CN114826752B - Signal encryption method, signal encryption device and terminal equipment - Google Patents
Signal encryption method, signal encryption device and terminal equipment Download PDFInfo
- Publication number
- CN114826752B CN114826752B CN202210479158.6A CN202210479158A CN114826752B CN 114826752 B CN114826752 B CN 114826752B CN 202210479158 A CN202210479158 A CN 202210479158A CN 114826752 B CN114826752 B CN 114826752B
- Authority
- CN
- China
- Prior art keywords
- mask
- signal
- data signal
- module
- encoded
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 112
- 238000001514 detection method Methods 0.000 claims abstract description 152
- 230000005540 biological transmission Effects 0.000 claims abstract description 109
- 230000000873 masking effect Effects 0.000 claims abstract description 64
- 230000008569 process Effects 0.000 abstract description 39
- 230000008054 signal transmission Effects 0.000 abstract description 38
- 238000012795 verification Methods 0.000 abstract description 20
- 238000002347 injection Methods 0.000 description 33
- 239000007924 injection Substances 0.000 description 33
- 238000010586 diagram Methods 0.000 description 30
- 230000003993 interaction Effects 0.000 description 18
- 238000012545 processing Methods 0.000 description 18
- 230000004044 response Effects 0.000 description 14
- 230000000977 initiatory effect Effects 0.000 description 11
- 238000012937 correction Methods 0.000 description 7
- 230000006870 function Effects 0.000 description 6
- 239000000243 solution Substances 0.000 description 6
- 238000004364 calculation method Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000013478 data encryption standard Methods 0.000 description 3
- 238000004891 communication Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000011664 signaling Effects 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 230000005856 abnormality Effects 0.000 description 1
- 239000000654 additive Substances 0.000 description 1
- 230000000996 additive effect Effects 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000005670 electromagnetic radiation Effects 0.000 description 1
- 238000005265 energy consumption Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000004880 explosion Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/40—Bus networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The application provides a signal encryption method, a signal encryption device and a mobile terminal, and specifically the signal encryption method comprises the following steps: the first device generating a data signal for transmission to the second device; the first device and the second device are connected through a bus; in the process of data signal transmission, the data signal is subjected to masking operation to obtain a masking data signal; the mask data signal is subjected to error detection code encoding operation to obtain an encoded mask data signal; the encoded mask data signal is used for decoding and checking operations by the second device to obtain a mask data signal; the verification operation refers to judging whether the data signal is attacked in the transmission process according to the coded mask data signal.
Description
Technical Field
The present disclosure relates to the field of security technologies, and in particular, to a signal encryption method, a signal encryption device, and a terminal device.
Background
In this information explosion age, information security is particularly important. In the design of the encryption device, in order to protect sensitive data in the device from leakage, a designer may take various protection means to resist various attacks, so as to reduce the risk of sensitive data leakage.
The hardware attack means related to the encryption device mainly comprises: 1. side channel attack; 2. error injection attacks. The 1 side channel attack mainly obtains sensitive data through various leakage information generated during the running of hardware or software in the device. The leakage information includes energy consumption caused by circuit signal overturn, operation time of different software or hardware flows, electromagnetic radiation caused by antenna effect when circuit signals are transmitted by interconnection lines, and the like. 2. Error injection attacks primarily cause a device to produce erroneous results or behavior by various means while the device is running. An attacker can obtain relevant sensitive data or rights from these erroneous results or actions.
Therefore, a technique for improving the security of the encryption device is demanded.
Disclosure of Invention
In view of the above, it is necessary to provide a signal encryption method, a signal encryption device, and a mobile terminal.
In a first aspect, a method for encrypting a signal is provided, including:
the first device generating a data signal for transmission to the second device; the first device and the second device are connected through a bus;
in the process of data signal transmission, the data signal is subjected to masking operation to obtain a masking data signal;
The mask data signal is subjected to error detection code encoding operation to obtain an encoded mask data signal;
the encoded mask data signal is used for decoding and checking operations by the second device to obtain the mask data signal; the verification operation refers to judging whether the data signal is attacked in the transmission process according to the coded mask data signal.
In some optional embodiments, during the data signal transmission, the data signal is subjected to a masking operation, and obtaining the masked data signal includes:
the first device obtains a mask signal, and obtains a mask data signal according to the mask signal and the data signal;
the mask data signal is subjected to an error detection code encoding operation, and the obtaining of the encoded mask data signal includes:
the first device performs an error detection code encoding operation on the mask data signal to obtain the encoded mask data signal.
In some optional embodiments, during the data signal transmission, the data signal is subjected to a masking operation, and obtaining the masked data signal includes:
The bus acquires a mask signal, and obtains a mask data signal according to the mask signal and the data signal;
the mask data signal is subjected to an error detection code encoding operation, and the obtaining of the encoded mask data signal includes:
and the bus performs error detection code encoding operation on the mask data signals to obtain encoded mask data signals.
In some optional embodiments, the first device is a master device, and the second device is a slave device; the first device obtaining a mask signal, the mask data signal according to the mask signal and the data signal comprising:
the master device obtains the mask signal from the random number generation module, and performs exclusive OR logic operation and/or addition arithmetic operation on the mask signal and the data signal to obtain the mask data signal.
In some alternative embodiments, the first device is a slave device, and the second device is a master device; the first device obtaining a mask signal, the mask data signal according to the mask signal and the data signal comprising:
the slave device obtaining an encoded mask signal from the bus;
The slave device decodes and verifies the coded mask signal to obtain a mask signal;
the slave device performs exclusive-or and/or addition arithmetic operations on the mask signal and the data signal to obtain the mask data signal.
In some optional embodiments, the first device is a master device, and the second device is a slave device; the bus acquiring a mask signal, and obtaining the mask data signal according to the mask signal and the data signal includes:
the bus acquires the mask signal from the random number generation module, and performs exclusive OR logic operation and/or addition arithmetic operation on the mask signal and the data signal to obtain the mask data signal.
In some alternative embodiments, before the slave device obtains the encoded mask signal from the bus, the method includes:
the bus acquires the mask signal from the random number generation module, and performs error detection code encoding operation on the mask signal to obtain the encoded mask signal.
In some alternative embodiments, before the slave device obtains the encoded mask signal from the bus, the method includes:
The master device obtains the mask signal from a random number generation module;
the master device performs error detection code encoding operation on the mask signal to obtain the encoded mask signal, and transmits the encoded mask signal to the bus;
the bus decodes and verifies the encoded mask signal.
In some alternative embodiments, the master device generates address signals for transmission to the slave device;
the master device performs error detection code encoding operation on the address signals and sends the encoded address signals to the slave device;
the bus decodes and verifies the encoded address signals;
and the slave equipment decodes and verifies the encoded address signals to obtain the address signals.
In some alternative embodiments, the master device sends an address signal to the slave device;
the bus performs error detection code encoding operation on the address signals to obtain encoded address signals;
and the slave equipment decodes and verifies the encoded address signals to obtain the address signals.
In some alternative embodiments, after the first device performs an error detection code encoding operation on the mask data signal to obtain the encoded mask data signal, the method includes: the bus decodes and verifies the encoded mask data signal.
In a second aspect, there is provided an encryption apparatus for a signal, comprising:
a first device that generates a data signal for transmission to a second device;
a second device; for receiving the data signal;
a bus for connecting the first device and the second device and for transmitting the data signal;
a masking module, configured to perform masking operation on the data signal to obtain a masked data signal;
the data coding module is used for performing error detection code coding operation on the mask data signals to obtain coded mask data signals;
the second device further comprises a data decoding module, wherein the data decoding module is used for decoding and checking the coded mask data signal to obtain the mask data signal; the verification operation refers to judging whether the data signal is attacked in the transmission process according to the coded mask data signal.
In some alternative embodiments, the masking module includes a logic operation module; the apparatus further includes a random number generation module;
the random number generation module is used for generating a mask signal;
the logic operation module comprises an exclusive OR logic operation module and/or an addition arithmetic operation module; the logic operation module is used for obtaining the mask signal and obtaining the mask data signal according to the data signal and the mask signal.
In some alternative embodiments, the first device includes the masking module and the data encoding module.
In some alternative embodiments, the bus includes the mask module and the data encoding module.
In some optional embodiments, the first device is a master device and the second device is a slave device; the first device includes the random number generation module.
In some optional embodiments, the first device is a slave device and the second device is a master device; the slave device comprises a mask decoding module, wherein the mask decoding module is used for acquiring the coded mask signal from the bus and performing decoding and checking operations to obtain the mask signal.
In some alternative embodiments, the bus includes the random number generation module and a mask encoding module, where the mask encoding module is configured to perform an error detection code encoding operation on the mask signal to obtain the encoded mask signal.
In some alternative embodiments, the master device includes the random number generation module and a mask encoding module, where the mask encoding module is configured to perform an error detection code encoding operation on the mask signal, obtain the encoded mask signal, and transmit the encoded mask signal to the bus.
In a third aspect, there is provided a terminal device comprising:
a processor; and
a memory for storing a program for execution by the processor, the program comprising instructions to cause the processor to perform the method of any one of the first aspects.
According to the scheme provided by the embodiment of the application, in the process of data signal transmission, after the data signal is subjected to mask operation, clear text data transmission cannot occur in the data in the transmission process, and side channel attacks can be resisted; the data signal is subjected to error detection code encoding operation and decoding and checking operation by the second equipment in the transmission process, so that the encryption method has error detection capability, and can detect error injection attack of an attacker on the data signal in the transmission process, thereby improving the safety of the encryption method.
Drawings
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of an encryption device for signals;
FIG. 2 is a flow chart of an encryption method provided in an embodiment of the present application;
FIG. 3 is a schematic interaction diagram of a masking operation and an error detection code encoding operation for a data signal provided by an embodiment of the present application;
FIG. 4 is a schematic interaction diagram of another masking operation and error detection code encoding operation for a data signal provided by an embodiment of the present application;
FIG. 5 is a schematic interaction diagram of acquiring a mask signal according to an embodiment of the present application;
FIG. 6 is a schematic interaction diagram of another acquire mask signal provided by an embodiment of the present application;
FIG. 7 is a schematic interaction diagram of another acquire mask signal provided by an embodiment of the present application;
FIG. 8 is a schematic interaction diagram of an embodiment of the present application for acquiring an encoded mask signal;
FIG. 9 is a schematic interaction diagram of another acquisition of encoded mask signals provided by embodiments of the present application;
FIG. 10 is a schematic interaction diagram of address signaling provided by an embodiment of the present application;
FIG. 11 is a schematic interaction diagram of another address signaling provided by an embodiment of the present application;
Fig. 12 is a schematic structural diagram of an encryption device for signals according to an embodiment of the present application;
FIG. 13 is a circuit logic diagram of a security chip according to an embodiment of the present disclosure when a master device initiates a write operation;
FIG. 14 is a circuit logic diagram of a security chip according to an embodiment of the present disclosure when a master device initiates a data read operation;
FIG. 15 is a circuit logic diagram of a master device of another security chip according to an embodiment of the present application when initiating a write data operation;
fig. 16 is a circuit logic structure diagram of a master device of another security chip according to an embodiment of the present application when initiating a data reading operation.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the accompanying drawings.
It should be understood that the specific examples herein are intended only to facilitate a better understanding of the embodiments of the present application by those skilled in the art and are not intended to limit the scope of the embodiments of the present application.
It should also be understood that the formulas in the embodiments of the present application are only examples, and not limiting the scope of the embodiments of the present application, and that each formula may be modified and these modifications shall also fall within the scope of protection of the present application.
It should also be understood that, in various embodiments of the present application, the size of the sequence number of each process does not mean that the execution sequence of each process should be determined by its functions and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.
It should also be understood that the various embodiments described in this specification may be implemented alone or in combination, and that the examples herein are not limited in this regard.
Unless defined otherwise, all technical and scientific terms used in the examples of this application have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used in the present application is for the purpose of describing particular embodiments only and is not intended to limit the scope of the present application. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
Fig. 1 is a schematic diagram of a signal encryption device. As shown in fig. 1, the connection between the first device 100 and the second device 300 is collectively referred to as a bus 200. The signals on the general bus 200 may include control signals, response signals, address signals, data signals, and the like. It can be seen that a typical Bus 200 is an AHB Bus (Advanced High-performance Bus) and an APB Bus (Advanced Peripheral Bus, low-speed Bus), and that the data transfers on both buses 200 are all plain text data transfers. On one hand, an attacker can acquire related data through energy information in the transmission process and combining a side channel attack means; on the other hand, the general bus 200 does not have a self-checking function, and cannot detect an error injection attack. It will be appreciated that the fault injection attack includes various attack means for causing abnormality in the transmission signal, such as electromagnetic attack, voltage attack, temperature attack, optical attack, etc.
In order to cope with various attack means and reduce the risk of sensitive data leakage, a protection mode is needed to resist and detect the corresponding attack means.
In view of this, embodiments of the present application provide a signal encryption method, a signal encryption device, and a mobile terminal.
The first aspect of the present application provides an encryption method. Referring to fig. 2, fig. 2 is a flowchart of an encryption method according to an embodiment of the present application. The encryption method may be performed by an encryption device or a terminal apparatus or the like. Wherein the encryption device may be a security chip. The encryption method comprises the following steps:
s100: the first device generates a data signal for transmission to the second device, wherein the first device and the second device are connected by a bus.
Specifically, the first device may be a master device in a security chip, for example: a central processing unit (Central Processing Unit, CPU), direct memory access (Direct Memory Access, DMA), etc.; the second device may be a slave device in the security chip, for example: data encryption standard (Data Encryption Standard, DES), timer (Timer), etc.
Alternatively, the first device may be a slave device in the security chip, and the second device may be a master device in the security chip, which will not be described in detail herein.
Alternatively, the first device may be a central processing unit (Central Processing Unit, CPU) or the like of a terminal device (such as a mobile terminal or a Non-mobile terminal), and the second device may be a Non-volatile Memory (NVM), a random access Memory (Random Access Memory, RAM) or the like of the terminal device.
Alternatively, the first device may be a non-volatile memory, a random access memory, etc. of the terminal device, and the second device may be a central processor, etc. of the terminal device.
S200: in the process of data signal transmission, the data signal is subjected to masking operation to obtain a masking data signal.
Specifically, for example, the data signal may be denoted as data, and the resulting mask data signal may be denoted as data_mask after the masking operation. It can be understood that the data signal is converted from plaintext data into ciphertext data after the masking operation, so that the leakage of energy related to the plaintext data can be prevented, and the ciphertext data has the capability of resisting side channel attack.
S300: the mask data signal is subjected to an error detection code encoding operation to obtain an encoded mask data signal.
In particular, the error-detecting Code encoding operation may be based on a variety of error-detecting codes, such as the error-detecting Code may include One or more of a parity Code, one-hot Code (One-hot Code), error-detecting Code (Error Detecting Code, EDC), error-correcting Code (Error Correcting Code, ECC), and the like. Meanwhile, when the error detection code is selected, the error detection code can be selected by combining factors such as system resource occupation, hardware resource consumption and the like.
In a preferred embodiment, the error detection code encoding operation comprises: an error detection code encoding operation and/or an error correction code encoding operation. For example, the mask data signal is subjected to an error detection code encoding operation, and the obtained encoded mask data signal can be denoted as data_mask_edc; alternatively, the mask data signal is subjected to an error correction code encoding operation, and the resulting encoded mask data signal may be denoted as data_mask_ecc; or the mask data signal is subjected to an error detection code encoding operation and an error correction code encoding operation, and the resulting encoded mask data signal may be denoted as data_mask_edc_ecc or the like.
S400: the encoded mask data signal is used for decoding and checking operations by the second device, resulting in the mask data signal.
Specifically, the verification operation refers to judging whether the data signal is attacked in the transmission process according to the encoded mask data signal.
Specifically, the verification operation may be to perform an operation on the whole encoded mask data signal, to obtain an operation result. The operation result may include a determination result of whether the mask data signal is correct. When the judging result is correct, judging that the data signal is not attacked in the transmission process; and when the judging result is wrong, judging that the data signal is attacked in the transmission process.
In the scheme, in the process of data signal transmission, after the data signal is subjected to mask operation, clear text data transmission cannot occur in the data in the transmission process, and side channel attacks can be resisted; the data signal is subjected to error detection code encoding operation, decoding and checking operation in the transmission process, so that the encryption method has error detection capability, and can detect error injection attack of an attacker on the data signal in the transmission process, thereby improving the safety of the encryption method.
Fig. 3 is a schematic interaction diagram of a masking operation and an error detection code encoding operation for a data signal according to an embodiment of the present application, as shown in the drawing, in an alternative implementation, the step S200 may include the following:
s201a: the first device obtains a mask signal and obtains a mask data signal based on the mask signal and the data signal.
The step S300 may include the following:
s301a: the first device performs an error detection code encoding operation on the mask data signal to obtain an encoded mask data signal.
In the above scheme, the masking operation is performed in the first device, so that the first device can send ciphertext data to the second device, and leakage of energy related to plaintext data can be prevented, so that the ciphertext data can resist side channel attack; the error detection code encoding operation is performed in the first device, so that the mask data signal can be obtained in the first device, and then the error detection code encoding operation can be performed to obtain an encoded mask data signal, the encoded mask data signal has error detection capability, and the signal can detect error injection attack in a subsequent transmission process, namely, the security is improved in the subsequent transmission process. Therefore, the error detection capability of the encryption method can be improved, and the security of the encryption method can be further improved.
Fig. 4 is a schematic interaction diagram of another masking operation and an error detection code encoding operation for a data signal according to an embodiment of the present application. In another alternative embodiment, as shown in fig. 4, the step S200 may include the following:
s201b: the bus acquires a mask signal, and a mask data signal is obtained according to the mask signal and the data signal;
the step S300 may include the following:
s301b: the bus performs an error detection code encoding operation on the mask data signal to obtain an encoded mask data signal.
In the above scheme, the first device transmits plaintext data to the second device. After the clear text data is subjected to mask operation on the bus, mask data signals, namely ciphertext data, are transmitted on the bus, so that the leakage of related energy of the clear text data is prevented, and the ciphertext data can resist side channel attacks; the error detection code encoding operation is performed in the bus to obtain an encoded mask data signal in the bus, the encoded mask data signal has error detection capability and can detect error injection attacks of attackers, and the security of the encoded mask data signal in the subsequent transmission process is improved.
Fig. 5 is a schematic interaction diagram of acquiring a mask signal according to an embodiment of the present application. As shown in the figure, in an alternative embodiment, the first device is a master device, and the second device is a slave device, where the master device and the slave device may be the master device and the slave device in the security chip, and specific reference may be made to the related description of the corresponding embodiment of fig. 2, which is not repeated herein. It should be appreciated that the process of the master device generating a data signal for transmission to the slave device is the process of the master device initiating a write data operation. Step S201a described above: the first device obtaining the mask signal, and obtaining the mask data signal from the mask signal and the data signal may include:
S2011a: the master device acquires a mask signal from the random number generation module, and performs exclusive OR logic operation and/or addition arithmetic operation on the mask signal and the data signal to obtain a mask data signal.
Specifically, the random number generation module may include a true random number generation module and a pseudo random number generation module; the mask signal may include a random number signal, and the use of the random number signal as the mask signal may improve the ability of the data signal to resist side channel attacks, thereby improving the security of the encryption method.
Specifically, in an alternative embodiment, a random number generation module may be configured in the bus, from which the master device obtains the mask signal.
In a preferred embodiment, the master device includes a random number generation module, and the master device acquires the mask signal from the random number generation module configured inside the master device, so that the security of the process of acquiring the mask signal can be improved, and the risk of the mask signal being attacked by error injection in the transmission process can be reduced.
In the above embodiment, after the master device acquires the mask signal, it may preferably perform an exclusive-or logic operation according to the mask signal and the data signal to obtain the mask data signal. The operation process is as follows: mask data signal = data signal =mask signal, where "" represents exclusive or logic operation procedure.
In the scheme, the mask data signal is obtained by exclusive OR operation, so that the consumption of system or hardware resources can be reduced under the condition of ensuring the security of the encryption method of the signal.
Alternatively, in an alternative embodiment, after the master device acquires the mask signal, an addition arithmetic operation may be performed according to the mask signal and the data signal to obtain the mask data signal. The operation process is as follows: mask data signal = data signal + mask signal, where "+" represents the addition arithmetic operation procedure.
Alternatively, in an alternative embodiment, after the master device acquires the mask signal, the mask data signal may be obtained by performing an exclusive-or operation and an addition operation according to the mask signal and the data signal. For example, the above operation process is as follows: mask data signal= (data signal+mask signal) = mask signal. Where # "indicates exclusive or logical operation, and" + "indicates addition arithmetic operation.
The mask data signal obtained by the operation of the data signal in the master device is ciphertext data, namely the master device sends the ciphertext data to the slave device, so that the leakage of the related energy of the plaintext data can be prevented, the ciphertext data can resist side channel attack, and the safety of data signal transmission is improved.
Further, in this embodiment, the slave device may further restore the mask data signal to a data signal, that is, plaintext data, so as to perform subsequent computation or processing on the data signal, where the restoring process may include the following steps:
s700a: the master device performs error detection code encoding operation on the mask signal to obtain an encoded mask signal;
s701a: obtaining the coded mask signal from equipment, and decoding and checking the coded mask signal to obtain the mask signal;
s702a: the slave device obtains the data signal from the mask signal and the mask data signal. Specifically, the slave device may obtain the data signal by performing a demask operation based on the mask signal and the mask data signal. For example, the data signal may be represented by data, the mask data signal may be represented by data_mask, and the mask signal may be represented by mask, and the above operation procedure may be represented as: data=data_mask, where "ζ" denotes a demask operation.
It should be appreciated that the masking signal is the same masking signal that the master device performs the masking operation on the data signal, so that the slave device may perform the demapping operation based on the masking signal to obtain the demasked data signal.
In other embodiments, the slave device may directly perform subsequent calculations or processing on the mask data signal without recovering the mask data signal as a data signal. For example, the slave device may calculate or process the mask data signal based on an algorithm implementing the mask data signal and the mask signal correlation.
In the scheme, the random number signal generated by the random number generation module is used as the mask signal, so that the capability of the data signal for resisting the side channel attack can be improved, and the security of the encryption method is improved; and the exclusive OR logic operation and/or the addition arithmetic operation are/is carried out on the mask signal and the data signal in the master device, so that the master device can send ciphertext data to the slave device, further the side channel attack can be resisted, and the safety of data signal transmission is improved.
Fig. 6 is a schematic interaction diagram of another capturing mask signal according to an embodiment of the present application. As shown in the figure, in another optional implementation manner, the first device is a slave device, and the second device is a master device, where the master device and the slave device may be the master device and the slave device in the security chip, and specific reference may be made to the related description of the corresponding embodiment of fig. 2, which is not repeated herein. It should be appreciated that the process of the slave device generating a data signal for transmission to the master device is the process of the master device initiating a read data operation. Step S201a described above: the first device obtaining the mask signal, and obtaining the mask data signal from the mask signal and the data signal may include:
S2011b: the slave device obtains the coded mask signal from the bus;
s2012b: the slave device decodes and verifies the coded mask signal to obtain a mask signal;
specifically, the slave device decodes and verifies the coded mask signal, so that whether the mask signal is attacked by error injection when the mask signal is transmitted on the bus can be judged, and the safety of mask signal transmission is improved.
S2013b: the slave device performs exclusive-or and/or addition arithmetic operations on the mask signal and the data signal to obtain a mask data signal.
Specifically, in the embodiment corresponding to fig. 5, the process of performing the exclusive-or operation and/or the addition arithmetic operation on the mask signal and the data signal to obtain the mask data signal has been described, which will not be described herein.
In the scheme, the slave device acquires the coded mask signal from the bus, and the coded mask signal is decoded and checked in the slave device to judge whether the mask signal is attacked by error injection when being transmitted on the bus, so that the safety of mask signal transmission is improved; and the slave device performs mask operation on the data signal, so that the slave device can send ciphertext data to the master device, and the ciphertext data can resist side channel attack, thereby improving the safety of data signal transmission.
Fig. 7 is a schematic interaction diagram of another capturing mask signal according to an embodiment of the present application. As shown in the figure, in another optional implementation manner, the first device is a master device, and the second device is a slave device, where the master device and the slave device may be the master device and the slave device in the security chip, and specific reference may be made to the related description of the corresponding embodiment of fig. 2, which is not repeated herein. It should be appreciated that the process of the master device generating a data signal for transmission to the slave device is the process of the master device initiating a write data operation; step S201b described above: the bus acquiring the mask signal, and obtaining the mask data signal according to the mask signal and the data signal may include:
s2011c: the bus acquires a mask signal from the random number generation module, and performs exclusive OR logic operation and/or addition arithmetic operation on the mask signal and the data signal to obtain a mask data signal.
Specifically, the master device generates a data signal that is transmitted to the bus, i.e., the master device sends the plaintext data. The bus acquires a mask signal from the random number generation module, and carries out exclusive OR logic operation and/or addition arithmetic operation according to the mask signal and the data signal to obtain a mask data signal, so that data transmitted on the bus are ciphertext data, side channel attack can be resisted, and the safety of data signal transmission is improved. Exclusive or and/or additive arithmetic operations have been described in the corresponding embodiment of fig. 5 and are not described here.
Further, in this embodiment, the slave device may further restore the mask data signal to a data signal, and perform subsequent calculation or processing on the data signal, where the restoration process to the data signal may include the following:
s700b: the bus performs error detection code encoding operation on the mask signal to obtain an encoded mask signal;
s701b: the slave device obtains the coded mask signal, and decodes and verifies the coded mask signal to obtain the mask signal;
s702b: the slave device obtains the data signal from the mask signal and the mask data signal.
Specifically, the process of obtaining the data signal by the slave device through the demapping operation based on the mask signal and the mask data signal is described in the corresponding embodiment of fig. 5, which is not described herein.
It should be appreciated that the masking signal is the same masking signal that masks the data signal with the bus, so that the slave device may implement the demapping operation based on the masking signal to obtain the demapped data signal.
In other embodiments, referring to the related description of the corresponding embodiment of fig. 5, the slave device may directly perform subsequent computation or processing on the mask data signal, without recovering the mask data signal into a data signal, which is not described herein.
Fig. 8 is a schematic interaction diagram of acquiring an encoded mask signal according to an embodiment of the present application. As shown, in an alternative embodiment, in step S2011b described above: the slave device may include the following before fetching the encoded mask signal from the bus:
s2010a: the bus acquires a mask signal from the random number generation module, and performs error detection code encoding operation on the mask signal to obtain an encoded mask signal.
Specifically, the bus performs error detection code encoding operation on the mask signal to obtain an encoded mask signal, the encoded mask signal has error detection capability, and the signal can be decoded and checked by the slave device, so that an attacker can detect error injection attack on the mask signal transmitted on the bus, and the security of the encryption method is improved.
It should be understood that the bit width of the mask signal may be the same as the bit width of the data signal, and the bit width of the mask signal may be generally 32 bits or 64 bits, and the proportion of the bit width occupied by the mask signal is larger in all signals transmitted on the bus, so that the error detection code encoding operation of the mask signal by the bus may be performed, thereby improving the error detection capability of the encryption method and further improving the security of the transmission of the mask signal.
Further, in this embodiment, the master device may further restore the mask data signal to a data signal, and perform subsequent calculation or processing on the data signal, where the process of restoring to the data signal may include the following:
s700b: the master device obtains the coded mask signal from the bus, and decodes and verifies the coded mask signal to obtain the mask signal;
s701b: the master device obtains the data signal from the mask signal and the mask data signal.
Specifically, the process of obtaining the data signal by the master device through the demapping operation based on the mask signal and the mask data signal is similarly described in the corresponding embodiment of fig. 5, and will not be described herein.
It should be appreciated that the masking signal is the same masking signal that the slave device performs the masking operation on the data signal, so that the master device may perform the demapping operation based on the masking signal to obtain the demasked data signal.
In other embodiments, referring to the corresponding embodiment of fig. 5, similarly, the master device may directly perform subsequent computation or processing on the mask data signal, without recovering the mask data signal into a data signal, which is not described herein.
Fig. 9 is a schematic interaction diagram of another method for acquiring encoded mask signals according to an embodiment of the present application. As shown, in an alternative embodiment, in step S2011b described above: the slave device may include the following before fetching the encoded mask signal from the bus:
s2008b: the master device obtains a mask signal from the random number generation module;
s2009b: the master device performs an error detection code encoding operation on the mask signal to obtain an encoded mask signal, and transmits the encoded mask signal to the bus.
Specifically, the master device performs an error detection code encoding operation on the mask signal, so that the error detection capability of the encryption method on the mask signal can be improved. Because the error detection code encoding operation is performed in the master device, the mask signal can be subjected to the error detection code encoding operation after being generated to obtain an encoded mask signal, and the encoded mask signal has error detection capability, so that an error injection attack can be detected in a subsequent transmission process, namely, the security is improved in the subsequent transmission process.
Optionally, step S2010b may be further included after step S2009b described above: the bus decodes and verifies the encoded mask signal.
Specifically, the bus decodes and verifies the coded mask signal, so that whether the mask signal is attacked in the transmission process can be judged on the bus, and the safety of mask signal transmission is improved.
Further, in this embodiment, the master device may further restore the mask data signal to a data signal, and perform subsequent computation or processing on the data signal, where the restoration process to the data signal may include the following:
s700b: the master device obtains the mask signal from the random number generation module;
s701b: the master device obtains the data signal from the mask signal and the mask data signal.
Specifically, the master device may obtain the mask data signal by performing a demask operation based on the mask signal and the mask data signal, which is similarly described in the corresponding embodiment of fig. 5, and is not described herein.
It should be appreciated that the masking signal is the same masking signal that the slave device performs the masking operation on the data signal, so that the master device may perform the demapping operation based on the masking signal to obtain the demasked data signal.
In other embodiments, referring to the embodiment corresponding to fig. 5, the master device may directly perform subsequent computation or processing on the mask data signal, without recovering the mask data signal into a data signal, which is not described herein.
Fig. 10 is a schematic interaction diagram of address signal transmission according to an embodiment of the present application. As shown, in an alternative embodiment, the steps of the embodiments corresponding to fig. 5 and 9 may further include the following:
s500a: the master device generating an address signal for transmission to the slave device;
in particular, address signals may be used to select a given memory cell and I/O device port.
S501a: the master device performs error detection code encoding operation on the address signals and sends the encoded address signals to the slave device;
s503a: the slave device decodes and verifies the encoded address signal to obtain the address signal.
Specifically, the slave device decodes and verifies the encoded address signal, so that whether the address signal is attacked by error injection before being transmitted to the slave device can be judged, and the safety of address signal transmission is improved.
Optionally, step S502a may be further included after step S501a described above: the bus decodes and verifies the address signal after encoding;
Specifically, the bus decodes and verifies the encoded address signals, so that whether the address signals are attacked in the transmission process can be judged on the bus, and the safety of the address signal transmission is further improved.
In the above scheme, the bit width of the address signal can be 32 bits or 64 bits generally, and the proportion of the occupied bit width of the address signal is large in all signals transmitted on the bus, so that the error detection code encoding operation is performed on the address signal, the error detection capability of the encryption method can be improved, and the safety of the address signal transmission is improved.
Fig. 11 is a schematic interaction diagram of another address signal transmission provided in an embodiment of the present application. As shown, in another alternative embodiment, the steps of the embodiments corresponding to fig. 7 and 8 may further include the following:
s500b: the master device sends an address signal to the slave device;
in particular, address signals may be used to select a given memory cell and I/O device port.
S501b: performing error detection code encoding operation on the address signals by the bus to obtain encoded address signals;
s502b: the slave device decodes and verifies the encoded address signal to obtain the address signal.
In the above scheme, the bit width of the address signal can be 32 bits or 64 bits generally, and the proportion of the occupied bit width of the address signal is larger in all signals transmitted on the bus, so that the bus performs error detection code encoding operation on the address signal, thereby improving the error detection capability of the encryption method and improving the security of address signal transmission.
It will be appreciated that in the above scheme, generation (transmission) of the address signal and the data signal is not limited in timing, and the address signal may be generated (transmitted) first to regenerate (transmit) the data signal; alternatively, the address signal may be regenerated (transmitted) by first generating (transmitting) the data signal; alternatively, the address signal and the data signal may be generated (transmitted) at the same time.
Further, in an alternative embodiment, step S301a in the examples corresponding to fig. 3, 5, 6, 8 and 9: the first device performs an error detection code encoding operation on the mask data signal to obtain an encoded mask data signal, and the method may further include:
s600: the bus decodes and verifies the encoded mask data signal.
Specifically, the bus decodes and checks the encoded mask data signals, so that the bus can check the encoded mask data signals transmitted on the bus in real time, whether the data signals are attacked in the transmission process is judged on the bus, and the safety of data signal transmission is further improved.
Further, when the bus judges that the data signal is attacked in the transmission process through the verification operation, the bus generates an alarm signal.
In another embodiment, the second device generates an alarm signal when the second device determines that the data signal is attacked in the transmission process through the verification operation.
Further, the encryption device may respond according to the alarm signal, and the response may include: resetting the encryption device, interrupting the operation of the encryption device, or erasing the encryption device-related storage, etc.
Optionally, the master device may also send a control signal to the slave device, and the slave device may send a response signal to the master device;
further, the control signal may undergo an error detection code encoding operation (the error detection code encoding operation may occur in the bus or the master device), and then undergo decoding and verification operations by the slave device; the response signal may undergo an error detection code encoding operation (the error detection code encoding operation may occur in the bus or the slave device), and then the master device performs decoding and checking operations, so as to improve the error detection capability of the two signals, and detect an error injection attack, thereby improving the security of the two signal transmissions.
According to the signal encryption method, in the data signal transmission process, after the data signal is subjected to mask operation, plaintext data transmission cannot occur in the data in the transmission process, and side channel attacks can be resisted; the data signal is subjected to error detection code encoding operation and decoding and checking operation by the second equipment in the transmission process, so that the encryption method has error detection capability, and can detect error injection attack of an attacker on the data signal in the transmission process, thereby improving the safety of the encryption method.
Performing masking operation on the bus to enable ciphertext data to be transmitted on the bus, wherein the ciphertext data can resist side channel attack; the error detection code encoding operation is performed on the bus, and an encoded mask data signal with error detection capability can be obtained on the bus, and the safety of the signal is improved in the subsequent transmission process;
masking operation is carried out in the first device, so that the first device sends ciphertext data to the second device, and the ciphertext data can resist side channel attack; the error detection code encoding operation is performed in the first device, so that the error detection code encoding operation can be performed after the mask data signal is obtained in the first device to obtain an encoded mask data signal with error detection capability, and the safety of the signal is improved in the subsequent transmission process;
The random number signal generated by the random number generation module is used as a mask signal, so that the capability of the data signal for resisting side channel attack can be improved, and the security of an encryption scheme is improved; the master device comprises a random number generation module, so that the security of the process of acquiring the mask signal by the master device can be improved;
the bus decodes and checks the coded mask data signals, so that the bus can check the coded mask data signals transmitted on the bus in real time, whether the data signals are attacked in the transmission process is judged on the bus, and the safety of data signal transmission is further improved.
A second aspect of the present application provides an encryption device 20 for a signal. Referring to fig. 12, fig. 12 is a schematic structural diagram of an encryption device 20 for signals according to an embodiment of the present application, including:
the first device 100 generates a data signal for transmission to the second device 300;
a second device 300 for receiving a data signal;
a bus 200 for connecting the first device 100 and the second device 300 and for transmitting data signals;
a masking module 201, configured to perform a masking operation on the data signal to obtain a masked data signal;
A data encoding module 202, configured to perform an error detection code encoding operation on the mask data signal, to obtain an encoded mask data signal;
in particular, the data encoding module may include One or more of a parity Code module and a One-hot Code module, an error detection Code (Error Detecting Code, EDC) encoding module, an error correction Code (Error Correcting Code, ECC) encoding module, and the like. Meanwhile, when the data coding module is selected, the data coding module can be selected by combining factors such as system resource occupation, hardware resource consumption and the like.
In a preferred embodiment, the data encoding module may include an error detection code encoding module, an error correction code encoding module. The error detection code encoding module can perform error detection code encoding operation on the data signal; the error correction code encoding module may perform error correction code encoding operations on the data signal, where the two operations are described in the corresponding embodiment of fig. 1, and are not described herein.
The second device 300 further comprises a data decoding module 203, where the data decoding module 203 is configured to perform decoding and checking operations on the encoded mask data signal to obtain a mask data signal; the verification operation refers to judging whether the data signal is attacked in the transmission process according to the coded mask data signal.
In the above scheme, during the transmission of the data signal, after the data signal passes through the masking operation of the masking module 201, the data in the transmission process will not be transmitted in the clear, so that the side channel attack can be resisted; the data signal is subjected to the error detection code encoding operation of the data encoding module 202 and the decoding and checking operation of the data decoding module 203 configured in the second device 300 in the transmission process, so that the encryption device of the signal has error detection capability, and can detect the error injection attack of an attacker on the data signal in the transmission process, thereby improving the security of the encryption device.
Further, the mask module 201 may include a logic operation module, where the logic operation module may include an exclusive or logic operation module and an addition arithmetic operation module; the encryption means 20 of the signal comprise a random number generation module for generating a masking signal. It will be appreciated that the random number generation module may include a true random number generation module and a pseudo random number generation module, and the random number generation module is described in the corresponding embodiment of fig. 5, and is not described herein.
The logic operation module is used for obtaining a mask signal and obtaining a mask data signal according to the data signal and the mask signal. The exclusive-or logic operation module included in the logic operation module can perform exclusive-or logic operation on the mask signal and the data signal; the logic operation module includes an addition arithmetic operation module that performs an addition arithmetic operation on the mask signal and the data signal. The above operation process is described in the corresponding embodiment of fig. 5, and is not described herein.
In an alternative embodiment, the first device 100 includes a masking module 201 and a data encoding module 202.
The mask module 201 is configured in the first device 100, so that the masking operation can be performed in the first device 100, and further, the first device 100 sends ciphertext data to the second device 300, so that leakage of related energy of plaintext data can be prevented, and therefore, the ciphertext data can resist side channel attack;
the data encoding module 202 is configured in the first device 100, so that the error detection code encoding operation can be performed in the first device, so that the mask data signal can be obtained in the first device 100, and then the error detection code encoding operation can be performed to obtain an encoded mask data signal, and the encoded mask data signal has an error detection capability, and can detect an error injection attack in a subsequent transmission process, that is, the security is improved in the subsequent transmission process. Therefore, the error detection capability of the encryption device 20 can be improved, and the security of the encryption device 20 can be further improved.
Further, the bus 200 may include a data decoding module 203. Specifically, the data decoding module 203 configured on the bus 200 decodes and verifies the encoded mask data signal, so that the bus 200 can verify the encoded mask data signal transmitted on the bus 200 in real time, thereby implementing that whether the data signal is attacked in the transmission process on the bus 200, and improving the security of data signal transmission.
Further, in an alternative embodiment, the first device 100 is a master device, and the second device 300 is a slave device, where the master device and the slave device may be a master device and a slave device in a security chip, and specific reference may be made to an embodiment corresponding to fig. 2, which is not described herein. The first device 100 comprises a random number generation module. Specifically, the random number generating module is configured in the main device, so that the main device can acquire the mask signal from the random number generating module configured in the main device, the security of the process of acquiring the mask signal can be improved, and the risk of error injection attack on the mask signal in the transmission process is reduced.
In another alternative embodiment, the first device 100 is a slave device, and the second device 300 is a master device, where the master device and the slave device may be a master device and a slave device in a security chip, and specific reference may be made to an embodiment corresponding to fig. 2, which is not described herein. The slave device includes a mask decoding module, which is configured to obtain the encoded mask signal from the bus 200, and perform decoding and checking operations to obtain the mask signal. It should be appreciated that the process of the slave device generating a data signal for transmission to the master device is the process of the master device initiating a read data operation.
Specifically, the mask decoding module is configured in the slave device, and decodes and verifies the encoded mask signal to obtain the mask signal, so as to determine whether the mask signal is attacked by error injection when transmitted on the bus 200, thereby improving the security of mask signal transmission.
Further, in an alternative embodiment, bus 200 includes a random number generation module and a mask encoding module, where the mask encoding module is configured to perform an error detection code encoding operation on the mask signal to obtain the encoded mask signal.
Specifically, the mask encoding module on the bus 200 performs an error detection code encoding operation on the mask signal to obtain an encoded mask signal, where the encoded mask signal has an error detection capability, and the encoded mask signal can be decoded and checked by the slave device, so that an attacker can detect an error injection attack on the mask signal transmitted on the bus 200, and the security of the encryption device 20 is improved.
Further, in another alternative embodiment, the master device includes a random number generating module 205 and a mask encoding module 208, where the mask encoding module 208 is configured to perform an error detection encoding operation on the mask signal to obtain an encoded mask signal, and transmit the encoded mask signal to the bus 200.
Specifically, the random number generating module 205 configured in the master device generates a mask signal, and the mask encoding module 208 configured in the master device performs an error detection code encoding operation on the mask signal, so that the error detection capability of the encryption device on the mask signal can be improved. Because the error detection code encoding operation is performed in the master device, the mask signal can be generated in the master device, and then the error detection code encoding operation can be performed to obtain an encoded mask signal, and the encoded mask signal has error detection capability, so that an error injection attack can be detected in a subsequent transmission process, that is, the security is improved in the subsequent transmission process.
Further, in an alternative implementation manner, the foregoing embodiment may further include the following:
the master device generating an address signal for transmission to the slave device;
in particular, address signals may be used to select a given memory cell and I/O device port.
The master device comprises an address coding module;
specifically, the address coding module is used for performing error detection code coding operation on the address signals to obtain coded address signals; transmitting the encoded address signals to the bus;
The slave device comprises an address decoding module;
specifically, the address decoding module configured in the slave device acquires the encoded address signal from the bus, and decodes and verifies the signal, so that whether the signal is attacked by error injection before being transmitted to the address decoding module can be judged, and the safety of address signal transmission is improved.
Optionally, the bus includes an address decoding module;
specifically, the bus decodes and verifies the encoded address signals, so that whether the address signals are attacked in the transmission process can be judged on the bus, and the safety of the address signal transmission is further improved.
In another alternative embodiment, bus 200 includes a mask module 201 and a data encoding module 202.
Wherein the first device 100 sends plaintext data to the second device 300. After the plaintext data is subjected to the masking operation of the masking module 201 on the bus 200, a masking data signal, i.e. ciphertext data, is transmitted on the bus 200, so that the leakage of the related energy of the plaintext data is prevented, and the ciphertext data can resist side channel attack.
The data encoding module 202 is configured in the bus 200, that is, the error detection code encoding operation is performed in the bus, so that an encoded mask data signal can be obtained in the bus, the signal has error detection capability and can detect error injection attack of an attacker, and the security of the signal in the subsequent transmission process is improved.
Further, in an alternative embodiment, the first device 100 is a master device, and the second device 300 is a slave device, the above embodiments may further include the following:
the master device sends an address signal to the slave device;
in particular, address signals may be used to select a given memory cell and I/O device port.
The bus comprises an address coding module;
specifically, the address coding module performs error detection code coding operation on the address signal to obtain a coded address signal;
the slave device includes an address decoding module.
Specifically, the address decoding module configured in the slave device decodes and verifies the encoded address signal, so that whether the signal is attacked in the process of transmitting the signal on the bus can be judged, and the safety of address signal transmission is improved.
Optionally, in the foregoing embodiments, when the data decoding module 203 determines that the data signal is attacked during transmission through the verification operation, the data decoding module 203 generates an alarm signal.
Further, the encryption device 20 of the signal may respond according to the alarm signal, and the response may include: resetting the encryption device, interrupting the operation of the encryption device, or erasing the encryption device-related storage, etc.
Optionally, similar to the encryption method provided in the first aspect, the master device may further send a control signal to the slave device, and the slave device may send a response signal to the master device, which is not described herein.
In the signal encryption device 20 provided in the second aspect of the present application, after the data signal is subjected to the masking operation of the masking module 201 in the data signal transmission process, the data in the transmission process will not be transmitted in plaintext, so that the side channel attack can be resisted; the data signal is subjected to the error detection code encoding operation of the data encoding module 202 and the decoding and checking operation of the data decoding module 203 configured in the second device 300 in the transmission process, so that the encryption device of the signal has error detection capability, and can detect the error injection attack of an attacker on the data signal in the transmission process, thereby improving the security of the encryption device 20;
the masking module 201 is configured in the first device 100, so that the masking operation can be performed in the first device 100, and further the first device 100 sends ciphertext data to the second device 300, where the ciphertext data can resist side channel attack; the data encoding module 202 is configured in the first device 100, so that the error detection code encoding operation can be performed in the first device, so that the mask data signal can be obtained in the first device 100, and then the error detection code encoding operation can be performed to obtain an encoded mask data signal, which has an error detection capability, that is, the security in the subsequent transmission process is improved, and the security of the encryption device 20 is improved;
The mask module 201 is configured on the bus 200, so that ciphertext data can be transmitted on the bus 200, and the ciphertext data can resist side channel attack; the data encoding module 202 is configured in the bus 200, that is, the error detection code encoding operation is performed in the bus, so that an encoded mask data signal can be obtained in the bus, the signal has an error detection capability, the security in the subsequent transmission process is improved, and the security of the encryption device 20 is improved;
the random number signal generated by the random number generation module is used as a mask signal, so that the capability of the data signal for resisting side channel attack can be improved, and the security of an encryption scheme is improved; the security of the process of the master device obtaining the mask signal can be improved by the master device comprising the random number generation module, and the security of the encryption device 20 is improved;
bus 200 may include a data decoding module 203, which decodes and verifies the encoded mask data signal, so that bus 200 performs real-time verification on the encoded mask data signal transmitted on bus 200, thereby implementing the determination on bus 200 whether the data signal is attacked during transmission, improving the security of data signal transmission, and improving the security of encryption device 20.
The application of the encryption method provided in the first aspect of the present application to the encryption device 20 for signals provided in the second aspect of the present application will be described in detail below in connection with several specific embodiments, and in particular, the encryption device 20 for signals may include a security chip 30.
First embodiment:
referring to fig. 13, fig. 13 is a circuit logic structure diagram of a master device of a security chip according to an embodiment of the present application when initiating a data writing operation. Optionally, as a first specific embodiment, the first device 100 is a master device, and the second device 300 is a slave device, and descriptions of the master device and the slave device may refer to the corresponding embodiments in fig. 2, which are not described herein again; the master device is connected to the slave device through the bus 200, and the master device is configured to generate a data signal to be transmitted to the slave device.
As shown in fig. 13, the bus 200 includes a data encoding module 202, a masking module 201, and a random number generation module 205. The master generates a data signal and sends the data signal to the mask module 201; the random number generating module 205 generates a mask signal, the mask signal is transmitted to the mask module 201, the mask module 201 obtains a mask data signal according to the data signal and the mask signal, the mask data signal is transmitted to the data encoding module 202, and the encoded mask data signal is obtained through error detection code encoding operation;
The slave device may comprise a data decoding module 203, the data decoding module 203 receiving the encoded mask data signal and performing a decoding and checking operation on the encoded mask data signal to obtain a mask data signal. The verification operation refers to judging whether the data signal is attacked in the transmission process according to the coded mask data signal.
In the above scheme, after the data signal is subjected to the mask operation of the mask module 201 configured on the bus 200, the signal transmitted on the bus 200 is ciphertext data, so that the leakage of the related energy of the plaintext data can be effectively prevented, and the side channel attack can be further resisted; and, the mask data signal is subjected to the error detection code encoding operation of the data encoding module 202 configured on the bus 200 to obtain an encoded mask data signal, and the encoded mask data signal is subjected to the decoding and checking operation of the data decoding module 203 configured in the slave device, so that whether the data signal is attacked by error injection in the transmission process can be judged, and the safety of data signal transmission is improved.
Optionally, with continued reference to fig. 13, the master device may also send address signals to the slave devices. Bus 200 may further include an address encoding module 209, where the address signal is encoded by an error detection code of address encoding module 209 to obtain an encoded address signal; the slave device may further comprise an address decoding module 210, where the address decoding module 210 receives the encoded address signal, decodes and verifies the encoded address signal, so as to determine whether the address signal is attacked during transmission, i.e. the bus 200 has an error detection capability for the address signal, and is capable of detecting an error injection attack of an attacker on the address signal transmitted on the bus 200.
Optionally, with continued reference to fig. 13, the bus 200 may further include a mask encoding module 208, and the mask signal generated by the random number generating module 205 may be sent to the mask encoding module 208, and subjected to an error detection code encoding operation to obtain an encoded mask signal; the slave device may include a mask decoding module 207, where the mask decoding module 207 obtains the encoded mask signal, decodes and verifies the encoded mask signal to obtain a mask signal, so as to determine whether the mask signal is attacked during transmission, that is, the bus 200 has an error detection capability for the mask signal, and can detect an error injection attack of an attacker on the mask signal transmitted on the bus 200.
Optionally, with continued reference to fig. 13, for performing subsequent computation or processing on the mask data signal, the slave device may include a demasking module 211, where the demasking module 211 may obtain the mask signal and the mask data signal, and perform a demasking operation on the mask data signal, where the demasking operation may specifically refer to a related description of the corresponding embodiment of fig. 5, which is not repeated herein.
In other embodiments, the slave device may include a mask operation module that may directly perform subsequent calculations or processing, etc., on the received mask data signal without recovering the mask data signal as a data signal. Reference may be made specifically to the relevant description of the corresponding embodiment of fig. 5, which is not repeated here.
Optionally, when the address decoding module 210 or the data decoding module 203 or the mask decoding module 207 determines that the address signal or the data signal or the mask signal is attacked in the transmission process through the verification operation, the address decoding module 210 or the data decoding module 203 or the mask decoding module 207 gives an alarm signal, and the security chip 30 responds according to the alarm signal, for example: resetting the chip, interrupting the operation of the chip, or erasing the chip-related memory, etc.
Second embodiment
As a second specific embodiment, optionally, the first device 100 is a slave device, and the second device 300 is a master device, and the description of the master device and the slave device may refer to the corresponding embodiment of fig. 2, which is not repeated herein; the master device is connected to the slave device through the bus 200, and the slave device is configured to generate a data signal to be transmitted to the master device.
Fig. 14 is a circuit logic structure diagram of a master device of the security chip 30 according to an embodiment of the present application when initiating a data reading operation, as shown in fig. 14, as a second specific embodiment, a slave device includes a mask module 201, a data encoding module 202, and a mask decoding module 207a.
It should be understood that in the embodiments described below, the modules that are identical in function, but are disposed at different locations of the security chip 30, are distinguished by the english letters a and b on the reference numerals. For example, the reference number of the mask encoding module configured in the slave device may be 207a, and the reference number of the mask encoding module configured in the master device may be 207b, which will not be described in detail.
Bus 200 includes a random number generation module 205 and a mask encoding module 208; the random number generation module 205 generates a mask signal, the mask signal is transmitted to the mask encoding module 208, and the encoded mask signal is obtained through an error detection code encoding operation;
the mask decoding module 207a configured in the slave device obtains the encoded mask signal, decodes and verifies the encoded mask signal to obtain a mask signal, and the verification operation can determine whether the mask signal is attacked in the transmission process, that is, the bus 200 has error detection capability on the mask signal in this embodiment, so that an attacker can detect an error injection attack on the mask signal transmitted on the bus 200.
The mask module 201 provided in the slave device acquires the data signal and the mask signal, and obtains the mask data signal from the data signal and the mask signal. Specifically, the mask module 201 is configured in the slave device, so that the slave device can send ciphertext data to the master device, and leakage of energy related to the plaintext data can be prevented, so that the ciphertext data can resist side channel attack;
The data encoding module 202 configured in the slave device acquires the mask data signal and performs an error detection code encoding operation on the mask data signal to obtain an encoded mask data signal. Specifically, the data encoding module is configured in the slave device, so that the error detection capability of the security chip 30 on the data signal can be improved. Because the data encoding module is configured in the slave device, the error detection code encoding operation can be performed in the slave device, that is, the mask data signal can be obtained in the slave device, and then the error detection code encoding operation can be performed to obtain an encoded mask data signal, which has error detection capability and can detect error injection attack in the subsequent transmission process, that is, the security is improved in the subsequent transmission process. Thus, the error detection capability and security of the data signal by the security chip 30 are improved.
The master device may include a data decoding module 203a, where the data decoding module 203a obtains the encoded mask data signal, and performs decoding and checking operations on the encoded mask data signal to obtain a mask data signal;
optionally, the bus 200 includes a data decoding module 203b, where the data decoding module 203b decodes and verifies the encoded mask data signal, so that the bus 200 can verify the encoded mask data signal transmitted on the bus 200 in real time, thereby implementing that whether the data signal is attacked in the transmission process on the bus 200 is judged, and improving the security of data signal transmission.
In the above-described scheme, the slave device includes a mask decoding module 207a that can determine whether the mask signal is attacked during transmission; after the data signal is subjected to the mask operation of the mask module 201 configured in the slave device, the data sent by the slave device can be ciphertext data, and the data transmitted on the bus 200 is also ciphertext data, so that the leakage of the related energy of the plaintext data can be effectively prevented, and the side channel attack can be further resisted; the mask data signal is subjected to an error detection code encoding operation of the data encoding module 202 provided in the slave device to obtain an encoded mask data signal having an error detection capability, which is subjected to a decoding and checking operation of the data decoding module 203a provided in the master device to determine whether the data signal is attacked during transmission.
Similar to the first embodiment, the master device may optionally also send an address signal to the slave device, which will not be described here.
Similar to the first embodiment, optionally, for performing subsequent computation or processing on the mask data signal, the master device may include a demasking module 211 and a mask decoding module 207b, which are not described herein.
Similar to the first embodiment, in other embodiments, a mask operation module may be included in the master device, which is not described herein.
Alternatively, similar to the first embodiment, the address decoding module 210, the data decoding module 203, and the mask decoding module 207 may give an alarm signal, which is not described herein.
Detailed description of the preferred embodiments
As a third specific embodiment, optionally, the first device 100 is a master device, and the second device 300 is a slave device, and the description of the master device and the slave device may refer to the corresponding embodiment of fig. 2, which is not repeated herein; the master and the slave are connected by a bus 200, the master being configured to generate a data signal for transmission to the slave, it being understood that the process of generating the data signal for transmission to the slave by the master is the process of initiating a write data operation by the master.
Fig. 15 is a circuit logic structure diagram of a host device of another security chip 30 according to an embodiment of the present application when initiating a data writing operation, where, as shown in fig. 15, the host device includes a mask module 201, a data encoding module 202, and a random number generating module 205.
Wherein, the random number generating module 205 generates a mask signal, the mask module 201 obtains a data signal and the mask signal, and performs a mask operation on the data signal to obtain a mask data signal; specifically, the master device includes the random number generation module 205, and the master device obtains the mask signal from the random number generation module 205 configured inside the master device, so that the security of the process of obtaining the mask signal can be improved, and the risk of the mask signal being attacked by error injection in the transmission process can be reduced.
The mask data signal is subjected to an error detection code encoding operation of the data encoding module 202 configured in the host device, resulting in an encoded mask data signal. Specifically, the data encoding module 202 is configured in the host device, so as to improve the error detection capability of the security chip 30 for data signals. Because the data encoding module 202 is configured in the host device, the error detection code encoding operation can be performed in the host device, so that the mask data signal can be obtained in the host device, and then the error detection code encoding operation can be performed to obtain an encoded mask data signal, which has error detection capability, and can detect an error injection attack in a subsequent transmission process, that is, the security is improved in the subsequent transmission process.
The slave device may include a data decoding module 203a, where the data decoding module 203a obtains an encoded mask data signal, decodes and verifies the encoded mask data signal to obtain a mask data signal, and the verification operation refers to determining whether the data number is attacked in the transmission process according to the encoded mask data signal.
In the above scheme, the master device includes the random number generation module 205, which can improve the security of the master device for obtaining the mask signal, and after the data signal is subjected to the mask operation of the mask module 201 configured in the master device, the data sent by the master device can be ciphertext data, and the data transmitted on the bus 200 is also ciphertext data, so that the leakage of the energy related to the plaintext data can be effectively prevented, and the side channel attack can be further resisted; the mask data signal is subjected to an error detection code encoding operation of the data encoding module 202 configured in the master device to obtain an encoded mask data signal having an error detection capability, and the encoded mask data signal is subjected to a decoding and checking operation of the data decoding module 203a configured in the slave device to determine whether the data signal is attacked during transmission.
Further, the master device includes an address encoding module 209, and the slave device includes an address decoding module 210a; the master device generates an address signal for transmission to the slave device, the address encoding module 209 performs an error detection code encoding operation on the address signal, and transmits the encoded address signal to the address decoding module 210a provided in the slave device through the bus, and the address decoding module 210a performs a decoding and checking operation on the encoded address signal to obtain the address signal.
Specifically, the address decoding module 210a configured in the slave device decodes and verifies the encoded address signal, so as to determine whether the address signal is attacked by error injection before being transmitted to the slave device, thereby improving the security of address signal transmission. Optionally, similar to the embodiment, the bus 200 includes a data decoding module 203b, which is not described herein.
Optionally, the bus 200 may further include a mask decoding module 207b, configured to receive the encoded mask signal, and perform decoding and verification operations on the encoded mask signal, so that the bus 200 may perform real-time verification on the encoded mask signal transmitted on the bus 200, to determine whether the mask signal is attacked in the transmission process, thereby improving the security of mask signal transmission; the bus 200 may further include an address decoding module 210b, configured to receive the encoded address signal, and decode and verify the encoded address signal, so that the bus 200 may perform real-time verification on the encoded address signal transmitted on the bus 200, and determine whether the address signal is attacked in the transmission process, thereby improving the security of address signal transmission.
Optionally, similar to the first embodiment, the slave device may include a demasking module 211 and a mask decoding module 207a for performing subsequent computation or processing on the mask data signal, which will not be described herein.
Optionally, similar to the first embodiment, the slave device may include a mask operation module, which is not described herein.
Alternatively, similar to the first embodiment, the address decoding module 210, the data decoding module 203, and the mask decoding module 207 may give an alarm signal, which is not described herein.
Detailed description of the preferred embodiments
As a fourth embodiment, optionally, the first device 100 is a slave device, and the second device 300 is a master device, and the description of the master device and the slave device may refer to the corresponding embodiment of fig. 2, which is not repeated herein; the master device is connected to the slave device through the bus 200, and the slave device is configured to generate a data signal to be transmitted to the master device.
Fig. 16 is a circuit logic structure diagram of a master device of another security chip 30 according to an embodiment of the present application when initiating a data reading operation, where, as shown in fig. 16, a slave device includes a mask module 201, a data encoding module 202, and a mask decoding module 207a; the master device includes a random number generation module 205 and a mask encoding module 208.
Wherein, the random number generation module 205 configured in the master device generates a mask signal, the mask signal is transmitted to the mask encoding module 208, and the encoded mask signal is obtained through the error detection code encoding operation; the encoded mask signal is transmitted to bus 200;
a mask decoding module 207a configured in the slave device receives the encoded mask signal and performs decoding and checking operations thereon to obtain a mask signal; specifically, the checking operation may determine whether the mask signal is attacked in the transmission process;
a mask module 201 configured in the slave device acquires the data signal and the mask signal, and performs a mask operation on the data signal to obtain a mask data signal;
the data encoding module 202 configured in the slave device acquires the mask data signal, performs an error detection code encoding operation on the mask data signal, and obtains an encoded mask data signal, and the encoded mask data signal is transmitted to the bus 200;
the master device includes a data decoding module 203a, and the data decoding module 203a obtains the encoded mask data signal, decodes and verifies the encoded mask data signal, and obtains the mask data signal.
In the above-described scheme, the slave device includes a mask decoding module 207a that can determine whether the mask signal is attacked during transmission; after the data signal is subjected to the mask operation of the mask module 201 configured in the slave device, the data sent by the slave device can be ciphertext data, and the data transmitted on the bus 200 is also ciphertext data, so that the leakage of the related energy of the plaintext data can be effectively prevented, and the side channel attack can be further resisted; the mask data signal is subjected to an error detection code encoding operation of the data encoding module 202 arranged in the slave device to obtain an encoded mask data signal, which has error detection capability, and the encoded mask data signal is subjected to a decoding and checking operation of the data decoding module 203a arranged in the master device to determine whether the data signal is attacked during transmission.
Further, similar to the third embodiment, the master device includes an address encoding module 209, and the slave device includes an address decoding module 210a, which is not described herein. Optionally, similar to the third embodiment, the bus 200 may include a data decoding module 203b, a mask decoding module 207b and an address decoding module 210b, which are not described herein.
Optionally, similar to the second embodiment, the master device may include a demasking module 211 for performing subsequent computation or processing on the mask data signal, which is not described herein.
Optionally, similar to the second embodiment, a mask operation module may be included in the master device, which is not described herein.
Optionally, similar to the first embodiment, the address decoding module 210, the data decoding module 203, and the mask decoding module 207 may give an alarm signal, which is not described herein.
Alternatively, in the above four embodiments, the master device may send a control signal to the slave device, and the slave device may send a response signal to the master device, similar to the encryption method provided in the first aspect;
optionally, the bus 200 may include a control encoding module, configured to perform an error detection code encoding operation on the control signal to obtain an encoded control signal; the slave device may include a control decoding module for decoding and verifying the encoded control signal to obtain a control signal; the verification operation refers to judging whether the control signal is attacked in the transmission process according to the encoded control signal; specifically, the encoded control signal has error detection capability, and the signal can be decoded and checked by a control decoding module configured in the slave device to judge whether the control signal is attacked in the process of transmitting on the bus, so that the safety of the control signal transmission is improved.
Alternatively, bus 200 may include a response encoding module, similar to bus 200 described above, where a slave may include a control decoding module; the master device may include a response decoding module, which is not described in detail herein.
Alternatively, and optionally, similar to the encryption method provided in the first aspect, in the above four specific embodiments, the master device may generate a control signal for sending a control signal to the slave device, and the slave device may generate a response signal for sending a response signal to the master device;
alternatively, the master device may include a control encoding module and the slave device may include a control decoding module.
Specifically, the main equipment generates a control signal, and the encoded control signal is obtained through the error detection code encoding operation of the control encoding module; the signal is decoded and checked by a control decoding module to obtain a control signal, and the checking operation refers to judging whether the control signal is attacked in the transmission process according to the encoded control signal;
in this embodiment, the control coding module is configured in the master device, so that the error detection code coding operation can be performed after the control signal is generated in the master device, and a coded control signal is obtained, and the signal has error detection capability, so that the security in the subsequent transmission process is improved;
Alternatively, similar to the above-mentioned master device may include a control encoding module, the slave device may include a control decoding module, the slave device may include a response encoding module, and the master device may include a response decoding module, which will not be described herein.
Further, bus 200 may include a control decode module. Specifically, the control decoding module configured on the bus 200 may decode and verify the encoded control signal, so that the bus 200 may perform real-time verification on the encoded control signal transmitted on the bus 200, thereby implementing that whether the control signal is attacked in the transmission process on the bus 200, and improving the security of the control signal transmission.
Further, similar to the bus 200 may include a control decoding module, the bus 200 may include a response decoding module, which is not described herein.
A third aspect of the present application provides a terminal device comprising a processor, and a memory for storing a program for execution by the processor, the program comprising instructions to cause the processor to perform the method of any one of the first aspects.
The functions, the beneficial effects and the like achieved by the method according to any one of the first aspect may be referred to by the terminal device, and the details thereof are not repeated herein.
Those of ordinary skill would appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the present application may be embodied in essence or a part contributing to the prior art or a part of the technical solutions, or in the form of a software product, which is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (22)
1. A method of encrypting a signal, the method comprising:
the first device generating a data signal for transmission to the second device; the first device and the second device are connected through a bus;
the first device obtains a mask signal and obtains a mask data signal according to the mask signal and the data signal;
when the first device is a master device and the second device is a slave device, the master device performs error detection code encoding operation on the mask signal to obtain an encoded mask signal;
when the first device is a slave device and the second device is a master device; the first device acquiring a mask signal includes:
the slave device retrieving the encoded mask signal from the bus;
the slave device decodes the coded mask signal and performs a first check operation to obtain the mask signal, wherein the first check operation is to judge whether the mask signal is attacked in the transmission process according to the coded mask signal;
The mask data signal is subjected to error detection code encoding operation to obtain an encoded mask data signal;
the encoded mask data signal is used for decoding and second checking operations by the second device to obtain the mask data signal; the second checking operation refers to judging whether the data signal is attacked in the transmission process according to the encoded mask data signal.
2. The method of claim 1, wherein,
the mask data signal is subjected to an error detection code encoding operation, and the obtaining of the encoded mask data signal includes:
the first device performs an error detection code encoding operation on the mask data signal to obtain the encoded mask data signal.
3. The method of claim 1, wherein when the first device is a master device and the second device is a slave device; the first device obtaining a mask signal, the obtaining a mask data signal according to the mask signal and the data signal comprising:
the master device obtains the mask signal from the random number generation module, and performs exclusive OR logic operation and/or addition arithmetic operation on the mask signal and the data signal to obtain the mask data signal.
4. The method of claim 1, wherein when the first device is a slave device and the second device is a master device; the first device obtaining a mask signal, the obtaining a mask data signal according to the mask signal and the data signal comprising:
the slave device performs exclusive-or and/or addition arithmetic operations on the mask signal and the data signal to obtain the mask data signal.
5. The method of claim 3, wherein prior to the slave device retrieving the encoded mask signal from the bus, the method comprises:
the master device obtains the mask signal from the random number generation module;
the master device performs error detection code encoding operation on the mask signal to obtain the encoded mask signal, and transmits the encoded mask signal to the bus;
the bus decodes and verifies the encoded mask signal.
6. The method of claim 1, wherein the method further comprises:
the master device generating an address signal for transmission to the slave device;
the master device performs error detection code encoding operation on the address signals and sends the encoded address signals to the slave device;
The bus decodes and verifies the encoded address signals;
and the slave equipment decodes and verifies the encoded address signals to obtain the address signals.
7. The method of claim 2, wherein the first device performs an error detection code encoding operation on the mask data signal to obtain the encoded mask data signal, the method comprising: the bus decodes and verifies the encoded mask data signal.
8. A method of encrypting a signal, the method comprising:
the first device generating a data signal for transmission to the second device; the first device and the second device are connected through a bus;
when the first device is a master device and the second device is a slave device:
the bus acquires a mask signal, and a mask data signal is obtained according to the mask signal and the data signal;
the bus performs error detection code encoding operation on the mask signal to obtain an encoded mask signal;
when the first device is a slave device and the second device is a master device:
The first device obtains a mask signal, and obtains a mask data signal according to the mask signal and the data signal; the first device acquiring a mask signal includes:
the slave device retrieving the encoded mask signal from the bus; the slave device decodes the coded mask signal and performs a first check operation to obtain the mask signal, wherein the first check operation is to judge whether the mask signal is attacked in the transmission process according to the coded mask signal;
the mask data signal is subjected to error detection code encoding operation to obtain an encoded mask data signal;
the encoded mask data signal is used for decoding and second checking operations by the second device to obtain the mask data signal; the second checking operation refers to judging whether the data signal is attacked in the transmission process according to the encoded mask data signal.
9. The method of claim 8, wherein the masking data signal is subjected to an error detection code encoding operation, resulting in an encoded masking data signal comprising:
When the first device is a master device and the second device is a slave device, the bus performs error detection code encoding operation on the mask data signal to obtain an encoded mask data signal;
and when the first equipment is the slave equipment and the second equipment is the master equipment, the slave equipment performs error detection code encoding operation on the mask data signal to obtain an encoded mask data signal.
10. The method of claim 8, wherein when the first device is a master device and the second device is a slave device; the bus acquiring a mask signal, and obtaining a mask data signal according to the mask signal and the data signal includes:
the bus acquires the mask signal from the random number generation module, and performs exclusive OR logic operation and/or addition arithmetic operation on the mask signal and the data signal to obtain the mask data signal.
11. The method of claim 8, wherein prior to the slave device retrieving the encoded mask signal from the bus, the method comprises:
the bus acquires the mask signal from the random number generation module, and performs error detection code encoding operation on the mask signal to obtain the encoded mask signal.
12. The method of claim 8, wherein the method further comprises:
the master device sends an address signal to the slave device;
the bus performs error detection code encoding operation on the address signals to obtain encoded address signals;
and the slave equipment decodes and verifies the encoded address signals to obtain the address signals.
13. The method of claim 9, wherein when the first device is a slave device and the second device is a master device, the slave device performs an error detection code encoding operation on the mask data signal to obtain an encoded mask data signal, and the method comprises: the bus decodes and verifies the encoded mask data signal.
14. An apparatus for encrypting a signal, the apparatus comprising:
a first device for generating a data signal for transmission to a second device, the first device comprising a masking module, a data encoding module;
a second device; for receiving the data signal;
a bus for connecting the first device and the second device and for transmitting the data signal;
The mask module is used for obtaining a mask signal and carrying out mask operation on the data signal to obtain a mask data signal;
when the first device is a master device and the second device is a slave device, the master device comprises a mask encoding module, wherein the mask encoding module is used for performing error detection code encoding operation on the mask signal to obtain an encoded mask signal, and transmitting the encoded mask signal to the bus;
when the first device is a slave device and the second device is a master device, the masking module is configured to obtain a masking signal, where the masking module includes:
the slave device comprises a mask decoding module, wherein the mask decoding module is used for acquiring the coded mask signal from the bus, and performing decoding and first checking operation to obtain the mask signal, and the first checking operation is used for judging whether the mask signal is attacked in the transmission process according to the coded mask signal;
the data coding module is used for performing error detection code coding operation on the mask data signals to obtain coded mask data signals;
the second device further comprises a data decoding module, which is used for decoding and performing a second check operation on the encoded mask data signal to obtain the mask data signal; the second checking operation refers to judging whether the data signal is attacked in the transmission process according to the encoded mask data signal.
15. The apparatus of claim 14, wherein the masking module comprises a logic operation module; the apparatus further includes a random number generation module;
the random number generation module is used for generating a mask signal;
the logic operation module comprises an exclusive OR logic operation module and/or an addition arithmetic operation module; the logic operation module is used for obtaining the mask signal and obtaining the mask data signal according to the data signal and the mask signal.
16. The apparatus of claim 15, wherein the first device is a master device and the second device is a slave device; the first device includes the random number generation module.
17. An apparatus for encrypting a signal, the apparatus comprising:
a first device that generates a data signal for transmission to a second device;
a second device; for receiving the data signal;
a bus for connecting the first device and the second device and for transmitting the data signal;
the mask module is used for obtaining a mask signal and carrying out mask operation on the data signal to obtain a mask data signal;
When the first device is a master device and the second device is a slave device, the bus comprises a mask encoding module, and the mask encoding module is used for performing error detection code encoding operation on the mask signal to obtain an encoded mask signal, and transmitting the encoded mask signal on the bus;
when the first device is a slave device and the second device is a master device, the masking module is configured to obtain a masking signal, where the masking module includes:
the slave device comprises a mask decoding module, wherein the mask decoding module is used for acquiring the coded mask signal from the bus, and performing decoding and first checking operation to obtain the mask signal, and the first checking operation is used for judging whether the mask signal is attacked in the transmission process according to the coded mask signal;
the data coding module is used for performing error detection code coding operation on the mask data signals to obtain coded mask data signals;
the second device further comprises a data decoding module, which is used for decoding and performing a second check operation on the encoded mask data signal to obtain the mask data signal; the second checking operation refers to judging whether the data signal is attacked in the transmission process according to the encoded mask data signal.
18. The apparatus of claim 17, wherein the masking module comprises a logic operation module; the apparatus further includes a random number generation module;
the random number generation module is used for generating a mask signal;
the logic operation module comprises an exclusive OR logic operation module and/or an addition arithmetic operation module; the logic operation module is used for obtaining the mask signal and obtaining the mask data signal according to the data signal and the mask signal.
19. The apparatus of claim 18, wherein the bus comprises the masking module and the data encoding module when the first device is a master device and the second device is a slave device.
20. The apparatus of claim 18, wherein the first device comprises the masking module and the data encoding module when the first device is a slave device and the second device is a master device.
21. The apparatus of claim 19, wherein the bus comprises the random number generation module.
22. A terminal device, comprising:
a processor; and
a memory for storing a program for execution by the processor, the program comprising instructions to cause the processor to perform the method of any one of claims 1-13.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210479158.6A CN114826752B (en) | 2022-04-29 | 2022-04-29 | Signal encryption method, signal encryption device and terminal equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210479158.6A CN114826752B (en) | 2022-04-29 | 2022-04-29 | Signal encryption method, signal encryption device and terminal equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114826752A CN114826752A (en) | 2022-07-29 |
| CN114826752B true CN114826752B (en) | 2024-02-27 |
Family
ID=82512534
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210479158.6A Active CN114826752B (en) | 2022-04-29 | 2022-04-29 | Signal encryption method, signal encryption device and terminal equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114826752B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103246588A (en) * | 2013-05-16 | 2013-08-14 | 中国电子科技集团公司第四十一研究所 | Controller and implementation method for self-checking serial bus |
| CN103746791A (en) * | 2013-12-19 | 2014-04-23 | 广东芬尼克兹节能设备有限公司 | Encryption communication device and method applied to the field of industry |
| CN108073837A (en) * | 2016-11-15 | 2018-05-25 | 华为技术有限公司 | A kind of bus safety guard method and device |
| CN113177210A (en) * | 2021-04-20 | 2021-07-27 | 青芯半导体科技(上海)有限公司 | Chip structure and operation method thereof |
| CN113366871A (en) * | 2019-02-05 | 2021-09-07 | 高通股份有限公司 | Error correction of data packets in short-range wireless communication systems |
| CN113495862A (en) * | 2021-06-29 | 2021-10-12 | 山东华芯半导体有限公司 | Bus bridge device with ECC function |
| CN114077383A (en) * | 2020-08-13 | 2022-02-22 | 爱思开海力士有限公司 | Apparatus and method for sharing data in a data processing system |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP6810348B2 (en) * | 2016-12-16 | 2021-01-06 | 富士通株式会社 | Cryptographic data processing method, cryptographic data processing device and cryptographic data processing program |
-
2022
- 2022-04-29 CN CN202210479158.6A patent/CN114826752B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103246588A (en) * | 2013-05-16 | 2013-08-14 | 中国电子科技集团公司第四十一研究所 | Controller and implementation method for self-checking serial bus |
| CN103746791A (en) * | 2013-12-19 | 2014-04-23 | 广东芬尼克兹节能设备有限公司 | Encryption communication device and method applied to the field of industry |
| CN108073837A (en) * | 2016-11-15 | 2018-05-25 | 华为技术有限公司 | A kind of bus safety guard method and device |
| CN113366871A (en) * | 2019-02-05 | 2021-09-07 | 高通股份有限公司 | Error correction of data packets in short-range wireless communication systems |
| CN114077383A (en) * | 2020-08-13 | 2022-02-22 | 爱思开海力士有限公司 | Apparatus and method for sharing data in a data processing system |
| CN113177210A (en) * | 2021-04-20 | 2021-07-27 | 青芯半导体科技(上海)有限公司 | Chip structure and operation method thereof |
| CN113495862A (en) * | 2021-06-29 | 2021-10-12 | 山东华芯半导体有限公司 | Bus bridge device with ECC function |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114826752A (en) | 2022-07-29 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR101702545B1 (en) | Data authentication method and apparatus thereof | |
| US11301344B2 (en) | Aggregate GHASH-based message authentication code (MAC) over multiple cachelines with incremental updates | |
| US20150082435A1 (en) | Cyclic redundancy check method with protection from side-channel attacks | |
| CN111752743A (en) | Combined secure MAC and device correction using encrypted parity with multiple key domains | |
| US9191030B2 (en) | Memory controller, data storage device, and memory controlling method | |
| US11755406B2 (en) | Error identification in executed code | |
| US20120030543A1 (en) | Protection of application in memory | |
| WO2017053003A1 (en) | Technologies for software attack detection using encoded access intent | |
| CN114826752B (en) | Signal encryption method, signal encryption device and terminal equipment | |
| CN112689837A (en) | Improved detection of laser fault injection attacks on cryptographic devices | |
| US10496301B2 (en) | Sharing a memory between at least two functional entities | |
| US20050289409A1 (en) | Parallel data bus | |
| CN106548098B (en) | Method and system for detecting fault attacks | |
| CN105512560A (en) | Disposable programmable storage chip and control method thereof | |
| CN108572882B (en) | Data storage method and storage device | |
| Ge et al. | Secure memories resistant to both random errors and fault injection attacks using nonlinear error correction codes | |
| US11829231B2 (en) | Methods and systems for generating core dump in a user equipment | |
| US20090024887A1 (en) | Semiconductor storage device, data write method and data read method | |
| EP3907633B1 (en) | System and method for obfuscating opcode commands in a semiconductor device | |
| CN114237492A (en) | Nonvolatile memory protection method and device | |
| CN1210654C (en) | Safety data storage equipment and method for preventing data lest in data transaction system | |
| CN110096909B (en) | Method and system for ensuring stability of EFUSE key | |
| CN109361583B (en) | 1553 bus function safety communication system | |
| CN111752747A (en) | Memory security verification method for enhancing error detection capability | |
| RU2621613C2 (en) | Method and card with chip for information transfer |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |