client interface service application;
the trusted interface service application obtains the IP packet data from the shared memory and forwards the IP packet data to the encryption chip;
and the encryption chip encrypts the IP packet data to obtain the ciphertext file.
According to a second aspect of embodiments of the present application, there is provided a terminal device, including:
a client interface service application receiving module, used for obtaining a file to be encrypted;
a sending module for sending data;
the encryption chip is used for encrypting the file to be encrypted to obtain a ciphertext file;
a Modem signature verification module, used for determining whether the ciphertext file contains data that is not encrypted in the specified manner, and if not, sending the ciphertext file.
Optionally, the terminal device further includes:
an IP protocol stack, used for packaging the encrypted file according to the IP protocol to obtain IP packet data;
the encryption chip is used for encrypting the file to be encrypted to obtain the encrypted file; and encrypting the IP packet data to obtain the ciphertext file.
Optionally, the terminal device further includes:
a shared memory;
the client interface service application is used for acquiring the file to be encrypted from a general operating system environment and storing the file to be encrypted in the shared memory, acquiring the encrypted file from the shared memory and forwarding the encrypted file to the IP protocol stack, storing the IP packet data in the shared memory, acquiring the ciphertext file from the shared memory and forwarding the ciphertext file to the sending module;
the trusted interface service application is used for acquiring a file to be encrypted from the shared memory and forwarding the file to the encryption chip, storing the encrypted file to the shared memory, acquiring IP packet data from the shared memory and forwarding the IP packet data to the encryption chip, and storing the ciphertext file to the shared memory;
the encryption chip is used for forwarding the encrypted file to the trusted interface service application after obtaining it by encryption, and forwarding the ciphertext file to the trusted interface service application after obtaining it by encryption;
wherein the client interface service application, the IP protocol stack, the sending module and the signature verification module run in a general operating system environment; the trusted interface service application and the cryptographic chip operate in a trusted execution environment.
According to a third aspect of the embodiments of the present application, there is provided a Modem, including:
a shared memory;
a sending module for sending data;
the client interface service application is used for acquiring IP packet data, storing the IP packet data in the shared memory, acquiring a ciphertext file from the shared memory and forwarding the ciphertext file to the signature verification module;
the trusted interface service application is used for acquiring IP packet data from the shared memory, forwarding the IP packet data to an encryption chip and storing the ciphertext file to the shared memory;
the encryption chip is used for encrypting the IP packet data to obtain a ciphertext file and forwarding the ciphertext file to the trusted interface service application;
the signature verification module is used for judging whether the ciphertext file contains data which is not encrypted in a designated mode, and if not, forwarding the ciphertext file to the sending module;
wherein the client interface service application, the sending module and the signature verification module run in a common operating system environment; the trusted interface service application and the cryptographic chip operate in a trusted execution environment.
According to a third aspect of embodiments of the present application, there is provided an electronic device, comprising a storage device, a processing device and a computer program stored on the storage device and operable on the processing device, wherein the processing device implements the steps in the data encryption method according to the first aspect when executing the computer program.
According to a fourth aspect of embodiments of the present application, there is provided a computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the steps in the data encryption method according to the first aspect.
The embodiments of this application provide a data encryption method, a terminal device and an electronic device. After a file to be encrypted is obtained from another application program or port, it is encrypted to obtain a ciphertext file; a signature verification module is additionally placed in the outlet device of the mobile terminal's transmission channel, namely the Modem, so that all data sent by the Modem are guaranteed to be encrypted in a preset format; finally the ciphertext file is sent to the corresponding application program, external device or remote end. The technical scheme of the embodiments therefore ensures that all sent data are encrypted in the preset manner, which improves the security of information transmission and reduces the feasibility of malicious theft and analysis of the information.
The embodiment of the application at least has the following technical effects or advantages:
Furthermore, the technical scheme in the embodiments of the application can package the encrypted data according to the IP protocol to obtain IP packet data and then perform a second encryption on the IP packet data to obtain the ciphertext file; the two encryption passes ensure that the output data are encrypted, which further improves the security of data transmission.
Further, according to the technical scheme in the embodiments of the application, the relevant processing modules are placed in different execution environments. This distributed network data encryption method not only reduces the load on the TEE but also, while keeping the system secure, reduces development complexity and cost, improves system efficiency and forms a novel network data encryption architecture for the mobile terminal, further improving the security and stability of the mobile terminal's data transmission environment.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a flowchart of a data transmission method according to an embodiment of the present application;
fig. 2 is a structural diagram of a terminal device according to an embodiment of the present application;
fig. 3 is a structural diagram of a Modem according to an embodiment of the present application.
Detailed Description
In the process of implementing the application, the inventor finds that in the prior art, lawless persons can use security holes in a general operating system of the mobile terminal to break an information security barrier, and network information stealing or transmission of various malicious and illegal information is achieved.
To solve these problems, a data encryption method, a terminal device and an electronic device are provided. After a file to be encrypted is obtained from another application program or port, it is encrypted to obtain a ciphertext file; a signature verification module is additionally placed in the outlet device of the mobile terminal's transmission channel, namely the Modem, so that data sent by the Modem are guaranteed to be encrypted in the preset format; finally the ciphertext file is sent to the corresponding application program, external device or remote end. The technical scheme in the embodiments of the application therefore ensures that all sent data are encrypted in the preset manner, which improves information transmission security and reduces the feasibility of malicious theft and analysis of the information.
In order to make the technical solutions and advantages of the embodiments of the present application more apparent, the following further detailed description of the exemplary embodiments of the present application with reference to the accompanying drawings makes it clear that the described embodiments are only a part of the embodiments of the present application, and are not exhaustive of all embodiments. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
The term "and/or" herein merely describes an association between the associated objects, meaning that three relationships may exist; e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
Example one
Referring to fig. 1, an embodiment of the present application provides a data transmission method, including:
step 101: the client interface service application obtains a file to be encrypted.
The file to be encrypted may be sent by another application program of the mobile terminal, obtained by local download, or sent by another external device; as long as the data can be encrypted, it may serve as the file to be encrypted.
Step 102: the encryption chip encrypts the file to be encrypted to obtain a ciphertext file;
In this step, the file to be encrypted may be processed with any of a number of encryption methods or algorithms, for example symmetric encryption algorithms (AES, DES, 3DES), asymmetric encryption algorithms (RSA, DSA, ECC), hash algorithms (MD5, SHA1, HMAC), or even hybrid encryption schemes. The embodiments of the present application do not limit this further; a person skilled in the art can choose as needed.
Step 103: the Modem determines whether the ciphertext file contains data that is not encrypted in the designated manner;
To ensure that all data sent from the mobile terminal are encrypted and that the encryption manner is the designated one, signature verification is performed on the file to be sent: it is determined whether the ciphertext file contains data not encrypted in the designated manner; if so, sending of the ciphertext file can be stopped and the file discarded or re-encrypted; if not, the ciphertext file is sent.
It should be noted that the execution subject in this step may be a main processing module of the terminal device, or an egress device on the terminal device's data transmission path (that is, an independent processing device may be provided in the egress device that transmits the ciphertext file); preferably, the egress device is the only egress device on the data transmission path.
The specific detection and determination method may vary: for example, it may be determined whether the transmitted data is in a preset encryption format, or whether the transmitted data carries an identifier of a predetermined format (e.g., an authentication code, a packet header, etc.) at a predetermined location. The embodiments of the present application do not limit this further.
Step 104: and if not, the Modem sends the ciphertext file.
In this step, the ciphertext file may be sent to other applications of the mobile terminal, to other external devices, to a remote end through a network, and so on.
It can be seen that, in the technical solution of this embodiment, after a file to be encrypted is obtained from another application program or port, it is encrypted to obtain a ciphertext file, and a signature verification module placed in the transmission channel exit device of the mobile terminal, that is, the Modem, ensures that data sent by the Modem are encrypted in the predetermined format; finally, the ciphertext file is sent to the corresponding application program, external device or remote end. The technical scheme therefore ensures that all sent data are encrypted in the preset manner, which improves information transmission security and reduces the feasibility of malicious theft and analysis of the information.
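As an added illustration of the egress check in step 103 (not code from the patent or its inventors), this Go program models a Modem-side signature verification module over an assumed designated format: a fixed header, a mode identifier at a fixed offset and an HMAC-SHA256 authentication code at the end. The format, the verification key shared between the encryption chip and the Modem, and all sample frames are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed designated format, constructed for this example (the patent leaves it open):
// magic(4) | version(1) | mode(1) | payload length(4, big-endian) | payload | tag(32).
// The tag is HMAC-SHA256 over everything before it, keyed with a verification key
// shared by the encryption chip and the Modem's signature verification module.
const (
	magicLen  = 4
	headerLen = magicLen + 1 + 1 + 4
	tagLen    = sha256.Size
	// ModeDesignated is the only mode identifier the Modem lets through (assumed value).
	ModeDesignated byte = 0x01
)

var magic = []byte("ENC1")

var (
	ErrTooShort  = errors.New("frame shorter than header plus tag")
	ErrBadMagic  = errors.New("no designated-format header: data not encrypted as required")
	ErrBadMode   = errors.New("encryption mode is not the designated mode")
	ErrBadLength = errors.New("length field does not match frame size")
	ErrBadTag    = errors.New("authentication code does not verify")
)

// Seal stands in for the encryption chip's last step: wrap a payload that is already
// ciphertext in the designated format and append the authentication code.
func Seal(verifyKey, payload []byte, mode byte) []byte {
	frame := make([]byte, headerLen, headerLen+len(payload)+tagLen)
	copy(frame, magic)
	frame[magicLen] = 1 // format version
	frame[magicLen+1] = mode
	binary.BigEndian.PutUint32(frame[magicLen+2:], uint32(len(payload)))
	frame = append(frame, payload...)
	mac := hmac.New(sha256.New, verifyKey)
	mac.Write(frame)
	return mac.Sum(frame) // Sum appends the 32-byte tag to frame
}

// EgressCheck is the Modem-side signature verification of step 103: nil means the frame
// is in the designated format and authentic; any error means it must not be sent.
func EgressCheck(verifyKey, frame []byte) error {
	if len(frame) < headerLen+tagLen {
		return ErrTooShort
	}
	if !bytes.Equal(frame[:magicLen], magic) {
		return ErrBadMagic // plaintext or a foreign format: no header at the fixed offset
	}
	if frame[magicLen+1] != ModeDesignated {
		return ErrBadMode
	}
	payloadLen := binary.BigEndian.Uint32(frame[magicLen+2 : headerLen])
	if uint64(payloadLen) != uint64(len(frame)-headerLen-tagLen) {
		return ErrBadLength // truncated or padded frame
	}
	body, tag := frame[:len(frame)-tagLen], frame[len(frame)-tagLen:]
	mac := hmac.New(sha256.New, verifyKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time compare
		return ErrBadTag
	}
	return nil
}

// Gate models steps 103 and 104 for frames queued at the Modem: frames that pass are
// forwarded to the sending module, the rest are dropped and the reason kept for logging.
func Gate(verifyKey []byte, frames [][]byte) (forwarded [][]byte, dropped []error) {
	for _, f := range frames {
		if err := EgressCheck(verifyKey, f); err != nil {
			dropped = append(dropped, err)
			continue
		}
		forwarded = append(forwarded, f)
	}
	return forwarded, dropped
}

func main() {
	key := []byte("constructed-verification-key")
	sealed := Seal(key, []byte("opaque ciphertext from the chip"), ModeDesignated)
	plain := bytes.Repeat([]byte("unencrypted payload "), 3) // never wrapped: must be dropped
	fwd, drop := Gate(key, [][]byte{sealed, plain})
	fmt.Printf("forwarded=%d dropped=%d reasons=%v\n", len(fwd), len(drop), drop)
}
```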
Further, the encryption chip encrypting the file to be encrypted to obtain a ciphertext file includes:
encrypting the file to be encrypted through an encryption chip to obtain an encrypted file;
the IP protocol stack packages the encrypted file according to the IP protocol to obtain IP packet data;
and the encryption chip encrypts the IP packet data to obtain the ciphertext file.
The IP protocol stack may specifically be a TCP/IPSec protocol stack, and in this step, the encrypted file obtained by first encrypting the file to be encrypted may be subjected to packet processing based on the TCP/IPSec protocol to obtain IP packet data conforming to the IP protocol format, and then the IP packet data is further subjected to encryption processing to obtain a ciphertext file.
Similarly, in this step, a plurality of encryption methods may be used to encrypt the IP packet data to obtain a ciphertext file. It should be noted that the encryption processing performed in this step may be different from the encryption processing performed at the time of the first encryption (the encryption algorithm is different and/or the encryption processing is different). Through twice encryption processing (especially further encrypting the IP packet data), the transmitted data can be ensured to be the encrypted data processed according to a preset form, and the technical effect of improving the information transmission safety is achieved.
Therefore, the technical scheme in the embodiment of the application can perform IP protocol packet processing on the encrypted data to obtain IP packet data, further perform second encryption processing on the IP packet data to obtain a ciphertext file, and ensure that the output data are encrypted data through twice encryption processing, so that the technical effect of further improving the data transmission safety is achieved.
Further, the step of obtaining the file to be encrypted by the client interface service application includes:
the method comprises the steps that a client interface service application obtains a file to be encrypted from a general operating system environment and stores the file to be encrypted in a shared memory, wherein the client interface service application runs in the general operating system environment;
the encryption chip encrypts the file to be encrypted to obtain a ciphertext file, and the encrypting process comprises the following steps:
a trusted interface service application running in a trusted execution environment obtains the file to be encrypted from the shared memory;
the encrypting the file to be encrypted to obtain the encrypted file comprises the following steps:
the trusted interface service application sends the file to be encrypted to an encryption chip running in a trusted execution environment;
the encryption chip encrypts the file to be encrypted to obtain the encrypted file;
the encryption chip sends the encrypted file to the trusted interface service application so that the trusted interface service application stores the encrypted file in the shared memory;
and the client interface service application obtains the encrypted file from the shared memory and forwards the encrypted file to an IP protocol stack.
Still further, the encryption chip encrypting the IP packet data to obtain a ciphertext file includes:
the client interface service application stores IP packet data in the shared memory, the IP packet data being obtained by the IP protocol stack packaging the encrypted file according to the IP protocol and forwarding the result to the client interface service application;
the trusted interface service application obtains the IP packet data from the shared memory and forwards the IP packet data to the encryption chip;
and the encryption chip encrypts the IP packet data to obtain the ciphertext file.
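The two-pass flow above (first encryption of the file, IP encapsulation in the REE, second encryption of the packet, every hand-off through shared memory) as an added Go example that is not part of the patent or the inventors' implementation. It assumes AES-GCM for both passes with two independent keys, a simplified four-byte packet header in place of the TCP/IPSec stack, and models the TEE boundary only as a function call; the keys and sample file are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed 4-byte packet header written by the REE IP stack in place of the patent's
// TCP/IPSec stack: version(1) | protocol(1) | total length(2, big-endian), < 64 KiB.
const hdrLen = 4

// sharedMemory is the buffer the REE and TEE interface service applications hand data through.
type sharedMemory struct{ buf []byte }

// encryptionChip stands in for the chip inside the TEE: it owns both keys, and the REE
// side only ever sees what it writes back into shared memory.
type encryptionChip struct {
	inner cipher.AEAD // first pass, over the file
	outer cipher.AEAD // second pass, over the IP packet
}

// NewChip takes two independent AES keys (16, 24 or 32 bytes each) and uses AES-GCM.
func NewChip(k1, k2 []byte) (*encryptionChip, error) {
	var layers [2]cipher.AEAD
	for i, k := range [][]byte{k1, k2} {
		block, err := aes.NewCipher(k)
		if err != nil {
			return nil, err
		}
		if layers[i], err = cipher.NewGCM(block); err != nil {
			return nil, err
		}
	}
	return &encryptionChip{inner: layers[0], outer: layers[1]}, nil
}

// seal prefixes a fresh random nonce; open expects that layout back.
func seal(a cipher.AEAD, plain []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plain, nil), nil
}

func open(a cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < a.NonceSize() {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return a.Open(nil, sealed[:a.NonceSize()], sealed[a.NonceSize():], nil)
}

// trustedInterface runs in the TEE: read shared memory, have the chip apply one
// encryption layer, write the result back.
func trustedInterface(shm *sharedMemory, layer cipher.AEAD) (err error) {
	shm.buf, err = seal(layer, shm.buf)
	return err
}

// Encapsulate models the REE IP stack packaging the already-encrypted file.
func Encapsulate(payload []byte) []byte {
	pkt := make([]byte, hdrLen, hdrLen+len(payload))
	pkt[0], pkt[1] = 4, 50 // assumed: IP version 4, protocol 50 (ESP)
	binary.BigEndian.PutUint16(pkt[2:], uint16(hdrLen+len(payload)))
	return append(pkt, payload...)
}

// ClientInterface runs in the REE: file -> (TEE) encrypted file -> IP packet -> (TEE) ciphertext file.
func ClientInterface(chip *encryptionChip, shm *sharedMemory, file []byte) ([]byte, error) {
	shm.buf = append([]byte(nil), file...)
	if err := trustedInterface(shm, chip.inner); err != nil {
		return nil, err
	}
	shm.buf = Encapsulate(shm.buf)
	if err := trustedInterface(shm, chip.outer); err != nil {
		return nil, err
	}
	return shm.buf, nil
}

// Decapsulate is the receiving side: outer layer, header check, inner layer; tampering fails a GCM tag.
func Decapsulate(chip *encryptionChip, ct []byte) ([]byte, error) {
	pkt, err := open(chip.outer, ct)
	if err != nil {
		return nil, err
	}
	if len(pkt) < hdrLen || int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return nil, errors.New("malformed packet header")
	}
	return open(chip.inner, pkt[hdrLen:])
}

func main() {
	chip, _ := NewChip([]byte("constructed-key1"), []byte("constructed-key2")) // 16 bytes each
	ct, err := ClientInterface(chip, &sharedMemory{}, []byte("constructed sample file"))
	fmt.Printf("ciphertext file: %d bytes, err=%v\n", len(ct), err)
}
```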
In contrast to the REE, the TEE (Trusted Execution Environment) guarantees computation that cannot be disturbed by the conventional operating system, which is why it is called "trusted". In general terms, the TEE is an independent execution environment running in parallel with the Rich OS and providing security services to the Rich OS environment. The TEE is implemented on ARM TrustZone and can access hardware and software security resources independently of the Rich OS and the applications on it. The TEE has the following characteristics: the TEE is isolated from the REE, and the REE can communicate with the TEE only through a specific entry; at run time the TEE uses the full performance of the CPU (exclusively); the TEE can access REE memory, but the REE cannot access TEE memory; and multiple mutually isolated Trusted Applications (TAs) may run in the TEE simultaneously.
Because the TEE provides a highly secure processing environment, the technical scheme in the embodiments of the application places each related processing module in a different execution environment; through the coordinated flow of the trusted interface service application and the client interface service application over the shared memory, the encryption process is carried out entirely in an independent, highly isolated environment, so that interference with and intervention in the encryption process by the general operating system environment are isolated at the hardware level, achieving protection of data transmission security.
Example two
Referring to fig. 2, a second embodiment of the present application provides a terminal device, including:
a client interface service application 201 for obtaining a file to be encrypted;
the encryption chip 203 is used for encrypting the file to be encrypted to obtain a ciphertext file;
the Modem 204 is used for judging whether the ciphertext file contains data which is not encrypted in a specified mode; and if not, sending the ciphertext file.
Further, the terminal device further includes:
an IP protocol stack 205, configured to perform packet processing on the encrypted file based on an IP protocol to obtain IP packet data;
the encryption chip 203 is configured to encrypt the file to be encrypted to obtain the encrypted file; and encrypting the IP packet data to obtain the ciphertext file.
Further, the terminal device further includes:
a shared memory 206;
the client interface service application 201 is configured to obtain the file to be encrypted from a general operating system environment and store the file in the shared memory, obtain the encrypted file from the shared memory and forward the encrypted file to the IP protocol stack, store the IP packet data in the shared memory, obtain the ciphertext file from the shared memory and forward the ciphertext file to the sending module;
the trusted interface service application 202 is configured to obtain a file to be encrypted from the shared memory and forward the file to the encryption chip, store the encrypted file in the shared memory, obtain IP packet data from the shared memory and forward the IP packet data to the encryption chip, and store the ciphertext file in the shared memory;
the encryption chip is used for forwarding the encrypted file to the trusted interface service application after obtaining it by encryption, and forwarding the ciphertext file to the trusted interface service application after obtaining it by encryption;
wherein the client interface service application, the IP protocol stack, the sending module and the signature verification module run in a general operating system environment; the trusted interface service application and the cryptographic chip operate in a trusted execution environment.
Various changes and specific examples in the data encryption method in the foregoing embodiment of fig. 1 are also applicable to the terminal device in this embodiment, and those skilled in the art can clearly know the implementation method of the terminal device in this embodiment through the foregoing detailed description of the data encryption method, so that details are not described here for brevity of the description.
Example three
Referring to fig. 3, an embodiment of the present application further provides a Modem, including:
a shared memory 301;
a sending module 302 for sending data;
the client interface service application 303 is used for acquiring the IP packet data, storing the IP packet data in the shared memory, acquiring the ciphertext file from the shared memory, and forwarding the ciphertext file to the signature verification module;
the trusted interface service application 304 is configured to obtain IP packet data from the shared memory, forward the IP packet data to an encryption chip, and store the ciphertext file in the shared memory;
the encryption chip 305 is configured to encrypt the IP packet data to obtain a ciphertext file, and forward the ciphertext file to the trusted interface service application;
the signature verification module 306 is configured to determine whether the ciphertext file contains data that is not encrypted in a designated manner, and if not, forward the ciphertext file to the sending module;
wherein the client interface service application, the sending module and the signature verification module run in a common operating system environment; the trusted interface service application and the cryptographic chip operate in a trusted execution environment.
A mobile terminal in the prior art usually includes two processors: the operating system, user interface and application programs are executed by the AP (Application Processor, the application chip), which generally uses an ARM CPU, while the mobile phone's radio frequency communication control software runs on another independent CPU called the BP (Baseband Processor, the baseband chip). The cellular Modem is the modem module of the mobile communication terminal; the radio frequency communication control module in the BP, mainly responsible for modulation and demodulation, contains all the digital components required for communication with the network and is the only path for uplink and downlink packet transmission of network data. That is to say, at present the data egress device of most mobile terminals is the Modem, and placing the different processing modules of the Modem in different execution environments gives the mobile terminal's data transmission environment higher security and stability.
According to the technical scheme of the embodiments of the application, the data verification operation is added to the Modem driver, which further secures the verification process: the Modem, as the only data outlet, becomes the gatekeeper for data verification, and the problem of verifying uplink and downlink packet data is solved at the level of secure system operation.
Further, in this design a customizable IPSec core component in the TEE (note: the IPSec core component may provide IP-protocol-based encryption and decryption functions, but it is not the IP protocol stack of this embodiment of the application) together with a dedicated encryption card (i.e. the encryption chip) completes the encryption of the data and guarantees the security of that encryption. This distributed network data encryption method reduces the load on the TEE system and, while guaranteeing system security, reduces development complexity and cost, improves system efficiency and forms a new network data encryption architecture for the mobile terminal.
The variations and specific examples of the data encryption method in the embodiment of fig. 1 above also apply to the Modem of this embodiment; a person skilled in the art can clearly derive the implementation of this Modem from the detailed description of the data encryption method above, so it is not repeated here for brevity.
An embodiment of the present application further provides an electronic device, which includes a storage device, a processing device, and a computer program stored on the storage device and executable on the processing device, where the processing device implements the steps in the data encryption method according to the first aspect when executing the computer program.
Embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the data encryption method according to the first aspect.
In summary, in the technical scheme of the embodiments of this application, after the file to be encrypted is obtained from another application program or port, it is encrypted to obtain a ciphertext file; a signature verification step is additionally placed in the transmission channel egress device of the mobile terminal so that the data sent is data encrypted in the preset format; and finally the ciphertext file is sent to the corresponding application program, external device or remote end. All data output by this technical scheme is therefore data encrypted according to the preset requirements, which improves the security of information transmission and reduces the feasibility of malicious interception and analysis of the information.
The embodiment of the application at least has the following technical effects or advantages:
Furthermore, the technical scheme in the embodiments of this application can perform IP protocol packet processing on the encrypted data to obtain IP packet data and then perform a second encryption on the IP packet data to obtain the ciphertext file; the two encryption passes ensure that the output data is encrypted, further improving the security of data transmission.
Further, in the technical scheme of the embodiments of this application the relevant processing modules are placed in different driver systems. This distributed network data encryption method reduces the load on the TEE system and, while guaranteeing system security, reduces development complexity and cost, improves system efficiency and forms a new network data encryption architecture for the mobile terminal, with the technical effect of further improving the security and stability of the data transmission environment of the mobile terminal.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A method for data encryption, comprising:
a client-side interface service application acquires a file to be encrypted;
the encryption chip encrypts the file to be encrypted to obtain a ciphertext file;
a Modem determines whether the ciphertext file contains data that is not encrypted in a designated manner;
and if not, the Modem sends the ciphertext file.
2. The data encryption method of claim 1, wherein the encryption chip encrypting the file to be encrypted to obtain a ciphertext file comprises:
the encryption chip encrypts the file to be encrypted to obtain an encrypted file;
an IP protocol stack encapsulates the encrypted file according to the IP protocol to obtain IP packet data;
and the encryption chip encrypts the IP packet data to obtain the ciphertext file.
3. The data encryption method of claim 2, wherein the client interface service application acquiring the file to be encrypted comprises:
the client interface service application acquires the file to be encrypted from a general operating system environment and stores it in a shared memory, wherein the client interface service application runs in the general operating system environment;
and the encryption chip encrypting the file to be encrypted to obtain the ciphertext file comprises:
a trusted interface service application running in a trusted execution environment acquires the file to be encrypted from the shared memory;
the trusted interface service application sends the file to be encrypted to the encryption chip, which runs in the trusted execution environment;
the encryption chip encrypts the file to be encrypted to obtain the encrypted file;
the encryption chip sends the encrypted file to the trusted interface service application, which stores the encrypted file in the shared memory;
and the client interface service application acquires the encrypted file from the shared memory and forwards it to the IP protocol stack.
4. The data encryption method of claim 3, wherein the encryption chip encrypting the IP packet data to obtain the ciphertext file comprises:
the client interface service application stores the IP packet data in the shared memory, the IP packet data being what the IP protocol stack forwards to the client interface service application after encapsulating the encrypted file according to the IP protocol;
the trusted interface service application acquires the IP packet data from the shared memory and forwards it to the encryption chip;
and the encryption chip encrypts the IP packet data to obtain the ciphertext file.
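The method of claims 1 to 4 and the Modem embodiment described above (encryption chip, signature verification module, sending module), as an added example that is not code from the patent or its applicant: a self-contained Python simulation of the two-stage encryption path and of the egress check. Everything concrete in it is an assumption made for illustration: the "designated manner" is modelled as an envelope of the form MAGIC || nonce || body || HMAC-SHA256 tag, the encryption chip is a toy HMAC counter-mode cipher rather than any real chip algorithm, the Modem's signature verification module is assumed to hold the chip's MAC key and to verify the tag, and the IP protocol stack is reduced to a minimal IPv4 header. The names EncryptionChip, ModemGate, SharedMemory, encrypt_pipeline and decrypt_pipeline are mine, not the patent's.

```python
# Added example (not code from the patent): stdlib-only simulation of the
# two-stage encryption path of claims 1-4 and the Modem egress gate. The
# envelope format, the toy cipher and the key handling are assumptions.
import hashlib
import hmac
import os
import socket
import struct

MAGIC = b"ENC1"   # assumed marker of the "designated" encryption format
NONCE_LEN = 12
TAG_LEN = 32      # HMAC-SHA256 tag

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stand-in for the chip's cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def is_designated_ciphertext(data: bytes, mac_key: bytes) -> bool:
    """The Modem's signature-verification check: marker present and tag valid.
    Plaintext, a bare IP packet or a tampered envelope all fail here."""
    if len(data) < len(MAGIC) + NONCE_LEN + TAG_LEN or not data.startswith(MAGIC):
        return False
    expected = hmac.new(mac_key, data[:-TAG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, data[-TAG_LEN:])

class EncryptionChip:
    """TEE-side encryption chip: encrypt-then-MAC so the egress gate can verify."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key

    def encrypt(self, data: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        body = bytes(a ^ b for a, b in zip(data, _keystream(self.enc_key, nonce, len(data))))
        head = MAGIC + nonce + body
        return head + hmac.new(self.mac_key, head, hashlib.sha256).digest()

    def decrypt(self, envelope: bytes) -> bytes:
        if not is_designated_ciphertext(envelope, self.mac_key):
            raise ValueError("not a valid envelope")
        nonce = envelope[len(MAGIC):len(MAGIC) + NONCE_LEN]
        body = envelope[len(MAGIC) + NONCE_LEN:-TAG_LEN]
        return bytes(a ^ b for a, b in zip(body, _keystream(self.enc_key, nonce, len(body))))

def _ip_checksum(header: bytes) -> int:
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_encapsulate(payload: bytes, src: str = "10.0.0.2", dst: str = "10.0.0.1") -> bytes:
    """The IP protocol stack step: a minimal IPv4 header (protocol 253, experimental)."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, 253, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = _ip_checksum(struct.pack(">BBHHHBBH4s4s", *fields))
    return struct.pack(">BBHHHBBH4s4s", *fields) + payload

def ip_decapsulate(packet: bytes) -> bytes:
    """Peer side: validate the IPv4 header and return the payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or _ip_checksum(packet[:20]) != 0:
        raise ValueError("not a valid IPv4 packet")
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack(">H", packet[2:4])[0]
    return packet[ihl:total_len]

class SharedMemory(dict):
    """Buffer shared by the REE client app and the TEE trusted app (claims 3-4)."""

class ModemGate:
    """Signature verification module plus sending module of the Modem."""
    def __init__(self, mac_key: bytes):
        self.mac_key, self.sent = mac_key, []

    def send(self, data: bytes) -> bool:
        if not is_designated_ciphertext(data, self.mac_key):
            return False   # not encrypted in the designated manner: never leaves the device
        self.sent.append(data)
        return True

def encrypt_pipeline(plaintext: bytes, chip: EncryptionChip, shared: SharedMemory) -> bytes:
    """Claims 2-4: chip encryption, IP encapsulation in the REE, chip encryption again."""
    shared["to_encrypt"] = plaintext                           # REE client app stores file
    shared["encrypted"] = chip.encrypt(shared["to_encrypt"])   # TEE app -> chip -> back
    shared["ip_packet"] = ip_encapsulate(shared["encrypted"])  # REE IP protocol stack
    shared["ciphertext"] = chip.encrypt(shared["ip_packet"])   # second chip encryption
    return shared["ciphertext"]

def decrypt_pipeline(ciphertext: bytes, chip: EncryptionChip) -> bytes:
    """Receiver: peel the outer envelope, the IP header, then the inner envelope."""
    return chip.decrypt(ip_decapsulate(chip.decrypt(ciphertext)))
```

Run encrypt_pipeline on a constructed payload and hand the result to ModemGate.send; a plaintext file, an IP packet carrying only the first-stage output, or a ciphertext with one flipped byte all return False and stay in the device, while the receiver can peel both layers with decrypt_pipeline. Two points the example makes visible that the claims do not state: the "not encrypted in the designated manner" check is only decidable because the chip's output carries a verifiable tag (an entropy heuristic cannot tell random-looking plaintext from ciphertext), and in this embodiment the verification module runs in the common operating system environment, so whatever key it verifies with gets only that environment's protection.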
5. A terminal device, comprising:
a client interface service application, configured to acquire a file to be encrypted;
an encryption chip, configured to encrypt the file to be encrypted to obtain a ciphertext file;
a Modem, configured to determine whether the ciphertext file contains data that is not encrypted in a designated manner, and if not, to send the ciphertext file.
6. The terminal device according to claim 5, further comprising:
an IP protocol stack, configured to encapsulate the encrypted file according to the IP protocol to obtain IP packet data;
wherein the encryption chip is configured to encrypt the file to be encrypted to obtain the encrypted file, and to encrypt the IP packet data to obtain the ciphertext file.
7. The terminal device according to claim 6, further comprising:
a shared memory;
wherein the client interface service application is configured to acquire the file to be encrypted from a general operating system environment and store it in the shared memory, to acquire the encrypted file from the shared memory and forward it to the IP protocol stack, to store the IP packet data in the shared memory, and to acquire the ciphertext file from the shared memory and forward it to a sending module;
a trusted interface service application is configured to acquire the file to be encrypted from the shared memory and forward it to the encryption chip, to store the encrypted file in the shared memory, to acquire the IP packet data from the shared memory and forward it to the encryption chip, and to store the ciphertext file in the shared memory;
the encryption chip is configured to forward the encrypted file to the trusted interface service application once the encrypted file is obtained by encryption, and to forward the ciphertext file to the trusted interface service application once the ciphertext file is obtained by encryption;
and the client interface service application, the IP protocol stack, the sending module and a signature verification module run in the general operating system environment, while the trusted interface service application and the encryption chip run in a trusted execution environment.
8. A Modem, comprising:
a shared memory;
a sending module, configured to send data;
a client interface service application, configured to acquire IP packet data, store it in the shared memory, acquire a ciphertext file from the shared memory and forward it to a signature verification module;
a trusted interface service application, configured to acquire the IP packet data from the shared memory, forward it to an encryption chip, and store the ciphertext file in the shared memory;
the encryption chip, configured to encrypt the IP packet data to obtain the ciphertext file and forward it to the trusted interface service application;
the signature verification module, configured to determine whether the ciphertext file contains data that is not encrypted in a designated manner, and if not, to forward the ciphertext file to the sending module;
wherein the client interface service application, the sending module and the signature verification module run in a common operating system environment, and the trusted interface service application and the encryption chip run in a trusted execution environment.
9. An electronic device comprising storage means, processing means and a computer program stored on said storage means and executable on said processing means, characterized in that said processing means, when executing said computer program, implement the steps in the data encryption method according to any one of claims 1 to 4.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the data encryption method according to any one of claims 1 to 4.
CN202011462927.9A 2020-12-14 2020-12-14 Data encryption method, terminal equipment and electronic equipment Pending CN112565282A (en)

Priority Applications (1)

Application Number Publication Priority Date Filing Date Title
CN202011462927.9A CN112565282A (en) 2020-12-14 2020-12-14 Data encryption method, terminal equipment and electronic equipment

Publications (1)

Publication Number Publication Date
CN112565282A (en) 2021-03-26

Family

ID=75062803

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969441A (en) * 2010-10-28 2011-02-09 鸿富锦精密工业(深圳)有限公司 Publishing server, terminal equipment and transmission method for digital content transmission
CN102306255A (en) * 2011-08-29 2012-01-04 飞天诚信科技股份有限公司 Document protection method and system
CN105656920A (en) * 2016-02-03 2016-06-08 深圳支付界科技有限公司 Method and system for encryption and decryption of mailing data based on expressage
CN105681365A (en) * 2016-04-18 2016-06-15 北京小米移动软件有限公司 File transmission method and device
CN106332017A (en) * 2016-08-31 2017-01-11 安徽拓通信科技集团股份有限公司 Method for implementing voice short message on basis of internet telephony
US20190080078A1 (en) * 2017-09-12 2019-03-14 Sophos Limited Secure management of process properties
CN109560932A (en) * 2017-09-25 2019-04-02 北京云海商通科技有限公司 The recognition methods of identity data, apparatus and system
US20200266996A1 (en) * 2019-02-14 2020-08-20 Carrott Richard F Systems for producing and maintaining verified electronic signatures

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210326