CN113408017B - Method, device, equipment and storage medium for protecting data in OTP (one time programmable) memory - Google Patents

Info

Publication number
CN113408017B
Authority
CN
China
Prior art keywords
data
area
encrypted
otp
otp memory
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110744345.8A
Other languages
Chinese (zh)
Other versions
CN113408017A (en)
Inventor
唐伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan Goke Microelectronics Co Ltd
Original Assignee
Hunan Goke Microelectronics Co Ltd
Application filed by Hunan Goke Microelectronics Co Ltd
Priority to CN202110744345.8A
Publication of CN113408017A
Priority to PCT/CN2022/100710 (WO2023274011A1)
Application granted
Publication of CN113408017B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method, a device, equipment and a storage medium for protecting data in an OTP memory. The method comprises the following steps: acquiring a target secret key after receiving a programming request sent by the OTP memory; acquiring security data to be encrypted, and reading a parameter configuration area of the OTP memory to determine a target encryption algorithm; and encrypting the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data to a security data area of the OTP memory. Therefore, the OTP controller encrypts the security sensitive data and programs the encrypted security sensitive data into the security data area, and performs hardware selection on the encryption and decryption algorithms to realize processing of different encryption and decryption keys and selection of the encryption and decryption algorithms, so that the security and confidentiality of the security data encryption are improved, the security and confidentiality of the programmed OTP data can be enhanced, and the data can be prevented from being tampered or important sensitive data can be prevented from being illegally stolen.

Description

Method, device, equipment and storage medium for protecting data in OTP (one time programmable) memory
Technical Field
The present invention relates to the field of OTP memories, and in particular, to a method, an apparatus, a device, and a storage medium for protecting data in an OTP memory.
Background
At present, the requirement on the security performance of products is higher and higher, and in order to meet the protection requirement of security sensitive data in a hardware system, for example, sensitive data with higher security requirements such as a security root key and identity information in a chip, an OTP (One Time Programmable) memory can meet the requirements of high confidentiality and high reliability to a certain extent due to the non-volatility and high reliability of the stored data, however, how to further improve the security and reliability of the OTP memory is a problem of wide attention at present. In the prior art, through research on an OTP memory, data stability of the OTP memory is improved in a physical manufacturing level, but data is not protected, and security of data storage is reduced.
Disclosure of Invention
In view of this, the present invention provides a method, an apparatus, a device and a medium for protecting data in an OTP memory, which can enhance the security and confidentiality after OTP data programming. The specific scheme is as follows:
In a first aspect, the present application discloses a method for protecting data in an OTP memory, comprising:
acquiring a target key after receiving a programming request sent by the OTP memory;
acquiring security data to be encrypted, and reading a parameter configuration area of the OTP memory to determine a target encryption algorithm;
and encrypting the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data to a security data area of the OTP memory.
Optionally, the obtaining the target key includes:
and reading a preset fixed key in a key configuration field in the parameter configuration area of the OTP memory, and taking the fixed key as the target key.
Optionally, the target encryption algorithm includes the Advanced Encryption Standard (AES), the Triple Data Encryption Standard (TDES), and the SM4 encryption algorithm.
Optionally, the obtaining the target key includes:
sending a random number request to a random number generator, and acquiring a random number value fed back by the random number generator;
and taking the random number value as the target key and storing the target key in a random data area of the OTP memory.
Optionally, after storing the encrypted secure data to the secure data area of the OTP memory, the method further includes:
and performing latch configuration of read operations and/or write operations on the random data area, the secure data area and the parameter configuration area respectively, by using the latch state configuration area of the OTP memory.
Optionally, the method for protecting data in an OTP memory further includes:
when a starting signal sent by the random number generator after the system is reset is received, reading a random number flag bit of the random data area in the OTP memory to judge whether a random number value exists in the random data area;
if so, reading the data information in the random data area, the secure data area, the parameter configuration area and the latch state configuration area, and storing the data information locally;
judging whether the data in the secure data area is encrypted according to an algorithm configuration field in the parameter configuration area;
and if the data information is not encrypted, sending the locally stored data information to a system external module through a local interface output module so that the system external module can generate a key by using the data information.
Optionally, after determining whether the data in the secure data area is encrypted, the method further includes:
if the data is encrypted, decrypting the encrypted data in the secure data area according to a target key corresponding to a key configuration field in the parameter configuration area and a target encryption algorithm corresponding to the algorithm configuration field to obtain decrypted secure data;
and sending the locally stored data information of the random data area, the parameter configuration area and the latch state configuration area, together with the decrypted secure data, to the system external module through a local interface output module.
In a second aspect, the present application discloses an apparatus for protecting data in an OTP memory, comprising:
the target key acquisition module is used for acquiring a target key after receiving a programming request sent by the OTP memory;
the data and encryption algorithm acquisition module is used for acquiring the security data to be encrypted and reading the parameter configuration area of the OTP memory to determine a target encryption algorithm;
and the encryption storage module is used for encrypting the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data and storing the encrypted security data to a security data area of the OTP memory.
In a third aspect, the present application discloses an electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the aforementioned OTP memory data protection method.
In a fourth aspect, the present application discloses a computer readable storage medium for storing a computer program; wherein the computer program when executed by the processor implements the OTP memory data protection method as described above.
In the application, a target key is obtained after a programming request sent by the OTP memory is received; acquiring security data to be encrypted, and reading a parameter configuration area of the OTP memory to determine a target encryption algorithm; and encrypting the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data to a security data area of the OTP memory. Therefore, the OTP controller is used for encrypting the security sensitive data and programming the encrypted security sensitive data to the security data area, and selecting the encryption and decryption algorithms through hardware, so that different encryption and decryption keys are processed and the encryption and decryption algorithms are selected, the security and confidentiality of the security data encryption are improved, the security and confidentiality after the OTP data programming can be enhanced, and the data is prevented from being tampered or the important sensitive data is prevented from being illegally stolen.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flowchart illustrating a method for protecting data in an OTP memory according to the present disclosure;
FIG. 2 is a specific target algorithm configuration provided by the present application;
FIG. 3 is a flow chart of a specific OTP memory data protection method provided herein;
FIG. 4 is a specific target key configuration manner provided in the present application;
FIG. 5 is a diagram illustrating a hardware architecture of an OTP memory system and a hardware architecture of an OTP controller according to an embodiment of the present invention;
FIG. 6 is a flowchart of OTP initialization provided herein;
FIG. 7 is a flowchart illustrating a specific OTP initialization process provided herein;
FIG. 8 is a flowchart of a specific random number obtaining method provided herein;
FIG. 9 is a schematic structural diagram of an OTP memory data protection apparatus according to the present application;
FIG. 10 is a block diagram of an electronic device provided in the present application.
Detailed Description
In the prior art, through research on the OTP memory, the data stability of the OTP memory is improved in a physical manufacturing level, but the data is not protected, and the security of data storage is reduced. In order to overcome the technical problem, the application provides a method for protecting data in an OTP memory, which can enhance the security and confidentiality of OTP data after programming.
The embodiment of the application discloses a method for protecting data in an OTP memory, which is applied to an OTP controller and can comprise the following steps:
Step S11: acquiring a target key after receiving a programming request sent by the OTP memory.
In this embodiment, the target key is obtained after a programming request sent by the OTP memory is received. It can be understood that the OTP memory initiates the programming request to the OTP controller through the external serial port, and the OTP controller actively obtains the target key after receiving the programming request. In this embodiment, obtaining the target key may include: reading a fixed key preset in a key configuration field in the parameter configuration area of the OTP memory, and using the fixed key as the target key. That is, a fixed key is stored in advance in the key configuration field in the parameter configuration area of the OTP memory; after receiving a programming request sent by the OTP memory, the OTP controller reads that fixed key and uses it as the target key to encrypt the secure data.
Step S12: acquiring security data to be encrypted, and reading a parameter configuration area of the OTP memory to determine a target encryption algorithm.
In this embodiment, the security data to be encrypted is obtained; it includes, but is not limited to, data with high security requirements, such as a security root key and identity information. The parameter configuration area of the OTP memory is then read to determine the target encryption algorithm; specifically, the corresponding target encryption algorithm may be determined according to a field of the parameter configuration area. In this embodiment, the target encryption algorithm includes, but is not limited to, the Advanced Encryption Standard (AES), the Triple Data Encryption Standard (TDES), and the SM4 encryption algorithm. It can be understood that a character string and the algorithm type it maps to are stored in the parameter configuration area in advance. A specific algorithm configuration mode is shown, for example, in FIG. 2: the PROGRAM_MODE field is set as the target algorithm configuration field. When PROGRAM_MODE is 2'b00, the security data to be encrypted is not encrypted; when PROGRAM_MODE is 2'b01, it is encrypted using the AES algorithm; when PROGRAM_MODE is 2'b10, it is encrypted using the SM4 algorithm; when PROGRAM_MODE is 2'b11, it is encrypted using the TDES algorithm.
Step S13: and encrypting the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data to a security data area of the OTP memory.
In this embodiment, the secure data to be encrypted is encrypted according to the determined target encryption algorithm and the target key to obtain encrypted secure data, and the encrypted secure data is stored in the secure data area of the OTP memory.
As can be seen from the above, in this embodiment, the target key is obtained after the programming request sent by the OTP memory is received; acquiring security data to be encrypted, and reading a parameter configuration area of the OTP memory to determine a target encryption algorithm; and encrypting the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data to a security data area of the OTP memory. Therefore, the OTP controller is used for encrypting the security sensitive data and programming the encrypted security sensitive data to the security data area, and selecting the encryption and decryption algorithms through hardware, so that different encryption and decryption keys are processed and the encryption and decryption algorithms are selected, the security confidentiality of the security data encryption is improved, the security and the confidentiality of the programmed OTP data can be enhanced, the data is prevented from being tampered or important sensitive data is prevented from being illegally stolen, and a safe and effective data security protection mechanism is added by means of the safety and the reliability of the OTP at present so as to effectively protect the security sensitive data and improve the data security and the data confidentiality of the security sensitive data in a product or a system.
The embodiment of the application discloses a specific method for protecting data in an OTP memory, and referring to fig. 3, the method may include the following steps:
Step S21: after receiving a programming request sent by the OTP memory, sending a random number request to a random number generator, and acquiring a random number value fed back by the random number generator.
In this embodiment, after a programming request sent by the OTP memory is received, a random number request is sent to a random number generator (TRNG) and the random number value fed back by the random number generator is obtained.
Step S22: taking the random number value as a target key and storing the target key in a random data area of the OTP memory.
In this embodiment, the random number is used as the target key and is stored in a random data area of the OTP memory. It is understood that, instead of using a fixed key as the target key, a random number may be used as the encryption key of the secure data. Specifically, for example, as shown in FIG. 4, a PROGRAM_KEY_SEL configuration field may be set in the parameter configuration area of the OTP memory: when the field is 0, the fixed key OTP_KEY in the OTP region is selected as the target key, and when the field value is 1, the random number is selected as the target key.
Step S23: and acquiring security data to be encrypted, and reading a parameter configuration area of the OTP memory to determine a target encryption algorithm.
Step S24: and encrypting the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data to a security data area of the OTP memory.
Step S25: performing latch configuration of read operations and/or write operations on the random data area, the secure data area and the parameter configuration area respectively, by using the latch state configuration area of the OTP memory.
In this embodiment, at the end of the programming configuration flow, the latch state configuration area of the OTP memory is programmed, and latch configuration of the read operation and/or the write operation is performed on the random data area, the secure data area, and the parameter configuration area, respectively. In particular, the programming operation of the parameter configuration area and the secure data area may be latched to prevent a second programming of those areas. The read operation of the random data area is latched so that the area cannot be read by other external modules such as a host, which ensures the randomness and unpredictability of the value of the area and improves the confidentiality and security of encryption and decryption.
For example, FIG. 5 shows a hardware architecture of an OTP memory system and the hardware architecture within the OTP controller. HOST is the host that initiates requests to program or read the OTP. TRNG is a true random number generator: during OTP factory production, in the OTP system initialization phase, the OTP controller sends a random number request to the TRNG module to apply for a set of 128-bit random number data and programs that data into a secure data area of the OTP. OTP_WRAPPER is the OTP controller. Within it, OTP_ASYNC is a synchronization module for programming or reading of the OTP by an external host. OTP_CTRL is the main control module of the OTP controller; it can be understood that, in this embodiment, the programming address and the programming data are sent to the OTP_ASYNC module and, after synchronization, passed on to the OTP main control module OTP_CTRL. OTP_INIT is the OTP initialization control module, responsible for reading each region of the OTP in stages after the OTP is powered on, completing initialization of the OTP output values for the whole system, sending the security-sensitive data generated by initialization to OTP_OUTPUT, and finally sending it to other modules outside the system. OTP_PROGRAM is the programming interface module of the OTP. OTP_READ is the read operation interface module of the OTP. OTP_ALGO is the encryption and decryption algorithm operation module in the OTP controller and internally contains hardware implementations of the SM4, AES and TDES encryption and decryption algorithms; it encrypts the sensitive security data and then sends the encrypted data to the OTP_PROGRAM module, and during the system initialization phase it provides decryption of the secure data. OTP_OUTPUT is the interface module between OTP_WRAPPER and external modules and outputs the security-sensitive data.
It can be understood that, in this embodiment, the OTP memory is divided into four regions. The random data area OTP_TRNG_RANDOM_AREA is used for programming and storing the 128-bit random number, which is generated by the external true random number generation module TRNG for the subsequent encryption and decryption operations; after its latch state is programmed to 1, the region is invisible to both the external HOST and external modules. The secure data area OTP_SECURITY_AREA is used for programming and storing security-sensitive data. The parameter configuration area OTP_CONFIG_AREA is used for programming and storing hardware configuration data, for example the 2-bit PROGRAM_MODE field for configuring the encryption and decryption algorithm and the 1-bit PROGRAM_KEY_SEL field for selecting the encryption and decryption key. The latch state configuration area OTP_LOCK_AREA is used to program and store latch state information.
For the specific processes of step S23 and step S24, reference may be made to corresponding contents disclosed in the foregoing embodiments, and details are not repeated herein.
As can be seen from the above, in this embodiment, a series of security protection measures, such as performing random number processing on the encryption and decryption keys and performing data decryption after encryption only by the OTP controller in the OTP initialization stage, improve the security and confidentiality of the security sensitive data programmed into the OTP. The random value provided by the true random number generator ensures the randomness and uncertainty of the value programmed into the security data area, i.e. the randomness of the key used for encrypting the security data, and improves the unpredictability of the encryption and decryption processing of the confidential data. On the basis, the invisibility of the random key and the data validity of the security sensitive data programming area are ensured in the using process of the data through a data latching mechanism. Therefore, when an external host reads the sensitive data programmed in the secure data area, the read value is the encrypted data, and the security and confidentiality of the data are improved.
The embodiment of the present application discloses an OTP initialization process, which, as shown in fig. 6, may include the following steps:
Step S31: when a start signal sent by the random number generator after the system is reset is received, reading the random number flag bit of the random data area in the OTP memory to judge whether a random number value exists in the random data area.
In this embodiment, for example in the OTP initialization process shown in FIG. 7, after the system reset is released, the true random number generator automatically completes its initialization configuration and pulls the signal TRNG_READY to 1. After receiving this signal, the OTP controller initiates the first-stage read of the OTP memory, OTP_INIT_STEP1, in which the other non-sensitive data regions and the random number flag field TRNG_RANDOM_KEY_READY are read. If the flag is 1, a 128-bit random number was programmed into the secure data region of the OTP memory in the production stage. If the flag is 0, the random storage region of the OTP has not been programmed, and the initialization process jumps to its end, OTP_INIT_FINISH; that is, the read of the secure data area is skipped and the entire OTP initialization process ends directly. In this case, the valid signal for sensitive data remains low, since the secure data area was neither programmed nor read during initialization.
Step S32: if so, reading data information in the random data area, the secure data area, the parameter configuration area and the latch state configuration area in the OTP memory, and storing the data information locally.
In this embodiment, if the random number exists, that is, the flag bit of the random number is 0, the OTP power-on initialization enters the second stage, OTP_INIT_STEP2, in which the OTP controller reads the data information in the random data area, the secure data area, the parameter configuration area, and the latch state configuration area in the OTP memory and stores it in local memory. If the flag bit of the random number is 0, then after the initialization process is completed a request for programming the random number needs to be initiated to the OTP controller through an external serial port. For example, as shown in FIG. 8, after receiving the request the OTP controller requests a set of 128-bit random numbers from the random number module and programs the true random number it obtains into the random data area; after the programming is completed, the flag bit of the random number is programmed to 1. That is, the random number programming request start register of the OTP controller is configured through the external serial port, which initiates the whole random number request and programming operation.
Step S33: judging whether the data in the secure data area is encrypted according to the algorithm configuration field in the parameter configuration area.
In this embodiment, after the data is stored, the third phase of the OTP power-on initialization process, OTP_INIT_STEP3, is entered: the algorithm configuration field in the parameter configuration area is read to determine whether the data in the secure data area is encrypted. That is, whether the secure data is encrypted, and with which encryption algorithm, is determined by reading the algorithm configuration field PROGRAM_MODE shown in FIG. 2.
Step S34: if the data is encrypted, decrypting the encrypted data in the secure data area according to the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field to obtain the decrypted secure data.
In this embodiment, if the data is encrypted, the encrypted data in the secure data area is decrypted using the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, so as to obtain the decrypted secure data. That is, the secure data that was read is processed by a decryption operation: the decryption algorithm is selected through the PROGRAM_MODE field, and the decryption key is selected through the PROGRAM_KEY_SEL field.
Step S35: sending the locally stored data information of the random data area, the parameter configuration area and the latch state configuration area, together with the decrypted secure data, to the system external module through a local interface output module so that the system external module can generate a key by using the data information.
In this embodiment, after the decryption is completed, the output stage is entered: the security-sensitive data decrypted in the third stage and the other data read during initialization in the second stage are sent to the OTP_OUTPUT module and output to the system external module, so that the system external module generates a key by using the root key and the identity information in the secure data, and the valid signal of the sensitive data is raised to 1. If the data is not encrypted, the locally stored data information read during initialization in the second stage is sent directly to the system external module through the local interface output module, and the system external module can then generate a corresponding key by using the root key, identity information and the like in the secure data area.
As can be seen from the above, in this embodiment, when a start signal sent by the random number generator after the system is reset is received, the random number flag bit of the random data area in the OTP memory is read to determine whether a random number exists in the random data area. And if so, reading data information in a random data area, a safety data area, a parameter configuration area and a latch state configuration area in the OTP memory, and storing the data information to the local. And then, judging whether the data in the safe data area is encrypted or not according to the algorithm configuration field in the parameter configuration area. And if the encrypted data is encrypted, decrypting the encrypted data in the secure data area according to the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field to obtain the decrypted secure data. And sending the data information in the random data area, the parameter configuration area and the latch state configuration area which are locally stored and the decrypted safety data to the system external module through a local interface output module so that the system external module can generate a secret key by using the data information. Therefore, the decryption of the secure data in the embodiment only occurs in the OTP initialization stage after the system is powered on, the decryption control of the part is controlled by hardware, and the part such as the external host cannot control the decryption control, so that the independence and the security of the part are ensured.
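The programming flow (steps S21 to S25) and the power-on initialization flow (steps S31 to S35) described above can be modelled in software as follows. This is an added example, not code from the patent or from the assignee. The area layout, the function names and the per-area latch arrays are assumptions, and a keyed XOR stands in for the OTP_ALGO hardware block, so it is not AES, SM4 or TDES. The sample key and data values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field encodings as the page gives them. */
enum { MODE_NONE = 0, MODE_AES = 1, MODE_SM4 = 2, MODE_TDES = 3 }; /* PROGRAM_MODE */
enum { KEY_FIXED = 0, KEY_RANDOM = 1 };                            /* PROGRAM_KEY_SEL */
/* Assumed: area indices and one 16-byte block per area (the page gives no layout). */
enum { AREA_RANDOM, AREA_SECURE, AREA_CONFIG, AREA_LOCK, AREA_COUNT };
#define BLK 16

typedef struct {
    uint8_t random_key[BLK];     /* OTP_TRNG_RANDOM_AREA: 128-bit TRNG value */
    uint8_t random_ready;        /* TRNG_RANDOM_KEY_READY flag */
    uint8_t secure[BLK];         /* OTP_SECURITY_AREA */
    uint8_t fixed_key[BLK];      /* OTP_CONFIG_AREA: fixed key OTP_KEY */
    uint8_t program_mode;        /* OTP_CONFIG_AREA: PROGRAM_MODE */
    uint8_t key_sel;             /* OTP_CONFIG_AREA: PROGRAM_KEY_SEL */
    uint8_t rd_lock[AREA_COUNT]; /* OTP_LOCK_AREA: read latches (assumed one per area) */
    uint8_t wr_lock[AREA_COUNT]; /* OTP_LOCK_AREA: write latches */
} otp_t;

typedef struct {
    uint8_t secure[BLK]; /* secure data handed to OTP_OUTPUT */
    int sensitive_valid; /* valid signal for sensitive data */
    int phases_run;      /* 1: ended after OTP_INIT_STEP1, 3: all phases ran */
} otp_output_t;

/* Stand-in for OTP_ALGO: a keyed XOR, NOT AES/SM4/TDES. It only lets the control
 * flow run; XOR is its own inverse, so the same call encrypts and decrypts. */
static void algo_stand_in(const otp_t *o, const uint8_t *in, uint8_t *out)
{
    const uint8_t *key = o->key_sel == KEY_RANDOM ? o->random_key : o->fixed_key;
    for (int i = 0; i < BLK; i++)
        out[i] = (uint8_t)(in[i] ^ key[i] ^ o->program_mode);
}

/* Random-number programming request: store the TRNG value, then set the flag. */
int otp_program_random(otp_t *o, const uint8_t *trng_value)
{
    if (o->random_ready) return -1; /* one-time programmable: already written */
    memcpy(o->random_key, trng_value, BLK);
    o->random_ready = 1;
    return 0;
}

/* Steps S23-S24: encrypt as PROGRAM_MODE / PROGRAM_KEY_SEL select, then store. */
int otp_program_secure(otp_t *o, const uint8_t *plain)
{
    if (o->wr_lock[AREA_SECURE]) return -1;                      /* latched */
    if (o->key_sel == KEY_RANDOM && !o->random_ready) return -2; /* no key yet */
    if (o->program_mode == MODE_NONE) memcpy(o->secure, plain, BLK);
    else algo_stand_in(o, plain, o->secure);
    return 0;
}

/* Step S25: latch programming of config and secure areas, and reads of the key. */
void otp_latch(otp_t *o)
{
    o->wr_lock[AREA_CONFIG] = o->wr_lock[AREA_SECURE] = 1;
    o->rd_lock[AREA_RANDOM] = 1;
}

/* HOST read path: honours read latches and never decrypts. */
int otp_host_read(const otp_t *o, int area, uint8_t *out)
{
    if ((area != AREA_RANDOM && area != AREA_SECURE) || o->rd_lock[area]) return -1;
    memcpy(out, area == AREA_RANDOM ? o->random_key : o->secure, BLK);
    return 0;
}

/* Power-on initialisation, steps S31-S35. Runs inside the controller, so the
 * host-facing read latch does not apply. */
otp_output_t otp_init(const otp_t *o)
{
    otp_output_t out = { {0}, 0, 1 };
    if (!o->random_ready) return out;      /* STEP1: flag 0 -> finish, valid stays low */
    memcpy(out.secure, o->secure, BLK);    /* STEP2: read the areas into local storage */
    if (o->program_mode != MODE_NONE)      /* STEP3: decrypt only if PROGRAM_MODE says so */
        algo_stand_in(o, o->secure, out.secure);
    out.sensitive_valid = 1;               /* output stage raises the valid signal */
    out.phases_run = 3;
    return out;
}

int main(void)
{
    otp_t o = {0};
    uint8_t trng[BLK], root[BLK], host[BLK]; /* constructed sample values */
    for (int i = 0; i < BLK; i++) { trng[i] = (uint8_t)(0xA0 + i); root[i] = (uint8_t)(7 * i + 1); }
    o.program_mode = MODE_SM4; o.key_sel = KEY_RANDOM;
    otp_program_random(&o, trng);
    otp_program_secure(&o, root);
    otp_latch(&o);
    printf("host read of random area: %d\n", otp_host_read(&o, AREA_RANDOM, host));
    printf("host read of secure area: %d\n", otp_host_read(&o, AREA_SECURE, host));
    printf("init valid: %d\n", otp_init(&o).sensitive_valid);
    return 0;
}
```

The model follows the flag convention stated for OTP_INIT_STEP1 (flag 1 means the random number has been programmed), so a part whose random data area was never programmed ends initialization with the valid signal low even if its secure data area holds data.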
Correspondingly, an embodiment of the present application further discloses an apparatus for protecting data in an OTP memory, as shown in fig. 9, the apparatus includes:
a target key obtaining module 11, configured to obtain a target key after receiving a programming request sent by the OTP memory;
the data and encryption algorithm obtaining module 12 is configured to obtain security data to be encrypted, and read a parameter configuration area of the OTP memory to determine a target encryption algorithm;
and the encryption storage module 13 is configured to encrypt the to-be-encrypted secure data by using the target encryption algorithm and the target key to obtain encrypted secure data, and store the encrypted secure data in a secure data area of the OTP memory.
As can be seen from the above, in this embodiment, the target key is obtained after the programming request sent by the OTP memory is received; the security data to be encrypted is acquired, and the parameter configuration area of the OTP memory is read to determine a target encryption algorithm; the security data to be encrypted is encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and the encrypted security data is stored in a secure data area of the OTP memory. The OTP controller thus encrypts the security-sensitive data and programs the encrypted data into the secure data area, and the encryption and decryption algorithms are selected by hardware, so that different encryption and decryption keys can be handled and different encryption and decryption algorithms can be selected. This improves the security and confidentiality of the encryption of the secure data, strengthens security and confidentiality after the OTP data has been programmed, and prevents the data from being tampered with and important sensitive data from being illegally stolen.
In some specific embodiments, the target key obtaining module 11 may specifically include:
a first key obtaining unit, configured to read a fixed key preset in a key configuration field in the parameter configuration area of the OTP memory, and use the fixed key as the target key;
the second key acquisition unit is used for sending a random number request to the random number generator and acquiring a random number value fed back by the random number generator; and taking the random number value as the target key and storing the target key in a random data area of the OTP memory.
In some specific embodiments, the data protection device in the OTP memory may specifically include:
and the latch module is used for respectively carrying out latch configuration of read operation and/or write operation on the random data area, the safety data area and the parameter configuration area by utilizing a latch state configuration area of the OTP memory.
In some specific embodiments, the data protection device in the OTP memory may specifically include:
the initialization module is used for reading a random number flag bit of the random data area in the OTP memory when receiving a start signal sent by the random number generator after system reset, so as to judge whether a random number value exists in the random data area; if so, reading the data information in the random data area, the secure data area, the parameter configuration area and the latch state configuration area, and storing the data information locally; judging whether the data in the secure data area is encrypted according to the algorithm configuration field in the parameter configuration area; and if the data is not encrypted, sending the locally stored data information to a system external module through a local interface output module, so that the system external module can generate a key by using the data information.
In some specific embodiments, the initialization module may specifically include:
the decryption module is used for decrypting the encrypted data in the secure data area according to a target key corresponding to a key configuration field in the parameter configuration area and a target encryption algorithm corresponding to the algorithm configuration field to obtain decrypted secure data if the data in the secure data area is encrypted; and sending the data information in the locally stored random data area, the parameter configuration area and the latch state configuration area, and the decrypted safety data to the system external module through a local interface output module.
Further, an embodiment of the present application also discloses an electronic device, shown in fig. 10; the content of the drawing should not be considered as any limitation on the scope of the application.
Fig. 10 is a schematic structural diagram of an electronic device 20 according to an embodiment of the present disclosure. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input output interface 25, and a communication bus 26. Wherein, the memory 22 is used for storing a computer program, and the computer program is loaded and executed by the processor 21 to implement the relevant steps in the OTP memory data protection method disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 is configured to provide a working voltage for each hardware device on the electronic device 20; the communication interface 24 can create a data transmission channel between the electronic device 20 and an external device, and a communication protocol followed by the communication interface is any communication protocol applicable to the technical solution of the present application, and is not specifically limited herein; the input/output interface 25 is configured to obtain external input data or output data to the outside, and a specific interface type thereof may be selected according to specific application requirements, which is not specifically limited herein.
In addition, the storage 22 is used as a carrier for storing resources, and may be a read-only memory, a random access memory, a magnetic disk or an optical disk, etc., the resources stored thereon include an operating system 221, a computer program 222, and data 223 including security data to be encrypted, etc., and the storage manner may be a transient storage or a permanent storage.
The operating system 221 is used for managing and controlling each hardware device and the computer program 222 on the electronic device 20, so as to realize the operation and processing of the mass data 223 in the memory 22 by the processor 21, and may be Windows Server, Netware, Unix, Linux, and the like. In addition to the computer program that performs the OTP memory data protection method disclosed in any of the foregoing embodiments and is executed by the electronic device 20, the computer program 222 may further include computer programs that perform other specific tasks.
Further, an embodiment of the present application further discloses a computer storage medium, where computer-executable instructions are stored in the computer storage medium, and when the computer-executable instructions are loaded and executed by a processor, the steps of the method for protecting data in an OTP memory disclosed in any of the foregoing embodiments are implemented.
In the present specification, the embodiments are described in a progressive manner, and each embodiment focuses on differences from other embodiments, and the same or similar parts between the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it should also be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element.
The method, apparatus, device and medium for protecting data in an OTP memory provided by the present invention are described in detail above, and specific examples are applied herein to illustrate the principle and implementation of the present invention, and the description of the above embodiments is only used to help understanding the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (7)

1. The method for protecting the data in the OTP memory is applied to an OTP controller and comprises the following steps:
acquiring a target key after receiving a programming request sent by the OTP memory;
acquiring security data to be encrypted, and reading a parameter configuration area of the OTP memory to determine a target encryption algorithm;
encrypting the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data to a security data area of the OTP memory;
the obtaining of the target key includes:
sending a random number request to a random number generator, and acquiring a random number value fed back by the random number generator;
taking the random number value as the target key and storing the target key in a random data area of the OTP memory;
after the storing the encrypted secure data to the secure data area of the OTP memory, the method further includes:
utilizing a latch state configuration area of the OTP memory to respectively carry out latch configuration of read operation and/or write operation on the random data area, the secure data area and the parameter configuration area;
when a start signal sent by the random number generator after system reset is received, reading a random number flag bit of the random data area in the OTP memory to judge whether a random number value exists in the random data area;
if so, reading the data information in the random data area, the secure data area, the parameter configuration area and the latch state configuration area, and storing the data information locally;
judging whether the data in the safe data area is encrypted or not according to the algorithm configuration field in the parameter configuration area;
and if the data information is not encrypted, sending the locally stored data information to a system external module through a local interface output module so that the system external module can generate a key by using the data information.
2. The method of claim 1, wherein the obtaining a target key comprises:
and reading a preset fixed key in a key configuration field in the parameter configuration area of the OTP memory, and taking the fixed key as the target key.
3. The method of claim 1, wherein the target encryption algorithm comprises an advanced data encryption standard, a triple data encryption standard, and an SM4 encryption algorithm.
4. The method for protecting data in an OTP memory according to claim 1, wherein after determining whether the data in the secure data area is encrypted, the method further comprises:
if the data is encrypted, decrypting the encrypted data in the secure data area according to a target key corresponding to a key configuration field in the parameter configuration area and a target encryption algorithm corresponding to the algorithm configuration field to obtain decrypted secure data;
and sending the data information in the locally stored random data area, the parameter configuration area and the latch state configuration area, and the decrypted safety data to the system external module through a local interface output module.
5. An OTP in-memory data protection device, applied to an OTP controller, comprises:
the target key acquisition module is used for acquiring a target key after receiving a programming request sent by the OTP memory; the obtaining of the target key includes: sending a random number request to a random number generator, and acquiring a random number value fed back by the random number generator; taking the random number value as the target key and storing the target key in a random data area of the OTP memory;
the data and encryption algorithm acquisition module is used for acquiring the security data to be encrypted and reading the parameter configuration area of the OTP memory to determine a target encryption algorithm;
the encrypted storage module is configured to encrypt the to-be-encrypted secure data by using the target encryption algorithm and the target key to obtain encrypted secure data, store the encrypted secure data in a secure data area of the OTP memory, and after storing the encrypted secure data in the secure data area of the OTP memory, the encrypted storage module further includes: utilizing a latch state configuration area of the OTP memory to respectively carry out latch configuration of read operation and/or write operation on the random data area, the secure data area and the parameter configuration area;
the initialization module is used for reading a random number flag bit of the random data area in the OTP memory to judge whether a random number value exists in the random data area when receiving a start signal sent by the random number generator after system reset; if so, reading the data information in the random data area, the secure data area, the parameter configuration area and the latch state configuration area, and storing the data information locally; judging whether the data in the secure data area is encrypted according to an algorithm configuration field in the parameter configuration area; and if the data is not encrypted, sending the locally stored data information to a system external module through a local interface output module so that the system external module can generate a key by using the data information.
6. An electronic device, comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the OTP in-memory data protection method of any of claims 1 to 4.
7. A computer-readable storage medium for storing a computer program; wherein the computer program when executed by a processor implements the method of in-OTP memory data protection according to any of claims 1 to 4.
CN202110744345.8A 2021-06-30 2021-06-30 Method, device, equipment and storage medium for protecting data in OTP (one time programmable) memory Active CN113408017B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110744345.8A CN113408017B (en) 2021-06-30 2021-06-30 Method, device, equipment and storage medium for protecting data in OTP (one time programmable) memory
PCT/CN2022/100710 WO2023274011A1 (en) 2021-06-30 2022-06-23 Method and apparatus for protecting data in otp memory, and device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110744345.8A CN113408017B (en) 2021-06-30 2021-06-30 Method, device, equipment and storage medium for protecting data in OTP (one time programmable) memory

Publications (2)

Publication Number Publication Date
CN113408017A CN113408017A (en) 2021-09-17
CN113408017B true CN113408017B (en) 2022-10-14

Family

ID=77680859

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110744345.8A Active CN113408017B (en) 2021-06-30 2021-06-30 Method, device, equipment and storage medium for protecting data in OTP (one time programmable) memory

Country Status (2)

Country Link
CN (1) CN113408017B (en)
WO (1) WO2023274011A1 (en)


Also Published As

Publication number Publication date
WO2023274011A1 (en) 2023-01-05
CN113408017A (en) 2021-09-17


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant