CN114978682A - Data processing method, device and equipment - Google Patents
Data processing method, device and equipment
- Publication number: CN114978682A
- Application number: CN202210552587.1A
- Authority: CN (China)
- Prior art keywords: task, processing result, result, determining, algorithm
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security
    - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
      - H04L63/1441—Countermeasures against malicious traffic
        - H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
      - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        - H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    - H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
      - H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
      - H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
        - H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
      - H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
        - H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
Abstract
The embodiments of the application provide a data processing method, device and equipment. The method comprises: determining a first task to be executed, the first task comprising a plurality of key logics; executing the first task to obtain an execution result of the first task, wherein after each key logic is executed, a random delay duration within a fixed range is waited; performing redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task; and determining a target processing result of the first task according to the execution result and the redundancy processing result. This improves the effect of resisting fault injection attacks.
Description
Technical Field
The embodiment of the application relates to the field of information security, in particular to a data processing method, device and equipment.
Background
An electronic device may be provided with a security chip, and the security chip must be able to resist fault injection attacks in order to ensure information security. Fault injection is a side channel attack method and generally includes temperature attacks, light attacks, electromagnetic attacks, and the like.
A number of tasks may be preset in the security chip for the electronic device to invoke. In the related art, the security chip and its firmware may be designed to protect tasks in the security chip from fault injection attacks. However, this hardware-based method can resist only some fault injection attacks, so its effect in resisting fault injection attacks is poor.
Disclosure of Invention
The embodiment of the application provides a data processing method, a data processing device and data processing equipment, which are used for improving the effect of resisting fault injection attacks.
In a first aspect, an embodiment of the present application provides a data processing method, including:
determining a first task to be executed, the first task comprising a plurality of key logics;
executing the first task to obtain an execution result of the first task, wherein after each key logic is executed, a random delay duration within a fixed range is waited;
performing redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task;
and determining a target processing result of the first task according to the execution result and the redundancy processing result.
In a possible implementation manner, executing the first task to obtain an execution result of the first task includes:
executing the ith operation logic in the first task;
if the ith operation logic is a key logic, after the ith operation logic is executed, waiting for a random delay duration within the ith fixed range;
wherein i takes the values 1, 2, ..., N in sequence, N is the number of operation logics included in the first task, and N is a positive integer;
and obtaining an execution result of the first task after the Nth operation logic in the first task is executed.
In a possible implementation, after the ith operation logic is executed, waiting for the random delay duration within the ith fixed range includes:
after the ith operation logic is executed, generating a random delay duration value within the ith fixed range by using a random number generator provided in the security chip;
and waiting for the random delay duration within the ith fixed range.
In a possible implementation, waiting for the random delay duration within the ith fixed range includes:
calling a preset delay statement according to the random delay duration value within the ith fixed range, so as to wait for the random delay duration within the ith fixed range.
In a possible implementation manner, performing redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task includes:
and carrying out inverse operation or secondary operation on the first task to obtain the redundancy processing result.
In one possible implementation, performing an inverse operation or a secondary operation on the first task to obtain the redundancy processing result includes:
if the first task is an Advanced Encryption Standard (AES) algorithm, a triple data encryption (3DES) algorithm, an RSA algorithm or an elliptic curve encryption (ECC) algorithm, performing an inverse operation on the first task to obtain the redundancy processing result; and/or,
if the first task is a hash (HASH) algorithm, a hash-based message authentication code (HMAC) algorithm or a message authentication code (CMAC) algorithm based on a symmetric encryption mode, performing a secondary operation on the first task to obtain the redundancy processing result.
In one possible embodiment, the redundancy processing is an inverse operation; determining a target processing result of the first task according to the execution result and the redundancy processing result includes:
if the redundancy processing result is the same as the input parameters corresponding to the execution result, determining that the target processing result is the execution result.
In one possible embodiment, the redundancy processing is a secondary operation; determining a target processing result of the first task according to the execution result and the redundancy processing result includes:
if the redundancy processing result is the same as the execution result, determining that the target processing result is the execution result.
In one possible embodiment, determining a first task to be performed includes:
acquiring a service processing request, wherein the service processing request comprises a service identifier;
determining a preset corresponding relationship, wherein the preset corresponding relationship comprises a plurality of service identifiers and task identifiers corresponding to each service identifier;
and determining the first task according to the service processing request and the preset corresponding relation.
In a possible implementation manner, after determining the target processing result of the first task according to the execution result and the redundant processing result, the method further includes:
and determining a service processing result corresponding to the service processing request according to the target processing result.
In a second aspect, an embodiment of the present application provides a data processing apparatus, including: a first determining module, an executing module, a processing module and a second determining module, wherein,
the first determining module is used for determining a first task to be executed, wherein the first task comprises a plurality of key logics;
the execution module is used for executing the first task to obtain an execution result of the first task; after each key logic is executed, waiting for random delay time within a fixed range;
the processing module is used for performing redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task;
and the second determining module is used for determining a target processing result of the first task according to the execution result and the redundancy processing result.
In a possible implementation manner, the execution module is specifically configured to:
executing the ith operation logic in the first task;
if the ith operation logic is a key logic, after the ith operation logic is executed, waiting for a random delay duration within the ith fixed range;
wherein i takes the values 1, 2, ..., N in sequence, N is the number of operation logics included in the first task, and N is a positive integer;
and obtaining an execution result of the first task after the Nth operation logic in the first task is executed.
In a possible implementation manner, the execution module is specifically configured to:
after the ith operation logic is executed, generating a random delay time length value in an ith fixed range by utilizing a random number generator arranged in a security chip;
and waiting for the random delay time length in the ith fixed range.
In a possible implementation manner, the execution module is specifically configured to:
and calling a preset delay statement according to the value of the random delay time length in the ith fixed range to wait for the random delay time length in the ith fixed range.
In a possible implementation, the processing module is specifically configured to:
and carrying out inverse operation or secondary operation on the first task to obtain the redundancy processing result.
In a possible implementation, the processing module is specifically configured to:
if the first task is an Advanced Encryption Standard (AES) algorithm, a triple data encryption (3DES) algorithm, an RSA algorithm or an elliptic curve encryption (ECC) algorithm, performing an inverse operation on the first task to obtain the redundancy processing result; and/or,
if the first task is a hash (HASH) algorithm, a hash-based message authentication code (HMAC) algorithm or a message authentication code (CMAC) algorithm based on a symmetric encryption mode, performing a secondary operation on the first task to obtain the redundancy processing result.
In a possible implementation manner, the second determining module is specifically configured to:
if the redundancy processing result is the same as the input parameters corresponding to the execution result, determining that the target processing result is the execution result.
In a possible implementation manner, the second determining module is specifically configured to:
if the redundancy processing result is the same as the execution result, determining that the target processing result is the execution result.
In a possible implementation manner, the first determining module is specifically configured to:
acquiring a service processing request, wherein the service processing request comprises a service identifier;
determining a preset corresponding relationship, wherein the preset corresponding relationship comprises a plurality of service identifiers and task identifiers corresponding to each service identifier;
and determining the first task according to the service processing request and the preset corresponding relation.
In a possible embodiment, the data processing device further comprises a third determining module,
and the third determining module is used for determining a service processing result corresponding to the service processing request according to the target processing result.
In a third aspect, an embodiment of the present application provides an electronic device, including: a memory and a processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory, so that the processor performs the data processing method of any one of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, in which computer-executable instructions are stored, and when the computer-executable instructions are executed by a processor, the computer-readable storage medium is configured to implement the data processing method according to any one of the first aspect.
In a fifth aspect, the present application provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the data processing method shown in any one of the first aspect.
In the embodiments of the application, the electronic device may determine a first task to be executed. While executing the first task, after each key logic is executed the device waits for a random delay duration within the fixed range and then executes the next key logic, until the first task has been executed and an execution result is obtained. After the first task is executed, redundancy processing may be performed on the first task to obtain a redundancy processing result. The electronic device may determine a target processing result corresponding to the first task according to the execution result and the redundancy processing result. Because the first task is protected both by waiting for the random delay and by the redundancy processing, the method can prevent precisely timed fault injection attacks, reduce the risk of being attacked by fault injection, further ensure data security when programs run on the security chip, and prevent attacks that obtain sensitive information by stealing the operation results produced under fault injection. Compared with resisting fault injection in a purely hardware-based way, the method improves the effect of resisting fault injection attacks.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic diagram of an application scenario provided in an embodiment of the present application;
Fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of another data processing method according to an embodiment of the present application;
Fig. 4 is a schematic flowchart of another data processing method provided in the embodiment of the present application;
Fig. 5 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of another data processing apparatus according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the above-described figures, if any, are used for distinguishing between similar tasks and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 is a schematic diagram of an application scenario provided in an embodiment of the present application. Referring to Fig. 1, a security chip may be installed in an electronic device, and the security chip may include a plurality of tasks, for example task-1, task-2, task-3, ..., and task-n. Each task may include a plurality of key logics. For example, task-n may include key logic-1, key logic-2, ..., key logic-n.
The electronic device can obtain the service processing request, determine the task to be executed in the security chip according to the service processing request, obtain the execution result of the task, and further obtain the service processing result. For example, the electronic device may determine, in the security chip, that the task to be executed is task-n according to the service processing request. The task-n can be executed to obtain an execution result of the task-n, and a service processing result is obtained according to the execution result of the task-n.
When a task is executed in the security chip, a random delay can be set after each key logic in the task to improve the protection of the task and prevent precisely timed fault injection attacks. For example, after key logic-1 in task-n is executed, delay statement-1 may be executed to wait for a random delay duration.
After the electronic device executes the task, it can perform redundancy processing on the task to obtain a redundancy processing result. Whether a fault injection attack occurred during task execution can be judged from the redundancy processing result, and further processing can be carried out. For example, after task-n has been executed, redundancy processing may be performed on task-n to obtain a redundancy processing result, from which fault injection attacks can be effectively screened.
In the related art, the security chip and its firmware may be designed to protect tasks in the security chip from fault injection attacks. However, this hardware-based method can resist only some fault injection attacks, so its effect is poor and it cannot achieve all-round resistance to fault injection attacks.
In the embodiments of the application, task execution in the security chip is protected by random delay and redundancy processing, which ensures the security of the operation process on the security chip. Compared with resisting fault injection purely in hardware, the method can expand the protection range and improve the effect of resisting fault injection attacks.
The technical means shown in the present application will be described in detail below with reference to specific examples. It should be noted that the following embodiments may exist alone or in combination with each other, and the description of the same or similar contents is not repeated in different embodiments.
Fig. 2 is a schematic flowchart of a data processing method according to an embodiment of the present application. Referring to fig. 2, the method may include:
S201, determining a first task to be executed.
The execution subject of the embodiment of the present application may be an electronic device, and may also be a data processing apparatus provided in the electronic device. The data processing means may be implemented by software, or by a combination of software and hardware. The data processing apparatus may be a processor in an electronic device. For ease of understanding, the following description will be given taking an execution subject as an electronic device as an example.
The electronic device may run a software program based on the security chip. During the execution of the software program, the electronic device may determine a first task to be performed.
The first task may be an algorithm. For example, the first task may be an Advanced Encryption Standard (AES) algorithm, a Triple Data Encryption Standard (3DES) algorithm, an RSA algorithm, an Elliptic Curve Encryption (ECC) algorithm, a hash (HASH) algorithm, a Hash-Based Message Authentication Code (HMAC) algorithm, a symmetric-encryption-based Message Authentication Code (CMAC) algorithm, or the like.
In an alternative embodiment, the first task may be determined by: acquiring a service processing request, wherein the service processing request comprises a service identifier; determining a preset corresponding relation, wherein the preset corresponding relation comprises a plurality of service identifications and task identifications corresponding to each service identification; and determining the first task according to the service processing request and the preset corresponding relation.
The service processing request may be generated when the electronic device runs its own software program, or may be sent by the first device. For example, the service processing request may be a request to decrypt an encrypted file, or may be a transfer message sent by the first device.
The service processing request may include an identification of the service. For example, if the service processing request acquired by the electronic device is to decrypt an encrypted file, the service processing request may include a decryption operation identifier.
The preset corresponding relationship may be a corresponding relationship preset in a software program by a worker. The preset corresponding relationship may include a plurality of service identifiers and a task identifier corresponding to each service identifier. The service identifier and the task identifier are in one-to-one correspondence, and the task identifier can be determined according to the service identifier.
For example, if the preset corresponding relationship includes the decryption operation identifier and the decryption algorithm identifier corresponding to the decryption operation identifier, after the electronic device obtains the decryption operation identifier, the electronic device may determine the decryption algorithm identifier according to the preset corresponding relationship.
The electronic device may determine a first task to be executed according to the service processing request and the preset corresponding relationship. For example, if the service processing request is to decrypt an encrypted file, and the service processing request includes an AES decryption operation identifier, the electronic device may determine, according to the AES decryption operation identifier, a corresponding AES decryption algorithm identifier in a preset correspondence, and further may determine, according to the AES decryption algorithm identifier, an AES algorithm to be executed.
S202, executing the first task to obtain an execution result of the first task; after each key logic is executed, waiting for the random delay time length in the fixed range.
The first task may include a plurality of key logics. For example, the first task may include key logic-1, key logic-2, key logic-3, ..., and key logic-n.
The fixed range is the range of the delay duration and can be preset by a worker according to the requirements on the first task. For example, the fixed range may be 10 ms.
The delay duration may be expressed in milliseconds; for example, the delay duration may be 5 ms.
While executing the first task, the electronic device may wait for a random delay duration after executing each key logic and then execute the next key logic, until the whole first task has been executed and its execution result is obtained.
For example, if the first task is an algorithm including key logic-1, key logic-2, key logic-3, key logic-4, and key logic-5, the electronic device may wait a random 5 ms after executing key logic-1, then execute key logic-2 and wait a random 2 ms after it finishes, and so on until key logic-5 has been executed. At that point the whole algorithm has been executed and its execution result is obtained.
S203, performing redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task.
The redundancy processing may include an inverse operation and a secondary operation. The inverse operation means that the input parameters of the first task are obtained through calculation according to the execution result of the first task. The secondary operation refers to performing the operation again on the first task according to the input parameters of the first task.
For example, in this embodiment of the application, the electronic device may determine the redundancy processing corresponding to the first task according to the characteristic of the first task, and further perform the redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task.
For example, the first task may be an algorithm, and the first task may be classified into a reversible algorithm and an irreversible algorithm according to a characteristic of the first task. The reversible algorithm may include: AES algorithm, 3DES algorithm, RSA algorithm and ECC algorithm; the irreversible algorithm may include: HASH algorithm, HMAC algorithm, CMAC algorithm. The electronic device may determine the redundancy processing corresponding to the first task according to whether the first task is reversible, and further perform the redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task.
Optionally, for scenarios in the first task that involve important data, the electronic device may add a secondary operation to increase the capability of discriminating fault injection attacks.
S204, determining a target processing result of the first task according to the execution result and the redundancy processing result.
The electronic device may compare the execution result and the redundant processing result to determine a target processing result of the first task. If the redundancy processing is inverse operation and the input parameters corresponding to the redundancy processing result and the execution result are the same, determining the target processing result as the execution result; if the redundant processing is a secondary operation and the redundant processing result is the same as the execution result, the target processing result can be determined to be the execution result.
Optionally, after the target processing result is determined, the service processing result corresponding to the service processing request may be determined according to the target processing result.
In this embodiment of the application, the electronic device may determine, according to the service processing request, a first task to be executed. In the process of executing the first task, after each key logic is executed, the delay time length is randomly waited, and then the next key logic is executed until the first task is executed, so that an execution result is obtained. After the first task is executed, redundancy processing may be performed on the first task to obtain a redundancy processing result. The electronic device may determine a target processing result corresponding to the first task according to the execution result and the redundant processing result, and may further determine a service processing result. Because the first task can be protected by randomly waiting for the delay time and the redundancy processing, the method can prevent accurate fault injection attack, reduce the risk of being attacked by the fault injection, further ensure the data security when the program is operated on the security chip, and prevent the attack means of obtaining the sensitive information by stealing the operation result corresponding to the fault injection attack. Compared with a method for resisting fault injection based on a pure hardware mode, the method improves the effect of resisting the fault injection attack.
Next, the above step 202 will be described in further detail with reference to fig. 3 on the basis of the embodiment shown in fig. 2. Fig. 3 is a schematic flow chart of another data processing method according to an embodiment of the present application. Referring to fig. 3, the method may include:
S301, initializing the first task, and initializing i to 1.
Before executing the first task, the electronic device may initialize the parameters in the first task, that is, give the parameters initial values, so as to initialize the context of the first task.
The data format of the parameters may be hexadecimal. For example, the parameter-1 may be 0x5a5a5a5a.
i may be initialized to 1, indicating that execution begins with the 1st key logic in the first task.
S302, executing the ith operation logic in the first task.
The electronic device may determine the N operation logics included in the first task, N being a positive integer.
The ith operation logic to execute may be determined according to the order of the operation logics, where i takes 1, 2, …, and N in sequence. For example, if i is 1, the 1st operation logic may be executed.
S303, generating a random delay duration value in the ith fixed range.
The random delay duration value may be generated as follows: a random delay seed may be generated by a random number generator built into the security chip, and the random delay seed may be randomly changed to generate the random delay duration value.
The random number generator is a device that generates random numbers based on physical hardware such as electronic circuits and converters in a chip.
The random delay seed may be used as an initial value of the random delay duration value. For example, the random delay seed may be the current system time.
For example, the current system time 2022/4/21 14:32 may be used as a random delay seed, the hardware random number generator may randomly change 2022/4/21 14:32 to obtain a random number 5, and 5 may be used as the random delay duration value.
In an optional embodiment, if the ith operation logic is a key logic, after the ith operation logic is executed, a random number generator built into the security chip may be used to generate a random delay duration value in the ith fixed range. For example, if i is 1, the random delay duration value 5 corresponding to the 1st operation logic may be generated after the 1st operation logic is executed.
It should be noted that the random delay duration value generated after the same operation logic is executed at different times is also random. For example, after the 2nd operation logic is executed for the 1st time, the generated random delay duration value may be 5; after the 2nd operation logic is executed for the 2nd time, the generated random delay duration value may be 3.
S304, calling a preset delay statement, and waiting for the random delay duration in the ith fixed range.
After the electronic device generates the random delay duration value, a preset delay statement may be called according to the random delay duration value, so as to wait for the random delay duration in the ith fixed range corresponding to the ith operation logic. For example, if the generated random delay duration value is 5, the electronic device may call the preset delay statement according to the value 5, so as to wait for a random delay duration of 5 ms.
S305, updating i to i + 1.
After the electronic device executes the ith operation logic, i may be updated, and i + 1 is taken as the new i.
For example, if i is equal to 1, after the 1st operation logic is executed, i may be updated to 2, which indicates that execution of the 2nd operation logic starts.
S306, judging whether i is larger than N.
Since i is 1, 2, …, and N in sequence, the maximum value of i is N. The last operation logic executed by the electronic device in the first task is the Nth operation logic.
When the electronic device judges that i is less than or equal to N, S302 is executed; when the electronic device judges that i is larger than N, this indicates that the electronic device has executed the Nth operation logic and the execution of the first task is finished, so that an execution result can be obtained.
In this embodiment of the application, the electronic device may initialize the first task and determine the ith operation logic to execute. After the ith operation logic is executed, a random delay duration value in the ith fixed range may be generated and a preset delay statement may be called to wait for the random delay duration in the ith fixed range corresponding to the ith operation logic; the next operation logic is then executed, until the first task has been executed and an execution result is obtained. Because a random delay duration value can be generated and the preset delay statement can be called to wait for that random delay duration, accurate fault injection attacks can be resisted, data security when the program runs on the security chip can be ensured, and the attack means of obtaining sensitive information by stealing the operation result corresponding to fault injection can be prevented. Compared with a method for resisting fault injection based on a pure hardware mode, the method greatly improves the effect of resisting the fault injection attack.
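The loop of S301 to S306, as an added example that is not code from the patent. The names `hw_rng_read`, `random_delay_ms`, `delay_ms`, `LOOPS_PER_MS`, `op_logic_t` and the three demo steps are hypothetical; a xorshift generator stands in for the chip's hardware random number generator, and drawing the delay uniformly from 1 to the fixed range is this example's choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the security chip's hardware random number generator
 * (assumption): xorshift32 so the example runs on a host. Firmware would
 * read the chip's TRNG instead. */
static uint32_t rng_state = 0x5a5a5a5au;
static uint32_t hw_rng_read(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* S303: uniform draw in 1..range_ms (range_ms >= 1). Rejection sampling
 * avoids the bias a plain modulo would give to small values. */
static uint32_t random_delay_ms(uint32_t range_ms) {
    uint32_t limit = UINT32_MAX - (UINT32_MAX % range_ms);
    uint32_t r;
    do {
        r = hw_rng_read();
    } while (r >= limit);
    return 1u + (r % range_ms);
}

/* S304: stand-in for the preset delay statement. LOOPS_PER_MS is a
 * placeholder that must be calibrated to the chip's core clock. */
#define LOOPS_PER_MS 1000u
static void delay_ms(uint32_t ms) {
    for (volatile uint32_t n = ms * LOOPS_PER_MS; n != 0; n--) { }
}

typedef struct {
    void (*run)(uint32_t *ctx);   /* the ith operation logic */
    int is_key;                   /* non-zero if it is key logic */
    uint32_t range_ms;            /* ith fixed range */
    uint32_t waited_ms;           /* delay used on the last run, for inspection */
} op_logic_t;

/* Executes the N operation logics in order (S302, S305, S306) and waits a
 * fresh random delay after each key logic (S303, S304). */
uint32_t execute_task(op_logic_t *ops, size_t n, uint32_t ctx) {
    for (size_t i = 0; i < n; i++) {
        ops[i].run(&ctx);
        ops[i].waited_ms = 0;
        if (ops[i].is_key) {
            ops[i].waited_ms = random_delay_ms(ops[i].range_ms);
            delay_ms(ops[i].waited_ms);
        }
    }
    return ctx;
}

/* Constructed demo task: three toy steps on a 32-bit context. */
static void step_mask(uint32_t *c)   { *c ^= 0x0000ffffu; }
static void step_rotate(uint32_t *c) { *c = (*c << 8) | (*c >> 24); }
static void step_inc(uint32_t *c)    { *c += 1u; }

op_logic_t demo_ops[3] = {
    { step_mask,   1, 10, 0 },    /* key logic, fixed range 10 ms */
    { step_rotate, 0,  0, 0 },    /* not key logic: no delay */
    { step_inc,    1,  5, 0 },    /* key logic, fixed range 5 ms */
};

uint32_t run_demo(void) {
    return execute_task(demo_ops, 3, 0x5a5a5a5au);  /* S301: initial value */
}

int main(void) {
    printf("result = 0x%08x\n", (unsigned)run_demo());
    for (size_t i = 0; i < 3; i++)
        printf("step %u waited %u ms\n", (unsigned)(i + 1),
               (unsigned)demo_ops[i].waited_ms);
    return 0;
}
```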
Next, based on the embodiment shown in fig. 2, step 203 and step 204 will be described in further detail with reference to fig. 4. Fig. 4 is a schematic flowchart of another data processing method according to an embodiment of the present application. Referring to fig. 4, the method may include:
S401, determining redundancy processing corresponding to the first task.
The redundancy processing corresponding to the first task may be determined according to the type of the first task, and specifically may include the following two cases:
Case 1: if the first task is a reversible algorithm, the redundancy processing corresponding to the first task may be an inverse operation.
For example, if the first task is an AES algorithm, since the AES algorithm is a reversible algorithm, the redundant processing corresponding to the first task may be an inverse operation.
Case 2: if the first task is an irreversible algorithm, the redundancy processing corresponding to the first task may be a secondary operation.
For example, if the first task is a HASH algorithm, since the HASH algorithm is an irreversible algorithm, the redundancy process corresponding to the first task may be a secondary operation.
S402, carrying out redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task.
After determining the redundancy processing corresponding to the first task, the redundancy processing may be performed on the first task, and a redundancy processing result corresponding to the first task is obtained through calculation.
Calculating the redundancy processing result may include the following two cases:
Case 1: if the redundant processing is an inverse operation, the redundant processing result can be calculated according to the execution result corresponding to the first task.
For example, if the first task is the AES algorithm, the corresponding redundancy processing is the inverse operation, and the execution result of the AES algorithm is 1EDC, the inverse operation may be performed on the AES algorithm according to the execution result 1EDC of the AES algorithm. Assuming that the input parameter of the AES algorithm is calculated to be 2AF5, the calculated input parameter 2AF5 may be used as a redundancy processing result.
Case 2: if the redundancy processing is a secondary operation, the redundancy processing result may be calculated according to the input parameter of the first task.
For example, if the first task is a HASH algorithm, the corresponding redundancy processing is a secondary operation, and the input parameter of the HASH algorithm is 2AF1, the HASH algorithm may be subjected to the secondary operation according to the input parameter 2AF1 of the HASH algorithm to obtain a redundancy processing result.
S403, determining a target processing result of the first task according to the execution result and the redundancy processing result.
Determining the target processing result of the first task may include the following 4 cases:
Case 1: if the redundancy processing is inverse operation, the input parameters corresponding to the redundancy processing result and the execution result are the same.
If the input parameters corresponding to the redundant processing result and the execution result are the same, it indicates that the first task has not been subjected to a fault injection attack, and it may be determined that the target processing result of the first task is the execution result.
For example, if the first task is the AES algorithm, the corresponding redundancy processing is the inverse operation, the input parameter of the AES algorithm is 2AF5, and the execution result is 1EDC, the inverse operation may be performed on the AES algorithm according to the execution result 1EDC of the AES algorithm. If the calculated redundancy processing result is 2AF5, it may be determined that the redundancy processing result 2AF5 is the same as the input parameter 2AF5 of the AES algorithm, which indicates that the AES algorithm has not been subjected to fault injection attack, and the execution result is valid, and it may be determined that the target processing result of the AES algorithm is 1EDC.
Case 2: if the redundancy processing is inverse operation, the input parameters corresponding to the redundancy processing result and the execution result are different.
If the input parameters corresponding to the redundant processing result and the execution result are different, it is indicated that the first task is attacked by fault injection, and the execution result is not trusted, and it can be determined that the target processing result of the first task is an error (error).
For example, if the first task is the AES algorithm, the corresponding redundancy processing is the inverse operation, the input parameter of the AES algorithm is 2AF5, the correct execution result is 1EDC, and the actual execution result is 1ED2, the inverse operation may be performed on the AES algorithm according to the actual execution result 1ED2. If the calculated redundancy processing result is 2FD3, it may be determined that the redundancy processing result 2FD3 is different from the input parameter 2AF5 of the AES algorithm, which indicates that the AES algorithm was tampered with while it computed the actual execution result 1ED2 from the input parameter 2AF5, and the actual execution result 1ED2 is not trusted, so that the target processing result of the AES algorithm may be determined to be an error. An error may be returned to indicate that the AES algorithm was tampered with.
Case 3: if the redundancy processing is a secondary operation, the redundancy processing result is the same as the execution result.
If the redundant processing result is the same as the execution result, it indicates that the first task has not been tampered with, and it may be determined that the target processing result of the first task is the execution result.
For example, if the first task is the HASH algorithm, the corresponding redundancy processing is the secondary operation, the input parameter of the HASH algorithm is 2AF1, and the execution result is 2CF5, the secondary operation may be performed on the HASH algorithm according to the input parameter 2AF1 of the HASH algorithm to obtain the redundancy processing result. If the calculated redundant processing result is 2CF5, it may be determined that the redundant processing result 2CF5 is the same as the execution result 2CF5, which indicates that the HASH algorithm has not been attacked by fault injection and the execution result is valid, and it may be determined that the target processing result of the HASH algorithm is the execution result 2CF5.
Case 4: if the redundancy processing is a secondary operation, the redundancy processing result is different from the execution result.
If the redundant processing result is different from the execution result, indicating that the first task is tampered, it may be determined that the target processing result of the first task is an error (error).
For example, if the first task is the HASH algorithm, the corresponding redundancy processing is the secondary operation, the input parameter of the HASH algorithm is 2AF1, the correct execution result is 2CF5, and the actual execution result is 2CE3, the secondary operation may be performed on the HASH algorithm according to the input parameter 2AF1 of the HASH algorithm to obtain the redundancy processing result. If the calculated redundancy processing result is 2DE6, it may be determined that the redundancy processing result 2DE6 is different from the actual execution result 2CE3, which indicates that the HASH algorithm has been subjected to a fault injection attack and the actual execution result 2CE3 is not trusted, so that the target processing result of the HASH algorithm may be determined to be an error. An error may be returned to indicate that the HASH algorithm was attacked by fault injection.
Optionally, in the foregoing cases 1 and 3, the electronic device may determine the target processing result as the service processing result, or may determine the service processing result according to the target processing result.
The service processing result may include displaying the service processing result, and/or sending the service processing result to other devices.
For example, if the service processing request is to decrypt encrypted information, the electronic device may perform a decryption operation on the encrypted information through an AES algorithm to obtain a target processing result, that is, decrypted information, and then the electronic device may use the target processing result as the service processing result, that is, may display the decrypted information.
If the service processing request is the encrypted transfer message sent by the first device, the electronic device may perform decryption operation on the encrypted transfer message through an AES algorithm to obtain a target processing result, that is, the decrypted transfer message, and the electronic device may determine the service processing result according to the target processing result, that is, may send a message of transfer success or failure to the first device according to the decrypted transfer message.
In this embodiment of the application, the electronic device may determine redundancy processing corresponding to the first task, and perform the redundancy processing on the first task to obtain a redundancy processing result. The electronic device may determine a target processing result corresponding to the first task according to the execution result and the redundancy processing result, and may also determine a service processing result according to the target processing result. As the first task can be verified through redundant processing, the capability of detecting fault injection attack is improved, the data security when the program is operated on the security chip is ensured, and the attack means of obtaining sensitive information by stealing the corresponding operation result of fault injection is prevented. Compared with a method for resisting fault injection based on a pure hardware mode, the method greatly improves the effect of resisting the fault injection attack.
Based on any of the above embodiments, the following takes the AES algorithm as an example to process 10 data packets, and further details the data processing method.
If the service processing request acquired by the electronic device is to decrypt 10 data packets, the service identifier is the decryption operation identifier-1, and the corresponding task identifier is the AES algorithm, it may be determined that the first task to be executed is the AES algorithm, and it is determined that 10 data packets need to be processed. The 10 packets may be packet-1, packet-2, packet-3, …, and packet-10, respectively. Assume that data packet-1 to data packet-9 are all 16-byte aligned data packets, and data packet-10 is a non-16-byte aligned data packet.
The electronic device may perform the AES algorithm to perform the processing of the 10 data packets.
Before invoking the AES algorithm, an algorithm interface of the AES may be defined, which may include a plurality of parameters. For example, the algorithm interface may be defined as ise_crypt_err_t crypt_aes, and the parameters may include: algorithm (algo), decryption identifier (decryption), keyword (key), initial vector (iv), input parameter (in), character length of input parameter (in_len), buffer (chk_buf), output parameter (out), character length of output parameter (out_len), and the like.
The in data area can be used for storing input parameters; the out data area may be used to store execution results; the chk_buf data area may be used to store redundancy processing results. The memory space of chk_buf may be filled with hardware random numbers, which prevents external personnel from presetting wrong data.
Optionally, an inverse operation identifier may be set in the AES algorithm to perform the inverse operation, for example, the inverse operation identifier may be invert_decrypt.
Before the AES algorithm is called, validity check can be carried out on the parameters algo, decryption, key, iv and the like, and the validity of the parameters is ensured.
Next, a description will be given of specific procedures for calling the AES algorithm and performing an inverse operation on the AES algorithm, which may include procedure 1, procedure 2, procedure 3, procedure 4, and procedure 5.
In an alternative embodiment, the AES algorithm function may be implemented in three stages. For example, sub-functions such as aes_begin, aes_update, and aes_final may be provided for the electronic device to call. For example, aes_begin may be called to initialize the AES algorithm context; aes_update may be called to perform the encryption operation on data packets other than the last one; aes_final may be called to perform the encryption operation on the last data packet (not 16-byte aligned).
Process 1: the electronic device can call aes_begin to initialize the context of the AES algorithm, that is, different initial values can be given to the parameters in the AES algorithm according to actual needs. For example, the initial value may be 0x5a5a5a5a.
The aes_begin can be set as a key logic, and after the aes_begin is executed, a hardware random number generator can be used to generate a delay duration of 5 ms corresponding to the aes_begin, and a preset delay statement is called to wait for 5 ms.
Process 2: the electronic device can call aes_update to perform encryption operation on the first 9 data packets, and set aes_begin as the key logic.
For any data packet, the electronic device may call the aes_update to perform encryption operation on the data packet, and after each execution of the aes_update, may use a hardware random number generator to generate a delay duration corresponding to the aes_update, and call a preset delay statement to wait for the delay duration.
For example, the electronic device may call aes_update to perform encryption operation on the data packet-1, and after the aes_update is executed, may use a hardware random number generator to generate a delay duration of 3 ms corresponding to the aes_update, and call a preset delay statement to wait for 3 ms; then, the electronic device can call aes_update to perform encryption operation on the data packet-2, and after the aes_update is executed, a hardware random number generator can be used to generate a delay duration of 7 ms corresponding to the aes_update, and a preset delay statement is called to wait for 7 ms; these steps are repeated until the data packet-9 is processed, a delay duration of 1 ms corresponding to the aes_update is generated by using a hardware random number generator, and a preset delay statement is called to wait for 1 ms.
Process 3: since the data packet-10 is a non-16-byte aligned data packet, which is processed in a slightly different manner from the first 9 data packets, the electronic device can call aes_final to perform encryption operation on the data packet-10, and set aes_final as a key logic. After the aes_final is executed, a hardware random number generator can be used to generate a delay duration of 4 ms corresponding to the aes_final, and a preset delay statement is called to wait for 4 ms.
Through the above-mentioned process 1, process 2 and process 3, the AES algorithm may be performed to implement the encryption operation on the 10 data packets, obtain the execution result, and store the execution result in the out data area.
Next, a process of performing an inverse operation of the AES algorithm will be described in detail.
Process 4: because the AES algorithm is a reversible algorithm, it can be determined that the redundant processing corresponding to the AES algorithm is an inverse operation, and then the AES inverse operation can be performed, that is, the process 1, the process 2, and the process 3 can be performed again according to the execution result, and the input parameter of the AES algorithm, that is, the redundant processing result, is obtained by calculation. The redundant processing result may be stored in the chk_buf data area.
Process 5: because the in data area stores the input parameters of the AES algorithm, and the chk_buf data area stores the redundancy processing result, namely the calculated input parameters of the AES algorithm, the data in the in data area can be compared with the data in the chk_buf data area to determine the comparison result. If the compared data are the same, it is indicated that the AES algorithm is not attacked by fault injection, and the target processing result of the AES algorithm can be determined as an execution result. Further, the electronic device may determine a service processing result corresponding to the service processing request according to the execution result. If the compared data are different, the AES algorithm is subjected to fault injection attack, the processing result of the AES algorithm can be determined to be an error (error), and the error can be returned to prompt that the AES algorithm is subjected to fault injection attack.
Optionally, when the data in the in data area is compared with the data in the chk_buf data area, the comparison operation may be set as a key logic, and then a secondary operation may be performed on the comparison operation, so as to improve the capability of discriminating the fault injection attack.
Optionally, if the compared data are different, and it is determined that the target processing result of the AES algorithm is an error (error), random numbers generated by a hardware random number generator may be used to fill the out data area and the chk_buf data area, to prevent the data of the execution result and the redundant processing result from being utilized by external personnel.
It should be noted that the implementation of the sub-functions aes_begin, aes_update, aes_final, etc. can use the data processing method described in the embodiments of fig. 2, fig. 3, and fig. 4 to prevent the AES algorithm from being attacked by fault injection at any position and at any time.
In this embodiment, the electronic device may determine, according to the service processing request, a first task to be executed, a data packet to be executed, and the number of data packets. The electronic device may set key logics in the first task, may randomly generate a delay time after execution of each key logic is completed, call a preset delay statement to wait for the delay time, and then execute the next key logic until the first task is executed, thereby obtaining an execution result. After the first task is executed, redundancy processing may be performed on the first task to obtain a redundancy processing result. The electronic device may determine a target processing result of the first task according to the redundant processing result and the execution result, and may further determine a service processing result. Because the random delay time can be set for the key logic in the first task, the accurate fault injection attack is prevented; the first task can be subjected to redundancy processing, the correctness of the execution result is verified, and the capability of discriminating fault injection attacks is improved, so that the data safety when a program is run on a safety chip is ensured by the random waiting delay time and the data processing method of the redundancy processing, and the attack means of obtaining sensitive information by stealing the corresponding operation result of fault injection is prevented. Compared with a method for resisting fault injection based on a pure hardware mode, the method has the advantage that the effect of resisting the fault injection attack is greatly improved.
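The checks of S401 to S403 and of processes 4 and 5, as an added example that is not code from the patent. A toy reversible transform stands in for AES and 32-bit FNV-1a stands in for HASH; `crypt_checked`, `hash_checked`, `sim_fault_bit` and the other names are hypothetical, and the in, out and chk_buf buffers follow the roles the text gives them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { CRYPT_OK = 0, CRYPT_ERR_FAULT = 1 } crypt_err_t;

/* Stand-in for the hardware random number generator (assumption): an LCG so
 * the example runs on a host. Firmware would read the chip's TRNG instead. */
static uint32_t rng_state = 0x5a5a5a5au;
static void fill_random(uint8_t *p, size_t n) {
    while (n--) {
        rng_state = rng_state * 1664525u + 1013904223u;
        *p++ = (uint8_t)(rng_state >> 24);
    }
}

/* Test hook (constructed): when >= 0, flips that bit of the execution result
 * to emulate a disturbed computation. -1 means no disturbance. */
static int sim_fault_bit = -1;

/* Toy reversible transform standing in for AES. NOT a real cipher. */
static void toy_encrypt(const uint8_t key[16], const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint8_t x = (uint8_t)(in[i] ^ key[i % 16]);
        x = (uint8_t)((x << 3) | (x >> 5));          /* rotate left by 3 */
        out[i] = (uint8_t)(x + i);
    }
}
static void toy_decrypt(const uint8_t key[16], const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint8_t x = (uint8_t)(in[i] - i);
        x = (uint8_t)((x >> 3) | (x << 5));          /* rotate right by 3 */
        out[i] = (uint8_t)(x ^ key[i % 16]);
    }
}

/* Toy irreversible function standing in for HASH: 32-bit FNV-1a. The volatile
 * reads stop the compiler from merging two calls on the same input into one. */
static uint32_t toy_hash(const volatile uint8_t *in, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= in[i]; h *= 16777619u; }
    return h;
}

/* Comparison without early exit; volatile reads keep both passes in the binary. */
static uint8_t diff_bytes(const volatile uint8_t *a, const volatile uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d;
}

/* Reversible task (len > 0): execute, invert into chk_buf, compare with in. */
crypt_err_t crypt_checked(const uint8_t key[16], const uint8_t *in, size_t len,
                          uint8_t *chk_buf, uint8_t *out) {
    fill_random(chk_buf, len);                   /* preset data cannot match */
    toy_encrypt(key, in, out, len);              /* execution result */
    if (sim_fault_bit >= 0)
        out[((size_t)sim_fault_bit / 8) % len] ^= (uint8_t)(1u << (sim_fault_bit % 8));
    toy_decrypt(key, out, chk_buf, len);         /* inverse operation */
    uint8_t d1 = diff_bytes(in, chk_buf, len);
    uint8_t d2 = diff_bytes(chk_buf, in, len);   /* comparison done a second time */
    if ((d1 | d2) != 0) {
        fill_random(out, len);                   /* untrusted result is not released */
        fill_random(chk_buf, len);
        return CRYPT_ERR_FAULT;
    }
    return CRYPT_OK;
}

/* Irreversible task: compute twice from the same input and compare. */
crypt_err_t hash_checked(const uint8_t *in, size_t len, uint32_t *digest) {
    uint32_t first = toy_hash(in, len);          /* execution result */
    if (sim_fault_bit >= 0) first ^= 1u << (sim_fault_bit % 32);
    uint32_t second = toy_hash(in, len);         /* secondary operation */
    if (first != second) return CRYPT_ERR_FAULT; /* digest is left unwritten */
    *digest = first;
    return CRYPT_OK;
}

int main(void) {
    uint8_t key[16] = {0}, in[32], out[32], chk[32];
    uint32_t digest = 0;
    for (size_t i = 0; i < sizeof in; i++) in[i] = (uint8_t)i;  /* constructed input */
    printf("clean:     crypt=%d hash=%d\n", (int)crypt_checked(key, in, 32, chk, out),
           (int)hash_checked(in, 32, &digest));
    sim_fault_bit = 13;
    printf("disturbed: crypt=%d hash=%d\n", (int)crypt_checked(key, in, 32, chk, out),
           (int)hash_checked(in, 32, &digest));
    return 0;
}
```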
Fig. 5 is a schematic structural diagram of a data processing apparatus according to an embodiment of the present application. The data processing device may be a chip or a chip module. Referring to fig. 5, the data processing apparatus may include: a first determination module 11, an execution module 12, a processing module 13, a second determination module 14, wherein,
the first determining module 11 is configured to determine a first task to be executed, where the first task includes multiple critical logics;
the execution module 12 is configured to execute the first task to obtain an execution result of the first task; after each key logic is executed, waiting for random delay time length in a fixed range;
the processing module 13 is configured to perform redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task;
the second determining module 14 is configured to determine a target processing result of the first task according to the execution result and the redundant processing result.
The data processing apparatus provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects thereof are similar, which are not described herein again.
In a possible implementation, the execution module 12 is specifically configured to:
executing the ith operation logic in the first task;
if the ith operation logic is the key logic, after the ith operation logic is executed, waiting for the random delay time length in the ith fixed range;
where i takes the values 1, 2, ..., N in sequence, N is the number of operation logics included in the first task, and N is a positive integer;
and obtaining an execution result of the first task after the Nth operation logic in the first task is executed.
In a possible implementation, the execution module 12 is specifically configured to:
after the ith operation logic is executed, generating a random delay time length value in an ith fixed range by utilizing a random number generator arranged in a security chip;
and waiting for the delay time corresponding to the ith operation logic.
In a possible implementation, the execution module 12 is specifically configured to:
and calling a preset delay statement according to the value of the random delay time length in the ith fixed range to wait for the random delay time length in the ith fixed range.
In a possible implementation, the processing module 13 is specifically configured to:
and carrying out inverse operation or secondary operation on the first task to obtain the redundancy processing result.
In a possible implementation, the processing module 13 is specifically configured to:
if the first task is an Advanced Encryption Standard (AES) algorithm, a triple data encryption (3DES) algorithm, an RSA algorithm and an elliptic curve encryption (ECC) algorithm, performing an inverse operation on the first task to obtain the redundancy processing result; and/or
if the first task is a hash (HASH) algorithm, a hash-based message authentication code (HMAC) algorithm and a message authentication code (CMAC) algorithm based on a symmetric encryption mode, performing a secondary operation on the first task to obtain the redundancy processing result.
In a possible implementation, the second determining module 14 is specifically configured to:
and if the input parameters corresponding to the redundant processing result and the execution result are the same, determining the target processing result as the execution result.
In a possible implementation, the second determining module 14 is specifically configured to:
and if the redundant processing result is the same as the execution result, determining the target processing result as the execution result.
In a possible implementation, the first determining module 11 is specifically configured to:
acquiring a service processing request, wherein the service processing request comprises a service identifier;
determining a preset corresponding relationship, wherein the preset corresponding relationship comprises a plurality of service identifiers and task identifiers corresponding to each service identifier;
and determining the first task according to the service processing request and the preset corresponding relation.
The data processing apparatus provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects thereof are similar and will not be described herein again.
Fig. 6 is a schematic structural diagram of another data processing apparatus according to an embodiment of the present application. The data processing device may be a chip or a chip module. On the basis of the embodiment shown in fig. 5, the data processing device further comprises a third determination module 15,
the third determining module 15 is configured to determine a service processing result corresponding to the service processing request according to the target processing result.
The data processing apparatus provided in the embodiment of the present application may execute the technical solutions shown in the foregoing method embodiments, and the implementation principles and beneficial effects thereof are similar and will not be described herein again.
Referring to fig. 7, the electronic device 20 may include a processor 21 and a memory 22. The processor 21, the memory 22, and the various parts are illustratively interconnected by a bus 23.
The memory 22 stores computer-executable instructions;
the processor 21 executes computer-executable instructions stored by the memory 22, so that the processor 21 performs the data processing method as shown in the above-described method embodiments.
All or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The aforementioned program may be stored in a readable memory. When executed, the program performs the steps of the method embodiments described above; and the aforementioned memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid state disk, magnetic tape, floppy disk, optical disc, and any combination thereof.
Accordingly, the present application provides a computer-readable storage medium in which computer-executable instructions are stored; when the computer-executable instructions are executed by a processor, they implement the data processing method described in the above method embodiments.
Accordingly, the present application may also provide a computer program product, which includes a computer program, and when the computer program is executed by a processor, the data processing method shown in the foregoing method embodiments may be implemented.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications can be made in the embodiments of the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the embodiments of the present application fall within the scope of the claims of the present application and their equivalents, the present application is also intended to encompass such modifications and variations.
In the present application, the term "include" and variations thereof may refer to non-limiting inclusion; the term "or" and variations thereof may mean "and/or". The terms "first," "second," and the like in this application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. In the present application, "a plurality" means two or more. "And/or" describes the association relationship of the associated objects, meaning that there may be three relationships; e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
Claims (13)
1. A data processing method, comprising:
determining a first task to be performed, the first task comprising a plurality of critical logic;
executing the first task to obtain an execution result of the first task, and, after each key logic is executed, waiting for a random delay time length within a fixed range;
performing redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task;
and determining a target processing result of the first task according to the execution result and the redundancy processing result.
2. The method of claim 1, wherein executing the first task to obtain a result of the execution of the first task comprises:
executing the ith operation logic in the first task;
if the ith operation logic is the key logic, after the ith operation logic is executed, waiting for the random delay time length in the ith fixed range;
wherein i takes the values 1, 2, ..., N in sequence, N is the number of operation logics included in the first task, and N is a positive integer;
and obtaining an execution result of the first task after the Nth operation logic in the first task is executed.
3. The method of claim 2, wherein waiting for the random delay time length in the ith fixed range after the ith operation logic is executed comprises:
after the ith operation logic is executed, generating a random delay time length value in an ith fixed range by utilizing a random number generator arranged in a security chip;
and waiting for the random delay time length in the ith fixed range.
4. The method of claim 3, wherein waiting for the random delay duration within the ith fixed range comprises:
and calling a preset delay statement according to the value of the random delay time length in the ith fixed range to wait for the random delay time length in the ith fixed range.
5. The method according to any one of claims 1 to 4, wherein performing redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task comprises:
and carrying out inverse operation or secondary operation on the first task to obtain the redundancy processing result.
6. The method of claim 5, wherein performing an inverse operation or a secondary operation on the first task to obtain the redundancy processing result comprises:
if the first task is an Advanced Encryption Standard (AES) algorithm, a triple data encryption (3DES) algorithm, an RSA algorithm and an elliptic curve encryption (ECC) algorithm, performing an inverse operation on the first task to obtain the redundancy processing result; and/or
if the first task is a hash (HASH) algorithm, a hash-based message authentication code (HMAC) algorithm and a message authentication code (CMAC) algorithm based on a symmetric encryption mode, performing a secondary operation on the first task to obtain the redundancy processing result.
7. The method of any of claims 1-6, wherein the redundant processing is an inverse operation; determining a target processing result of the first task according to the execution result and the redundancy processing result, including:
and if the input parameters corresponding to the redundant processing result and the execution result are the same, determining the target processing result as the execution result.
8. The method of any of claims 1-6, wherein the redundant processing is a secondary operation; determining a target processing result of the first task according to the execution result and the redundancy processing result, including:
and if the redundant processing result is the same as the execution result, determining the target processing result as the execution result.
9. The method of any of claims 1-8, wherein determining the first task to be performed comprises:
acquiring a service processing request, wherein the service processing request comprises a service identifier;
determining a preset corresponding relationship, wherein the preset corresponding relationship comprises a plurality of service identifiers and task identifiers corresponding to each service identifier;
and determining the first task according to the service processing request and the preset corresponding relation.
10. The method of claim 9, wherein after determining the target processing result of the first task based on the execution result and the redundant processing result, further comprising:
and determining a service processing result corresponding to the service processing request according to the target processing result.
11. A data processing apparatus, comprising: a first determining module, an executing module, a processing module and a second determining module, wherein,
the first determining module is used for determining a first task to be executed, wherein the first task comprises a plurality of key logics;
the execution module is used for executing the first task to obtain an execution result of the first task, and, after each key logic is executed, waiting for a random delay time length within a fixed range;
the processing module is used for performing redundancy processing on the first task to obtain a redundancy processing result corresponding to the first task;
and the second determining module is used for determining a target processing result of the first task according to the execution result and the redundancy processing result.
12. An electronic device, comprising: a memory and a processor;
the memory stores computer execution instructions;
the processor executing computer-executable instructions stored by the memory causes the processor to perform the data processing method of any of claims 1 to 10.
13. A computer-readable storage medium having stored thereon computer-executable instructions for implementing the data processing method of any one of claims 1 to 10 when executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210552587.1A CN114978682A (en) | 2022-05-20 | 2022-05-20 | Data processing method, device and equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114978682A true CN114978682A (en) | 2022-08-30 |
Family
ID=82984845
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210552587.1A Pending CN114978682A (en) | 2022-05-20 | 2022-05-20 | Data processing method, device and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114978682A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110798366A (en) * | 2018-08-01 | 2020-02-14 | 阿里巴巴集团控股有限公司 | Task logic processing method, device and equipment |
CN112529462A (en) * | 2020-12-24 | 2021-03-19 | 平安普惠企业管理有限公司 | Service verification method, device, server and storage medium |
CN113434887A (en) * | 2021-07-06 | 2021-09-24 | 中国银行股份有限公司 | APP service data processing method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10148442B2 (en) | End-to-end security for hardware running verified software | |
EP3362939B1 (en) | Migrating secrets using hardware roots of trust for devices | |
EP3179690A1 (en) | Mobile device having trusted execution environment | |
US9443107B2 (en) | Method for protecting the integrity of a group of memory elements using an aggregate authentication code | |
CN103797489A (en) | System and method for securely binding and node-locking program execution to a trusted signature authority | |
KR102218572B1 (en) | Processing method for preventing replication attacks, and server and client | |
US20220237287A1 (en) | Method for Securing Against Fault Attacks a Verification Algorithm of a Digital Signature of a Message | |
CN109753788B (en) | Integrity checking method and computer readable storage medium during kernel operation | |
CN110069415A (en) | For in software test procedure software integrity verification and method for testing software | |
EP3525126A1 (en) | Firmware integrity test | |
US10404718B2 (en) | Method and device for transmitting software | |
CN115357908B (en) | Network equipment kernel credibility measurement and automatic restoration method | |
CN114978682A (en) | Data processing method, device and equipment | |
US11902412B2 (en) | Fault attack resistant cryptographic systems and methods | |
CN111400771A (en) | Target partition checking method and device, storage medium and computer equipment | |
EP3507737B1 (en) | Preserving protected secrets across a secure boot update | |
WO2023216077A1 (en) | Attestation method, apparatus and system | |
CN116484379A (en) | System starting method, system comprising trusted computing base software, equipment and medium | |
CN115580393A (en) | Privacy data calculation method and device based on homomorphic encryption | |
CN111814157B (en) | Data security processing system, method, storage medium, processor and hardware security card | |
US11784790B2 (en) | Method for operating keystream generators for secure data transmission, the keystream generators being operated in counter mode, keystream generator having counter mode operation for secure data transmission, and computer program product for keystream generation | |
Zhang et al. | CM-Droid: Secure Container for Android Password Misuse Vulnerability. | |
CN114615075B (en) | Software tamper-proof system and method of controller and storage medium | |
CN113553125B (en) | Method, device and equipment for calling trusted application program and computer storage medium | |
US12088722B2 (en) | Method for executing a computer program by means of an electronic apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||