CN115296795A - A hybrid encryption information processing and communication on-chip system and method - Google Patents

A hybrid encryption information processing and communication on-chip system and method Download PDF

Info

Publication number
CN115296795A
CN115296795A CN202210761754.3A CN202210761754A CN115296795A CN 115296795 A CN115296795 A CN 115296795A CN 202210761754 A CN202210761754 A CN 202210761754A CN 115296795 A CN115296795 A CN 115296795A
Authority
CN
China
Prior art keywords
encryption
communication
file
decryption
algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210761754.3A
Other languages
Chinese (zh)
Inventor
李圣龙
刘波
高瑛珂
彭宇
赵云富
刘奇
孙川川
杨正
华更新
王骕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Control Engineering
Original Assignee
Beijing Institute of Control Engineering
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Institute of Control Engineering filed Critical Beijing Institute of Control Engineering
Priority to CN202210761754.3A priority Critical patent/CN115296795A/en
Publication of CN115296795A publication Critical patent/CN115296795A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/045Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/06Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04SSYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

A system and a method for processing mixed encryption information and a communication chip are designed based on a hardware mixed encryption idea, adopt an SM2/SM3/SM4 encryption and decryption calculation method which accords with the national encryption standard, and have the characteristics of high encryption and decryption operation speed, no increase of the task burden of a processor, difficulty in being broken by violence and the like compared with the traditional information encryption method based on software. The method solves the problems that the task load of a processor is increased, the processor is easy to be attacked and cracked by hardware violence and the like in the traditional software-based information encryption method, is suitable for being applied to intelligent control systems in key fields of aerospace, intelligent power grids, high-speed rail ships and the like, and can also be popularized and applied to the commercial information security fields of intelligent gateways, intelligent door locks and the like.

Description

一种混合加密信息处理与通信片上系统及方法System and method on a hybrid encryption information processing and communication chip

技术领域technical field

本发明涉及一种混合加密信息处理与通信片上系统及方法,属于信息安全技术领域。The invention relates to a hybrid encrypted information processing and communication on-chip system and method, belonging to the technical field of information security.

背景技术Background technique

现代控制系统网络化、信息化、智能化的发展趋势为信息安全带来了新的安全隐患,无论是星载控制系统,或是智能电网控制系统、高速铁路控制系统等,一旦信息系统被不法分子攻击破坏甚至被接管,将严重威胁整个系统的安全运行甚至造成巨大的物理破坏。因此,必须在信息系统中加入加密信息身份鉴别机制和文件校验机制,增强控制系统的信息安全保护能力。The development trend of modern control system networking, informatization, and intelligence has brought new security risks to information security. Whether it is an onboard control system, a smart grid control system, or a high-speed railway control system, once the information system is illegal Molecular attacks, destruction or even takeover will seriously threaten the safe operation of the entire system and even cause huge physical damage. Therefore, it is necessary to add encrypted information identification mechanism and file verification mechanism in the information system to enhance the information security protection ability of the control system.

传统的基于软件的信息加密方法具有设计灵活、成本低的特点,但也存在着处理器任务负载加重、易被硬件暴力攻击和破解等弊端。本发明提出了一种面向信息安全的基于硬件混合加密算法的片上系统及方法,具有加解密运行速度快、不增加处理器任务负担、不易被暴力攻破等特点。The traditional software-based information encryption method has the characteristics of flexible design and low cost, but there are also disadvantages such as increased processor task load and easy hardware brute force attack and cracking. The invention proposes an information security-oriented on-chip system and method based on a hardware hybrid encryption algorithm, which has the characteristics of fast encryption and decryption operation speed, no increase in processor task burden, and difficult to be broken by violence.

发明内容Contents of the invention

本发明解决的技术问题是:克服现有技术的不足,提供了一种混合加密信息处理与通信片上系统及方法,具有加解密运行速度快、不增加处理器任务负担、不易被暴力攻破等特点。进一步,本发明解决了传统的基于软件的信息加密方法中处理器任务负载加重、易被硬件暴力攻击和破解等问题。The technical problem solved by the present invention is: to overcome the deficiencies of the prior art, to provide a mixed encryption information processing and communication on-chip system and method, which has the characteristics of fast encryption and decryption operation speed, no increase of processor task burden, and difficult to be broken by violence. . Further, the present invention solves the problems of the traditional software-based information encryption method, such as heavy processor task load, easy to be attacked and cracked by hardware violence, and the like.

本发明的技术解决方案是:一种混合加密信息处理与通信片上系统,包括异构多核处理器、存储器控制器、通信系统、加解密协处理器和系统总线;The technical solution of the present invention is: a mixed encrypted information processing and communication system-on-chip, including a heterogeneous multi-core processor, a memory controller, a communication system, an encryption and decryption coprocessor, and a system bus;

所述异构多核处理器通过执行预定设计步骤的软件,实现系统混合加密信息处理与通信的过程控制和任务调度;The heterogeneous multi-core processor implements the process control and task scheduling of the mixed encryption information processing and communication of the system by executing the software of predetermined design steps;

所述存储器控制器,用于存储发送或者接收的数据和文件信息;The memory controller is used to store sent or received data and file information;

所述通信系统,用于不同模块之间发送或者接收经过加密处理的数据和文件信息;The communication system is used for sending or receiving encrypted data and file information between different modules;

所述加解密协处理器,包括真随机数发生器和加解密模块;所述真随机数发生器用于随机生成初始通信密钥,所述加解密模块用于信息处理中的符合商用密码加解密规范的计算;The encryption and decryption coprocessor includes a true random number generator and an encryption and decryption module; the true random number generator is used to randomly generate an initial communication key, and the encryption and decryption module is used for encryption and decryption in compliance with commercial ciphers in information processing Normative calculations;

所述系统总线,用于各模块之间的数据和文件信息传递。The system bus is used for data and file information transfer between modules.

进一步地,所述真随机数发生器采用物理热噪声的方法生成初始密钥。Further, the true random number generator generates the initial key by means of physical thermal noise.

进一步地,所述加解密模块设有若干个,均采用符合国家商用密码算法标准的自主硬件逻辑实现。Further, there are several encryption and decryption modules, all of which are implemented by independent hardware logic that conforms to the national commercial encryption algorithm standard.

进一步地,所述系统总线采用支持系统内部安全访问方式的实现机制。Further, the system bus adopts an implementation mechanism that supports internal security access methods of the system.

根据所述的一种混合加密信息处理与通信片上系统实现的身份鉴别和数据加密通信方法,包括:According to the identity authentication and data encryption communication method realized by the mixed encryption information processing and communication system-on-chip, it includes:

发送节点使用真随机数发生器随机生成通信密钥KEY1;The sending node uses a true random number generator to randomly generate the communication key KEY1;

准备身份鉴别信息,采用第一加解密算法对通信数据ID1使用通信密钥KEY1进行加密,得到加密身份鉴别信息ID2;Prepare identity authentication information, use the first encryption and decryption algorithm to encrypt the communication data ID1 using the communication key KEY1, and obtain the encrypted identity authentication information ID2;

采用第二加解密算法对通信密钥KEY1进行加密得到KEY2;Using the second encryption and decryption algorithm to encrypt the communication key KEY1 to obtain KEY2;

通过通信系统将加密身份ID2和密钥KEY2发送至接收节点;Send the encrypted identity ID2 and key KEY2 to the receiving node through the communication system;

接收节点接收到身份鉴别信息后,采用第二加解密算法对KEY2进行解密得到通信密钥KEY1;After receiving the identity authentication information, the receiving node uses the second encryption and decryption algorithm to decrypt KEY2 to obtain the communication key KEY1;

采用第一加解密算法对加密身份ID2使用通信密钥KEY1进行解密得到通信数据ID1;Using the first encryption and decryption algorithm to decrypt the encrypted identity ID2 using the communication key KEY1 to obtain the communication data ID1;

判断ID1为有效身份,将其加入通信网络节点。Judging that ID1 is a valid identity, add it to the communication network node.

进一步地,所述第一加解密算法为SM4算法,所述第二加解密算法为SM2算法。Further, the first encryption and decryption algorithm is the SM4 algorithm, and the second encryption and decryption algorithm is the SM2 algorithm.

根据所述的一种混合加密信息处理与通信片上系统实现的数据文件有效性通信与校验方法,包括:According to the described hybrid encryption information processing and communication system-on-chip implementation of data file validity communication and verification method, comprising:

使用真随机数发生器随机生成通信密钥KEY1;Use a true random number generator to randomly generate the communication key KEY1;

准备通信文件FILE,采用第三加解密算法生成FILE的杂凑值HASH1;Prepare the communication file FILE, and use the third encryption and decryption algorithm to generate the hash value HASH1 of the FILE;

采用第一加解密算法对杂凑值HASH1使用通信密钥KEY1进行加密,得到加密杂凑值HASH2;Using the first encryption and decryption algorithm to encrypt the hash value HASH1 using the communication key KEY1 to obtain the encrypted hash value HASH2;

采用第二加解密算法对通信密钥KEY1进行加密得到KEY2;Using the second encryption and decryption algorithm to encrypt the communication key KEY1 to obtain KEY2;

通过通信系统将通信文件FILE、加密杂凑值HASH2和密钥HASH2发送至接收节点;Send the communication file FILE, encrypted hash value HASH2 and key HASH2 to the receiving node through the communication system;

接收节点接收到通信文件后,采用第二加解密算法对KEY2进行解密得到通信密钥KEY1;After receiving the communication file, the receiving node uses the second encryption and decryption algorithm to decrypt KEY2 to obtain the communication key KEY1;

采用第一加解密算法对加密杂凑值HASH2使用通信密钥KEY1进行解密得到杂凑值HASH1;Using the first encryption and decryption algorithm to decrypt the encrypted hash value HASH2 using the communication key KEY1 to obtain the hash value HASH1;

采用第三加解密算法对接收到的通信文件FILE与杂凑值HASH1进行校验,若一致则判断通信文件有效可以采用,若不一致则通信文件无效不可采用。The third encryption and decryption algorithm is used to check the received communication file FILE and the hash value HASH1. If they are consistent, the communication file is judged to be valid and can be used. If not, the communication file is invalid and cannot be used.

进一步地,所述第一加解密算法为SM4算法,所述第二加解密算法为SM2算法,所述第三加解密算法为SM3算法。Further, the first encryption and decryption algorithm is the SM4 algorithm, the second encryption and decryption algorithm is the SM2 algorithm, and the third encryption and decryption algorithm is the SM3 algorithm.

一种计算机可读存储介质,所述的计算机可读存储介质存储有计算机程序,其特征在于,所述的计算机程序被处理器执行时实现所述身份鉴别和数据加密通信方法或数据文件有效性通信与校验方法的步骤。A computer-readable storage medium, the computer-readable storage medium stores a computer program, and is characterized in that, when the computer program is executed by a processor, the identity authentication and data encryption communication method or the validity of the data file are realized The steps of the communication and verification method.

一种混合加密信息处理与通信设备,包括存储器、处理器以及存储在所述存储器中并可在所述处理器上运行的计算机程序,其特征在于:所述的处理器执行所述的计算机程序时实现所述身份鉴别和数据加密通信方法或数据文件有效性通信与校验方法的步骤。A hybrid encrypted information processing and communication device, comprising a memory, a processor, and a computer program stored in the memory and operable on the processor, characterized in that: the processor executes the computer program The step of implementing the identity authentication and data encryption communication method or the data file validity communication and verification method.

本发明与现有技术相比的优点在于:The advantage of the present invention compared with prior art is:

(1)本发明将硬件混合加解密协处理器在片上系统架构上集成实现,加解密协处理器包含了真随机数发生器,保证了密钥产生的真随机性,同时采用符合国密标准的SM2/SM3/SM4加解密计算方法,也保证了产品的通用性;(1) The present invention integrates the hardware hybrid encryption and decryption coprocessor on the system-on-chip architecture. The encryption and decryption coprocessor includes a true random number generator, which ensures the true randomness of key generation. The unique SM2/SM3/SM4 encryption and decryption calculation method also ensures the versatility of the product;

(2)本发明中信息安全实现方法中,有序地调度真随机数发生器、符合国密标准的SM2/SM3/SM4加解密算法,实现了身份鉴别、数据加密通信和数据文件有效性校验等任务。(2) In the implementation method of information security in the present invention, the true random number generator and the SM2/SM3/SM4 encryption and decryption algorithm that meet the national secret standard are scheduled in an orderly manner, and identity authentication, data encryption communication and data file validity verification are realized. testing and other tasks.

附图说明Description of drawings

图1为本发明一种混合加密信息处理与通信片上系统及方法原理示意图;Fig. 1 is a schematic diagram of the principle of a hybrid encryption information processing and communication system-on-chip and method of the present invention;

图2为本发明一种混合加密信息处理与通信片上系统及方法身份鉴别和数据加密通信任务流程图;Fig. 2 is a kind of hybrid encrypted information processing and communication on-chip system and method identity authentication and data encryption communication task flowchart of the present invention;

图3为本发明一种混合加密信息处理与通信片上系统及方法数据文件有效性校验任务流程图。Fig. 3 is a flow chart of a hybrid encrypted information processing and communication system-on-a-chip and a method for verifying the validity of data files according to the present invention.

具体实施方式Detailed ways

为了更好的理解上述技术方案,下面通过附图以及具体实施例对本申请技术方案做详细的说明,应当理解本申请实施例以及实施例中的具体特征是对本申请技术方案的详细的说明,而不是对本申请技术方案的限定,在不冲突的情况下,本申请实施例以及实施例中的技术特征可以相互组合。In order to better understand the above technical solutions, the technical solutions of the present application will be described in detail below through the accompanying drawings and specific examples. It should be understood that the embodiments of the present application and the specific features in the examples are detailed descriptions of the technical solutions of the present application, and It is not a limitation to the technical solutions of the present application, and the embodiments of the present application and the technical features in the embodiments can be combined without conflict.

以下结合说明书附图对本申请实施例所提供的一种混合加密信息处理与通信片上系统及方法做进一步详细的说明,具体实现方式可以包括(如图1~3所示):异构多核处理器、存储器控制器、通信系统、加解密协处理器和系统总线;A hybrid encrypted information processing and communication on-chip system and method provided by the embodiment of the present application will be further described in detail below in conjunction with the accompanying drawings. The specific implementation methods may include (as shown in Figures 1-3): heterogeneous multi-core processors , memory controller, communication system, encryption and decryption coprocessor and system bus;

所述异构多核处理器通过执行预定设计步骤的软件,实现系统混合加密信息处理与通信的过程控制和任务调度;所述存储器控制器,用于存储发送或者接收的数据和文件信息;所述通信系统,用于不同模块之间发送或者接收经过加密处理的数据和文件信息;所述加解密协处理器,包括真随机数发生器和加解密模块;所述真随机数发生器用于随机生成初始通信密钥,所述加解密模块用于信息处理中的符合商用密码加解密规范的计算;所述系统总线,用于各模块之间的数据和文件信息传递。The heterogeneous multi-core processor realizes the process control and task scheduling of mixed encrypted information processing and communication of the system by executing the software of predetermined design steps; the memory controller is used to store the data and file information sent or received; the The communication system is used for sending or receiving encrypted data and file information between different modules; the encryption and decryption coprocessor includes a true random number generator and an encryption and decryption module; the true random number generator is used for randomly generating The initial communication key, the encryption and decryption module is used for calculation in accordance with commercial encryption and decryption specifications in information processing; the system bus is used for data and file information transfer between modules.

进一步的,在一种可能实现的方式中,所述真随机数发生器采用物理热噪声的方法实现满足独立性和随机性的初始密钥。Further, in a possible implementation manner, the true random number generator implements an initial key satisfying independence and randomness by using a method of physical thermal noise.

可选的,在一种可能实现的方式中,所述加解密模块设有若干个,均采用符合国家商用密码算法标准的自主硬件逻辑实现。Optionally, in a possible implementation manner, there are several encryption and decryption modules, all of which are implemented by independent hardware logic that conforms to the national commercial encryption algorithm standard.

进一步,在一种可能实现的方式中,所述系统总线采用支持系统内部安全访问方式的实现机制。Further, in a possible implementation manner, the system bus adopts an implementation mechanism that supports a secure access manner within the system.

在本申请实施例所提供的方案中,如图1所示本发明一种混合加密信息处理与通信片上系统及方法原理示意图,本发明方法在片上系统内部集成了真随机数发生器、符合国密标准的SM2/SM3/SM4加解密模块,能够完成身份鉴别、数据加密通信和数据文件有效性校验的信息安全任务。下面结合附图对本发明方法进行详细说明,如图2所示本发明身份鉴别和数据加密通信任务包括如下步骤:In the solution provided by the embodiment of the present application, as shown in Figure 1, a schematic diagram of the principle of a mixed encryption information processing and communication system-on-chip and method of the present invention, the method of the present invention integrates a true random number generator inside the system-on-chip, conforming to the national Encryption standard SM2/SM3/SM4 encryption and decryption modules can complete the information security tasks of identity authentication, data encryption communication and data file validity verification. Below in conjunction with accompanying drawing, the method of the present invention is described in detail, as shown in Figure 2, the identity authentication and data encryption communication tasks of the present invention include the following steps:

步骤1、发送节点使用真随机数发生器随机生成通信密钥KEY1;Step 1. The sending node uses a true random number generator to randomly generate the communication key KEY1;

步骤2、准备身份鉴别信息(数据加密通信流程相同),采用SM4算法对通信数据ID1使用通信密钥KEY1进行加密,得到加密身份鉴别信息ID2;Step 2, preparing identity authentication information (data encryption communication process is the same), using SM4 algorithm to encrypt communication data ID1 using communication key KEY1, to obtain encrypted identity authentication information ID2;

步骤3、采用SM2算法对通信密钥KEY1进行加密得到KEY2;Step 3, using the SM2 algorithm to encrypt the communication key KEY1 to obtain KEY2;

步骤4、通过通信系统将加密身份ID2和密钥KEY2发送至接收节点;Step 4. Send the encrypted identity ID2 and key KEY2 to the receiving node through the communication system;

步骤5、接收节点接收到身份鉴别信息后,采用SM2算法对KEY2进行解密得到通信密钥KEY1;Step 5. After receiving the identity authentication information, the receiving node uses the SM2 algorithm to decrypt KEY2 to obtain the communication key KEY1;

步骤6、采用SM4算法对加密身份ID2使用通信密钥KEY1进行解密得到通信数据ID1;Step 6, using the SM4 algorithm to decrypt the encrypted identity ID2 using the communication key KEY1 to obtain the communication data ID1;

步骤7、判断ID1为有效身份,将其加入通信网络节点。Step 7, judging that ID1 is a valid identity, and adding it to the communication network node.

如图3所示本发明数据文件有效性校验任务包括如下步骤:As shown in Figure 3, the data file validity verification task of the present invention comprises the following steps:

步骤1、使用真随机数发生器随机生成通信密钥KEY1;Step 1. Use a true random number generator to randomly generate the communication key KEY1;

步骤2、准备通信文件FILE(通讯指令、数据、图像、文件等,统称为文件),采用SM3杂凑算法生成FILE的杂凑值HASH1;Step 2, prepare the communication file FILE (communication instructions, data, images, files, etc., collectively referred to as files), and use the SM3 hash algorithm to generate the hash value HASH1 of the FILE;

步骤3、采用SM4算法对杂凑值HASH1使用通信密钥KEY1进行加密,得到加密杂凑值HASH2;Step 3. Use the SM4 algorithm to encrypt the hash value HASH1 using the communication key KEY1 to obtain the encrypted hash value HASH2;

步骤4、采用SM2算法对通信密钥KEY1进行加密得到KEY2;Step 4, using the SM2 algorithm to encrypt the communication key KEY1 to obtain KEY2;

步骤5、通过通信系统将通信文件FILE、加密杂凑值HASH2和密钥HASH2发送至接收节点;Step 5. Send the communication file FILE, the encrypted hash value HASH2 and the key HASH2 to the receiving node through the communication system;

步骤6、接收节点接收到通信文件后,采用SM2算法对KEY2进行解密得到通信密钥KEY1;Step 6. After receiving the communication file, the receiving node uses the SM2 algorithm to decrypt KEY2 to obtain the communication key KEY1;

步骤7、采用SM4算法对加密杂凑值HASH2使用通信密钥KEY1进行解密得到杂凑值HASH1;Step 7. Use the SM4 algorithm to decrypt the encrypted hash value HASH2 using the communication key KEY1 to obtain the hash value HASH1;

步骤8、采用SM3算法对接收到的通信文件FILE与杂凑值HASH1进行校验,若一致则判断通信文件有效可以采用,若不一致则通信文件无效不可采用。Step 8: Check the received communication file FILE and the hash value HASH1 using the SM3 algorithm. If they are consistent, it is determined that the communication file is valid and can be used. If not, the communication file is invalid and cannot be used.

本发明提出的一种混合加密信息处理与通信片上系统及方法,采用符合国密标准的SM2/SM3/SM4加解密计算方法,不仅可以应用于航空航天、智能电网、高铁船舶等关键领域的智能控制系统,也可推广应用至智能网关、智能门锁等商用信息安全领域。A mixed encryption information processing and communication on-chip system and method proposed by the present invention adopts the SM2/SM3/SM4 encryption and decryption calculation method that conforms to the national secret standard, and can not only be applied to key fields such as aerospace, smart grids, and high-speed rail ships. The control system can also be extended and applied to commercial information security fields such as smart gateways and smart door locks.

本申请提供一种计算机可读存储介质,所述计算机可读存储介质存储有计算机指令,当所述计算机指令在计算机上运行时,使得计算机执行图1所述的方法。The present application provides a computer-readable storage medium, the computer-readable storage medium stores computer instructions, and when the computer instructions are run on a computer, the computer is made to execute the method described in FIG. 1 .

本领域内的技术人员应明白,本申请的实施例可提供为方法、系统、或计算机程序产品。因此,本申请可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本申请可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器和光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) having computer-usable program code embodied therein.

本申请是参照根据本申请实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present application. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.

需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。It should be noted that in this article, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply that there is a relationship between these entities or operations. any such actual relationship or order exists between them. Furthermore, the term "comprises", "comprises" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus comprising a set of elements includes not only those elements, but also includes elements not expressly listed. other elements of or also include elements inherent in such a process, method, article, or device.

显然,本领域的技术人员可以对本申请进行各种改动和变型而不脱离本申请的精神和范围。这样,倘若本申请的这些修改和变型属于本申请权利要求及其等同技术的范围之内,则本申请也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the application without departing from the spirit and scope of the application. In this way, if these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include these modifications and variations.

本发明说明书中未作详细描述的内容属本领域技术人员的公知技术。The content that is not described in detail in the description of the present invention belongs to the well-known technology of those skilled in the art.

Claims (10)

1. A hybrid encryption information processing and communication system-on-a-chip, comprising: the system comprises a heterogeneous multi-core processor, a memory controller, a communication system, an encryption and decryption coprocessor and a system bus;
the heterogeneous multi-core processor realizes the process control and task scheduling of system hybrid encryption information processing and communication through software for executing a preset design step;
the memory controller is used for storing the transmitted or received data and file information;
the communication system is used for sending or receiving data and file information which are subjected to encryption processing among different modules;
the encryption and decryption coprocessor comprises a true random number generator and an encryption and decryption module; the true random number generator is used for randomly generating an initial communication key, and the encryption and decryption module is used for calculating the encryption and decryption specification of the commercial password in information processing;
and the system bus is used for transmitting data and file information among the modules.
2. The system-on-chip for hybrid cryptographic information processing and communication of claim 1, wherein: the true random number generator generates an initial key by adopting a physical thermal noise method.
3. The system-on-chip for hybrid cryptographic information processing and communication of claim 1, wherein: the encryption and decryption modules are provided with a plurality of modules and all are realized by adopting independent hardware logic which accords with the national commercial cryptographic algorithm standard.
4. The system-on-chip for hybrid cryptographic information processing and communication of claim 1, wherein: the system bus adopts an implementation mechanism supporting a system internal security access mode.
5. The method for hybrid encrypted information processing and communication system-on-a-chip identity authentication and data encryption communication according to claim 1, comprising:
the sending node randomly generates a communication KEY KEY1 by using a true random number generator;
preparing identity authentication information, and encrypting communication data ID1 by using a first encryption and decryption algorithm and a communication KEY KEY1 to obtain encrypted identity authentication information ID2;
encrypting the communication KEY KEY1 by adopting a second encryption and decryption algorithm to obtain KEY2;
sending the encrypted identity ID2 and the KEY KEY2 to a receiving node through a communication system;
after receiving the identity authentication information, the receiving node decrypts KEY2 by adopting a second encryption and decryption algorithm to obtain a communication KEY KEY1;
decrypting the encrypted identity ID2 by using a first encryption and decryption algorithm through a communication KEY KEY1 to obtain communication data ID1;
and judging that the ID1 is a valid identity, and adding the ID into the communication network node.
6. The method of claim 5, wherein: the first encryption and decryption algorithm is an SM4 algorithm, and the second encryption and decryption algorithm is an SM2 algorithm.
7. The method for communicating and verifying the validity of the data file, which is implemented by the hybrid encryption information processing and communication system on chip, according to claim 1, comprises:
randomly generating a communication KEY KEY1 by using a true random number generator;
preparing a communication FILE FILE, and generating a HASH value HASH1 of the FILE by adopting a third encryption and decryption algorithm;
encrypting the HASH value HASH1 by using a communication KEY KEY1 by adopting a first encryption and decryption algorithm to obtain an encrypted HASH value HASH2;
encrypting the communication KEY KEY1 by adopting a second encryption and decryption algorithm to obtain KEY2;
sending the communication FILE FILE, the encrypted HASH value HASH2 and the key HASH2 to a receiving node through a communication system;
after receiving the communication file, the receiving node decrypts the KEY2 by adopting a second encryption and decryption algorithm to obtain a communication KEY KEY1;
decrypting the encrypted HASH value HASH2 by adopting a first encryption and decryption algorithm by using a communication KEY KEY1 to obtain a HASH value HASH1;
and checking the received communication FILE FILE and the HASH value HASH1 by adopting a third encryption and decryption algorithm, if the received communication FILE FILE and the HASH value HASH1 are consistent, judging that the communication FILE is valid and can be adopted, and if the received communication FILE and the HASH value HASH are inconsistent, judging that the communication FILE is invalid and cannot be adopted.
8. The method of claim 7, wherein: the first encryption and decryption algorithm is an SM4 algorithm, the second encryption and decryption algorithm is an SM2 algorithm, and the third encryption and decryption algorithm is an SM3 algorithm.
9. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 5 to 8.
10. A hybrid encrypted information processing and communication device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that: the processor, when executing the computer program, performs the steps of the method according to any one of claims 5 to 8.
CN202210761754.3A 2022-06-29 2022-06-29 A hybrid encryption information processing and communication on-chip system and method Pending CN115296795A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210761754.3A CN115296795A (en) 2022-06-29 2022-06-29 A hybrid encryption information processing and communication on-chip system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210761754.3A CN115296795A (en) 2022-06-29 2022-06-29 A hybrid encryption information processing and communication on-chip system and method

Publications (1)

Publication Number Publication Date
CN115296795A true CN115296795A (en) 2022-11-04

Family

ID=83822905

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210761754.3A Pending CN115296795A (en) 2022-06-29 2022-06-29 A hybrid encryption information processing and communication on-chip system and method

Country Status (1)

Country Link
CN (1) CN115296795A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117278337A (en) * 2023-11-23 2023-12-22 北京航空航天大学 A blockchain-based data security transmission and consistency inspection system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100334519C (en) * 2005-03-23 2007-08-29 联想(北京)有限公司 Method for establishing credible input-output channels
CN110505050A (en) * 2019-08-27 2019-11-26 北京电子科技学院 A kind of Android information encryption system and method based on national secret algorithm
CN113612797A (en) * 2021-08-23 2021-11-05 金陵科技学院 An Improved Kerberos Authentication Protocol Based on National Secret Algorithm

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100334519C (en) * 2005-03-23 2007-08-29 联想(北京)有限公司 Method for establishing credible input-output channels
CN110505050A (en) * 2019-08-27 2019-11-26 北京电子科技学院 A kind of Android information encryption system and method based on national secret algorithm
CN113612797A (en) * 2021-08-23 2021-11-05 金陵科技学院 An Improved Kerberos Authentication Protocol Based on National Secret Algorithm

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
伍娟;: "基于国密SM4和SM2的混合密码算法研究与实现", 软件导刊, no. 08, 20 August 2013 (2013-08-20), pages 1 - 3 *
胡洋;任振兴;滕国山;杨小凡;纪陵;: "一种基于IEC 62351的变电站远动通信混合加密算法", 电力信息与通信技术, no. 05, 15 May 2018 (2018-05-15), pages 4 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117278337A (en) * 2023-11-23 2023-12-22 北京航空航天大学 A blockchain-based data security transmission and consistency inspection system

Similar Documents

Publication Publication Date Title
Liang et al. A mutual security authentication method for RFID-PUF circuit based on deep learning
US8171306B2 (en) Universal secure token for obfuscation and tamper resistance
CN113383511B (en) Recovery key to unlock the data storage device
CN102025503B (en) Data security implementation method in cluster environment and high-security cluster
CN110855430B (en) Computing system and method for managing a secure object store in a computing system
WO2016058404A1 (en) Entity authentication method and device based on pre-shared key
CN113383335B (en) Secure logging of data storage device events
CN107948156A (en) The closed key management method and system of a kind of identity-based
CN111970114B (en) File encryption method, system, server and storage medium
CN102236756A (en) File encryption method based on TCM (trusted cryptography module) and USBkey
CN102571348A (en) Ethernet encryption and authentication system and encryption and authentication method
CN103888429B (en) Virtual machine starts method, relevant device and system
CN107908574A (en) The method for security protection of solid-state disk data storage
CN102255727B (en) Improved anti-attacking intelligent card authentication method based on user defined algorithm environment
WO2018060448A1 (en) Authentication protocol using a one-time password
CN107391232A (en) A kind of system level chip SOC and SOC systems
CN114267100A (en) Unlock authentication method, device, security chip and electronic key management system
CN111884814B (en) Method and system for preventing intelligent terminal from being counterfeited
CN101651538A (en) Method for safe transmission of data based on creditable password module
CN107911221B (en) Key management method for secure storage of solid-state disk data
CN113328979B (en) Method and device for recording access behaviors
CN109194467A (en) A kind of safe transmission method and system of encryption data
CN115296795A (en) A hybrid encryption information processing and communication on-chip system and method
CN103944721A (en) Method and device for protecting terminal data security on basis of web
CN112968774B (en) Method, device storage medium and equipment for encrypting and decrypting configuration file

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination