CN117240459A - Password operation method, password operation module, chip and electronic equipment - Google Patents
Password operation method, password operation module, chip and electronic equipment Download PDFInfo
- Publication number
- CN117240459A CN117240459A CN202311522125.6A CN202311522125A CN117240459A CN 117240459 A CN117240459 A CN 117240459A CN 202311522125 A CN202311522125 A CN 202311522125A CN 117240459 A CN117240459 A CN 117240459A
- Authority
- CN
- China
- Prior art keywords
- password
- password operation
- cryptographic
- data
- processed
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 41
- 238000012545 processing Methods 0.000 claims abstract description 21
- 238000012795 verification Methods 0.000 claims description 55
- 238000004364 calculation method Methods 0.000 claims description 36
- 230000003111 delayed effect Effects 0.000 claims description 9
- 230000008569 process Effects 0.000 claims description 8
- 238000013461 design Methods 0.000 abstract description 8
- 230000006870 function Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 5
- 230000000694 effects Effects 0.000 description 3
- 230000001133 acceleration Effects 0.000 description 2
- 238000003491 array Methods 0.000 description 2
- 239000000463 material Substances 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 230000001934 delay Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a password operation method, a password operation module, a chip and electronic equipment. The method comprises the following steps: determining the working mode of the password operation module according to whether the data to be processed needs to meet the functional safety requirements; and controlling the password operation module according to the working mode to carry out password operation processing on the data to be processed. Therefore, the working mode of the password operation module is determined based on the functional safety requirement of the data to be processed, and the functional safety design of the password operation module can be realized.
Description
Technical Field
The present invention relates to the field of vehicle information security technologies, and in particular, to a cryptographic operation method, a cryptographic operation module, a chip, and an electronic device.
Background
The functional safety is a set requirement in the automotive field, and is mainly implemented according to the automotive functional safety standard, and the network safety is mainly implemented according to the road vehicle network safety standard, so that the functional safety and the network safety of the vehicle can be ensured by the two standards.
In general, functional security and network security are parallel, for example, a cryptographic operation module related to network security does not participate in execution of a functional security related function, so that only a hardware acceleration function of a related algorithm is provided in the related art, and it is sufficient to ensure that the hardware acceleration function does not interfere with the functional security related function. However, as network security designs in vehicles increase, faults in network security mechanisms may cause serious functional security effects, such as functional security effects in the case of messages or signals exchanged between different controllers related to functional security.
Disclosure of Invention
The present invention aims to solve at least one of the technical problems in the related art to some extent. Therefore, the invention aims to provide a password operation method, a password operation module, a chip and electronic equipment, and the working mode of the password operation module is determined based on the functional safety requirement of data to be processed, so that the functional safety design of the password operation module can be realized.
To achieve the above object, an embodiment of a first aspect of the present invention provides a method for cryptographic operation, including: determining the working mode of the password operation module according to whether the data to be processed needs to meet the functional safety requirements; and controlling the password operation module according to the working mode to carry out password operation processing on the data to be processed.
According to one embodiment of the present invention, determining an operation mode of a cryptographic operation module according to whether data to be processed needs to satisfy functional security requirements includes: when the data to be processed needs to meet the functional safety requirements, determining that the working mode of the password operation module is a lockstep calculation mode or a lockstep verification mode; when the data to be processed does not need to meet the functional safety requirement, the working mode of the password operation module is determined to be a common calculation and verification mode or a parallel calculation mode.
According to one embodiment of the present invention, controlling a cryptographic operation module according to an operation mode to perform cryptographic operation on data to be processed includes: when the working mode is a lockstep computing mode, a first password operation unit of the password operation module is controlled to perform first password operation on first data to be processed to obtain a first password operation result, and the first password operation result is input to a comparison unit of the password operation module after delaying for a first preset time; after delaying for a second preset time, controlling a second password operation unit of the password operation module to perform first password operation on the first data to be processed to obtain a second password operation result, and inputting the second password operation result to the comparison unit; the control comparison unit compares whether the first password operation result and the second password operation result are identical, and outputs password operation error marking information when the first password operation result and the second password operation result are different.
According to one embodiment of the invention, the method further comprises: the control comparison unit compares whether the first password operation result and the second password operation result are identical, outputs password operation correct marking information when the first password operation result and the second password operation result are identical, and controls the first password operation unit to output the first password operation result.
According to one embodiment of the invention, the first cryptographic operation comprises encryption, decryption, digital signature generation, or message authentication code generation.
According to one embodiment of the present invention, controlling a cryptographic operation module according to an operation mode to perform cryptographic operation on data to be processed includes: when the working mode is a lock step verification mode, a first password operation unit of the password operation module is controlled to perform second password operation on second data to be processed to obtain a third password operation result, and the third password operation result is input to a comparison unit of the password operation module after a third preset time is delayed; after delaying the fourth preset time, controlling a second password operation unit of the password operation module to perform second password operation on the second data to be processed to obtain a fourth password operation result, and inputting the fourth password operation result to the comparison unit; the control comparison unit compares whether the third password operation result, the fourth password operation result and the corresponding reference value are the same or not, and outputs password operation error marking information when the third password operation result, the fourth password operation result and the corresponding reference value are different, and outputs password operation correct marking information when the third password operation result, the fourth password operation result and the corresponding reference value are the same.
According to one embodiment of the invention, the second cryptographic operation includes digital signature verification or message authentication code verification.
According to one embodiment of the present invention, controlling a cryptographic operation module according to an operation mode to perform cryptographic operation on data to be processed includes: when the working mode is a common calculation and verification mode, a first password operation unit of the password operation module is controlled to perform third password operation on third data to be processed to obtain a fifth password operation result, the fifth password operation result is input to a comparison unit of the password operation module, the comparison unit is controlled to compare whether the fifth password operation result is identical to a corresponding reference value or not, password operation error marking information is output when the fifth password operation result is different from the corresponding reference value, and password operation correct marking information is output when the fifth password operation result is identical to the corresponding reference value; and the second password operation unit controlling the password operation module performs fourth password operation on the fourth data to be processed to obtain a sixth password operation result and outputs the sixth password operation result.
According to one embodiment of the invention, the third cryptographic operation comprises digital signature verification or message authentication code verification, and the fourth cryptographic operation comprises encryption, decryption, digital signature generation or message authentication code generation.
According to one embodiment of the present invention, controlling a cryptographic operation module according to an operation mode to perform cryptographic operation on data to be processed includes: when the working mode is a parallel computing mode, a first password operation unit of the password operation module is controlled to perform fifth password operation on fifth data to be processed to obtain a seventh password operation result and output the seventh password operation result; and the second password operation unit controlling the password operation module performs sixth password operation on the sixth data to be processed to obtain an eighth password operation result and outputs the eighth password operation result.
According to one embodiment of the invention, the fifth cryptographic operation comprises encryption, decryption, digital signature generation or message authentication code generation, and the sixth cryptographic operation comprises encryption, decryption, digital signature generation or message authentication code generation.
To achieve the above object, a second aspect of the present invention provides a cryptographic operation module, including: the device comprises a first password operation unit, a second password operation unit, a comparison unit, a determination unit and a control unit, wherein the determination unit is used for determining the working mode of the password operation module according to whether data to be processed need to meet functional safety requirements or not; and the control unit is used for controlling the first password operation unit, the second password operation unit and the comparison unit to carry out password operation processing on the data to be processed according to the working mode.
To achieve the above object, an embodiment of a third aspect of the present invention provides a chip, including: the system comprises a memory, a processor and a program stored in the memory and capable of running on the processor, wherein the processor realizes the password operation method when executing the program.
In order to achieve the above objective, a fourth embodiment of the present invention provides a chip including the aforementioned cryptographic module.
In order to achieve the above object, a fifth embodiment of the present invention provides an electronic device, which includes the above-mentioned cryptographic module, or the above-mentioned chip.
According to the password operation method, the password operation module, the chip and the electronic equipment, the working mode of the password operation module is determined according to whether the data to be processed needs to meet the functional safety requirements; and controlling the password operation module according to the working mode to carry out password operation processing on the data to be processed. Therefore, the working mode of the password operation module is determined based on the functional safety requirement of the data to be processed, and the functional safety design of the password operation module can be realized.
Drawings
Fig. 1 is a flow chart of a cryptographic operation method according to an embodiment of the invention.
FIG. 2 is a schematic diagram of a cryptographic module in a lockstep computing mode according to one embodiment of the invention.
FIG. 3 is a schematic diagram of a cryptographic operation module in a lockstep authentication mode according to one embodiment of the invention.
Fig. 4 is a schematic diagram of a cryptographic module according to an embodiment of the invention in a normal computing and authentication mode.
FIG. 5 is a schematic diagram of a cryptographic operation module in parallel computing mode according to one embodiment of the invention.
Fig. 6 is a schematic structural diagram of a cryptographic operation module according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative and intended to explain the present invention and should not be construed as limiting the invention.
The following describes a cryptographic operation method, a cryptographic operation module, a chip, and an electronic device according to embodiments of the present invention in detail with reference to the accompanying drawings.
FIG. 1 is a flow chart of a cryptographic operation method according to one embodiment of the invention. Referring to fig. 1, the cryptographic operation method may include:
s110, determining the working mode of the password operation module according to whether the data to be processed needs to meet the functional safety requirements.
Specifically, the data to be processed refers to messages or signals to be exchanged between devices, and mainly includes two data types, one is the data to be processed which is required to meet the functional safety requirements, and the other is the data to be processed which is not required to meet the functional safety requirements. Correspondingly, when the data to be processed needs to meet the functional safety requirements, the working mode of the password operation module needs to meet the functional safety requirements; when the data to be processed does not need to meet the functional safety requirements, the working mode of the password operation module does not need to meet the functional safety requirements.
S120, controlling the password operation module according to the working mode to carry out password operation processing on the data to be processed.
Specifically, the cryptographic operation processing mainly includes encryption, decryption, digital signature generation, message authentication code generation, digital signature verification, or message authentication code verification. The password operation module needs to confirm the working mode according to the data type of the data to be processed, and then carries out corresponding password operation processing on the data to be processed.
For example, when the controller a transmits a message related to functional security to the controller B in a message authentication code manner, the cryptographic operation module performs a message authentication code generation operation process on data to be processed in a working mode required to satisfy the functional security requirement; correspondingly, when the controller B receives the message transmitted by the controller A, the password operation module performs message authentication code verification operation processing on the data to be processed in a working mode which needs to meet the functional safety requirement.
Therefore, the working mode of the password operation module is determined based on the functional safety requirement of the data to be processed, and the functional safety design of the password operation module can be realized.
In some embodiments, determining the operation mode of the cryptographic operation module according to whether the data to be processed needs to meet the functional security requirement includes: when the data to be processed needs to meet the functional safety requirements, determining that the working mode of the password operation module is a lockstep calculation mode or a lockstep verification mode; when the data to be processed does not need to meet the functional safety requirement, the working mode of the password operation module is determined to be a common calculation and verification mode or a parallel calculation mode.
Specifically, the lockstep mode refers to that the same operation is executed by using the same and redundant hardware or software to meet the functional safety requirement of the system, so when the data to be processed needs to meet the functional safety requirement, the cryptographic operation module adopts the lockstep mode, and the same operation is executed by setting two identical cryptographic operation units (which may be hardware or software) to realize the functional safety design of the cryptographic operation module. Furthermore, the lockstep mode of the password operation module can be divided into a lockstep calculation mode and a lockstep verification mode based on the password operation required by the data to be processed. For example, when the cryptographic operation required by the data to be processed is encryption, decryption, digital signature generation or message authentication code generation, the working mode of the cryptographic operation module is a lockstep calculation mode; when the password operation needed by the data to be processed is digital signature verification or message authentication code verification, the working mode of the password operation module is a lock step verification mode.
When the data to be processed does not need to meet the functional safety requirement, the working mode of the password operation module can be determined to be a common mode, and the common mode can be refined to be a common calculation and verification mode and a parallel calculation mode. The common computing and verifying mode refers to that a cryptographic operation process related to cryptographic computing, such as encryption, decryption, digital signature generation or message authentication code generation, is realized through one cryptographic operation unit (which may be hardware or software), and a cryptographic operation process related to cryptographic verification, such as digital signature verification or message authentication code verification, is realized through another cryptographic operation unit (which may be hardware or software). Parallel computing mode refers to the implementation of cryptographic operations associated with cryptographic computation, such as encryption, decryption, digital signature generation, or message authentication code generation, by one cryptographic operation unit (which may be hardware or software), and the implementation of cryptographic operations associated with cryptographic computation, such as encryption, decryption, digital signature generation, or message authentication code generation, by another cryptographic operation unit (which may be hardware or software). That is, in the normal mode, each of the cryptographic operation units may independently receive the data to be processed, perform cryptographic operation processing, and output a cryptographic operation result, so as to improve the operation efficiency of the cryptographic operation module to a certain extent when the security requirement is not available.
Therefore, based on the functional safety requirement of the data to be processed, the working mode of the password operation module is flexibly configured, the functional safety design of the password operation module can be realized, and the calculation efficiency of the password operation module is improved.
In some embodiments, controlling the cryptographic operation module according to the operation mode to perform cryptographic operation on the data to be processed includes: when the working mode is a lockstep computing mode, a first password operation unit of the password operation module is controlled to perform first password operation on first data to be processed to obtain a first password operation result, and the first password operation result is input to a comparison unit of the password operation module after delaying for a first preset time; after delaying for a second preset time, controlling a second password operation unit of the password operation module to perform first password operation on the first data to be processed to obtain a second password operation result, and inputting the second password operation result to the comparison unit; the control comparison unit compares whether the first password operation result and the second password operation result are identical, and outputs password operation error marking information when the first password operation result and the second password operation result are different.
In particular, the cryptographic operation module comprises a first cryptographic operation unit, a second cryptographic operation unit and a comparison unit, which may be in particular hardware or software, such as a calculation engine. When the data to be processed needs to meet the functional safety requirement, the password operation module selects a lockstep calculation mode or a lockstep verification mode to carry out password operation processing, and particularly selects according to the password operation required by the data to be processed. For example, when the cryptographic operation required by the data to be processed is encryption, decryption, digital signature generation or message authentication code generation, the cryptographic operation module performs the cryptographic operation processing on the data to be processed by adopting a lockstep calculation mode.
Illustratively, referring to fig. 2, the cryptographic operation module includes a first cryptographic operation unit 201, a second cryptographic operation unit 202, a first delay 203, a second delay 204, and a comparison unit 205. The first cryptographic operation unit 201 and the second cryptographic operation unit 202 are the same, and are used for performing a first cryptographic operation on the first data to be processed, the first cryptographic operation unit 201 outputs a first cryptographic operation result, and the second cryptographic operation unit 202 outputs a second cryptographic operation result. The first delayer 203 is configured to delay the first cryptographic operation result by a first preset time, and the second delayer 204 is configured to delay the first data to be processed by a second preset time, where the first preset time and the second preset time are the same. By providing the first delay 203 and the second delay 204, the first cryptographic operation unit 201 and the second cryptographic operation unit 202 can perform the same first cryptographic operation at different times, and the first cryptographic operation result and the second cryptographic operation result can reach the comparison unit 205 in the same clock cycle. The comparing unit 205 is configured to compare whether the first cryptographic operation result and the second cryptographic operation result are the same, and output cryptographic operation flag information. Outputting the password operation error marking information when the first password operation result is different from the second password operation result; when the first cryptographic operation result is identical to the second cryptographic operation result, the cryptographic operation correct flag information is output, and the first cryptographic operation unit 201 is controlled to output the first cryptographic operation result. The first preset time and the second preset time are determined according to practical situations, and are not limited herein, for example, the first preset time and the second preset time are a plurality of clock cycles of the cryptographic operation module.
Illustratively, the first cryptographic operation is exemplified as the generation of the message authentication code. The first password operation unit 201 of the password operation module is controlled to perform first password operation on first data to be processed to obtain a message authentication code 1, and the message authentication code 1 is input to the comparison unit 205 after delaying for a first preset time; meanwhile, the first data to be processed is controlled to be delayed for a second preset time and then is input into the second password operation unit 202 to perform the same operation to obtain a message authentication code 2, and the message authentication code 2 is input into the comparison unit 205; the comparing unit 205 compares whether the message authentication code 1 and the message authentication code 2 are identical, and when the message authentication code 1 and the message authentication code 2 are different, the comparing unit 205 outputs the cipher operation error flag information; when the message authentication code 1 is the same as the message authentication code 2, the comparison unit 205 outputs the cryptographic operation correct flag information, while the first cryptographic operation unit 201 outputs the message authentication code 1 for verification of the message verification code.
In some embodiments, controlling the cryptographic operation module according to the operation mode to perform cryptographic operation on the data to be processed includes: when the working mode is a lock step verification mode, a first password operation unit of the password operation module is controlled to perform second password operation on second data to be processed to obtain a third password operation result, and the third password operation result is input to a comparison unit of the password operation module after a third preset time is delayed; after delaying the fourth preset time, controlling a second password operation unit of the password operation module to perform second password operation on the second data to be processed to obtain a fourth password operation result, and inputting the fourth password operation result to the comparison unit; the control comparison unit compares whether the third password operation result, the fourth password operation result and the corresponding reference value are the same or not, and outputs password operation error marking information when the third password operation result, the fourth password operation result and the corresponding reference value are different, and outputs password operation correct marking information when the third password operation result, the fourth password operation result and the corresponding reference value are the same.
In particular, the cryptographic operation module comprises a first cryptographic operation unit, a second cryptographic operation unit and a comparison unit, which may be in particular hardware or software, such as a calculation engine. When the data to be processed needs to meet the functional safety requirement, the password operation module selects a lockstep calculation mode or a lockstep verification mode to carry out password operation processing, and particularly selects according to the password operation required by the data to be processed. For example, when the cryptographic operation required by the data to be processed is digital signature verification or message authentication code verification, the cryptographic operation module adopts a lock step verification mode to perform cryptographic operation processing on the data to be processed.
Illustratively, referring to fig. 3, the cryptographic operation module includes a first cryptographic operation unit 201, a second cryptographic operation unit 202, a first delay 203, a second delay 204, and a comparison unit 205. The first cryptographic operation unit 201 and the second cryptographic operation unit 202 are the same, and are both configured to perform a second cryptographic operation on the second data to be processed, where the first cryptographic operation unit 201 outputs a third cryptographic operation result, and the second cryptographic operation unit 202 outputs a fourth cryptographic operation result. The first delayer 203 is configured to delay the third cryptographic operation result by a third preset time, and the second delayer 204 is configured to delay the second data to be processed by a fourth preset time, where the third preset time is the same as the fourth preset time. By providing the first delay 203 and the second delay 204, the first cryptographic operation unit 201 and the second cryptographic operation unit 202 can perform the same second cryptographic operation at different times, and the third cryptographic operation result and the fourth cryptographic operation result can reach the comparison unit 205 in the same clock cycle. The comparing unit 205 is configured to compare whether the third cryptographic operation result, the fourth cryptographic operation result and the corresponding reference value are the same, and output the cryptographic operation flag information. Outputting password operation error marking information when the third password operation result and the fourth password operation result are different from the corresponding reference values; and outputting the correct marking information of the password operation when the third password operation result and the fourth password operation result are the same as the corresponding reference values. The third preset time and the fourth preset time are determined according to practical situations, and are not limited herein, for example, the third preset time and the fourth preset time are a plurality of clock cycles of the cryptographic operation module.
Illustratively, the second cryptographic operation is taken as a verification of the message authentication code. The first password operation unit 201 of the password operation module is controlled to perform a second password operation on the second data to be processed to obtain a message authentication code 3, and the message authentication code 3 is input to the comparison unit 205 after a third preset time is delayed; meanwhile, the second data to be processed is controlled to be delayed for a fourth preset time and then is input into the second password operation unit 202 to perform the same operation to obtain the message authentication code 4, and the message authentication code 4 is input into the comparison unit 205; when the message authentication code 3 and the message authentication code 4 are different from the corresponding reference values, the comparison unit 205 outputs the password operation error flag information; when the message authentication code 3, the message authentication code 4, and the corresponding reference values are the same, the comparison unit 205 outputs the cryptographic operation correct flag information. Wherein the corresponding reference value is a message authentication code for verification.
Therefore, when the data to be processed needs to meet the functional safety requirement, a lockstep calculation mode or a lockstep verification mode can be selected to carry out the cryptographic operation processing, so that the functional safety design of the cryptographic operation module is realized. The lock step calculation mode or the lock step verification mode can improve the accuracy of the password operation by comparing the two password operation results, and meanwhile, the two time delays are arranged to enable the password operation units to carry out the same password operation at different times, so that noise pulses affecting the functions of the password operation module due to simultaneous password operation are greatly reduced, and the stability of the password operation module is improved.
In some embodiments, controlling the cryptographic operation module according to the operation mode to perform cryptographic operation on the data to be processed includes: when the working mode is a common calculation and verification mode, a first password operation unit of the password operation module is controlled to perform third password operation on third data to be processed to obtain a fifth password operation result, the fifth password operation result is input to a comparison unit of the password operation module, the comparison unit is controlled to compare whether the fifth password operation result is identical to a corresponding reference value or not, password operation error marking information is output when the fifth password operation result is different from the corresponding reference value, and password operation correct marking information is output when the fifth password operation result is identical to the corresponding reference value; and the second password operation unit controlling the password operation module performs fourth password operation on the fourth data to be processed to obtain a sixth password operation result and outputs the sixth password operation result.
In particular, the cryptographic operation module comprises a first cryptographic operation unit, a second cryptographic operation unit and a comparison unit, which may be in particular hardware or software, such as a calculation engine. When the data to be processed does not need to meet the functional safety requirement, the password operation module can select a common calculation and verification mode or a parallel calculation mode to carry out password operation processing, and particularly selects according to the password operation required by the data to be processed. For example, when the cryptographic operation required for the data to be processed includes digital signature verification or message authentication code verification, the cryptographic operation module performs the cryptographic operation processing on the data to be processed using the normal calculation and verification mode.
For example, referring to fig. 4, the cryptographic operation module includes a first cryptographic operation unit 201, a second cryptographic operation unit 202, and a comparison unit 205, where the first cryptographic operation unit 201 is configured to perform a third cryptographic operation on input third data to be processed to obtain a fifth cryptographic operation result, and the comparison unit 205 is configured to compare whether the fifth cryptographic operation result is the same as a corresponding reference value, and output a cryptographic operation flag information, where when the fifth cryptographic operation result is different from the corresponding reference value, output a cryptographic operation error flag information; and outputting the correct marking information of the password operation when the fifth password operation result is the same as the corresponding reference value. The second cryptographic operation unit 202 is configured to perform a fourth cryptographic operation on the input fourth data to be processed, and output a sixth cryptographic operation result.
The third cryptographic operation is exemplified as verification of the message authentication code, and the fourth cryptographic operation is exemplified as generation of the message authentication code. The first password operation unit 201 controlling the password operation module performs a third password operation on the third data to be processed to obtain a message authentication code 5, and inputs the message authentication code 5 to the comparison unit 205, the comparison unit 205 compares the message authentication code 5 with a corresponding reference value, and when the message authentication code 5 is different from the corresponding reference value, the comparison unit 205 outputs password operation error flag information; when the message authentication code 5 is identical to the corresponding reference value, the comparison unit 205 outputs the cryptographic operation correct flag information. The second cryptographic operation unit 202 controlling the cryptographic operation module performs a fourth cryptographic operation on the fourth data to be processed to obtain the message authentication code 6. Therefore, the calculation efficiency of the password operation module is improved. Wherein the corresponding reference value is a message authentication code for verification.
In some embodiments, controlling the cryptographic operation module according to the operation mode to perform cryptographic operation on the data to be processed includes: when the working mode is a parallel computing mode, a first password operation unit of the password operation module is controlled to perform fifth password operation on fifth data to be processed to obtain a seventh password operation result and output the seventh password operation result; and the second password operation unit controlling the password operation module performs sixth password operation on the sixth data to be processed to obtain an eighth password operation result and outputs the eighth password operation result.
In particular, the cryptographic operation module comprises a first cryptographic operation unit and a second cryptographic operation unit, which may in particular be hardware or software, such as a computing engine. When the data to be processed does not need to meet the functional safety requirement, the password operation module can select a common calculation and verification mode or a parallel calculation mode to carry out password operation processing, and particularly selects according to the password operation required by the data to be processed. For example, when the cryptographic operation required by the data to be processed does not include digital signature verification or message authentication code verification, such as only encryption, decryption, digital signature generation or message authentication code generation, the cryptographic operation module performs cryptographic operation processing on the data to be processed in a parallel computing mode.
Illustratively, referring to fig. 5, the cryptographic operation module includes a first cryptographic operation unit 201 and a second cryptographic operation unit 202. The first cryptographic operation unit 201 and the second cryptographic operation unit 202 may independently receive the data to be processed, perform a cryptographic operation process, and output a cryptographic operation result, that is, the first cryptographic operation unit 201 performs a fifth cryptographic operation on the fifth data to be processed, and outputs a seventh cryptographic operation result, while the second cryptographic operation unit 202 performs a sixth cryptographic operation on the sixth data to be processed, and outputs an eighth cryptographic operation result.
Illustratively, taking the fifth cryptographic operation and the sixth cryptographic operation as the message authentication code generation example for explanation, the first cryptographic operation unit 201 controlling the cryptographic operation module performs the fifth cryptographic operation on the fifth data to be processed to obtain the message authentication code 7; meanwhile, the second password operation unit 202 of the password operation module is controlled to perform sixth password operation on the sixth data to be processed to obtain the message authentication code 8, namely the first password operation unit 201 and the second password operation unit 202 are calculated in parallel, so that the calculation efficiency of the password operation module is improved.
Therefore, when the data to be processed does not need to meet the functional safety requirement, the common computing and verifying mode or the parallel computing mode can be selected for carrying out the cryptographic operation processing, so that the computing efficiency of the cryptographic operation module is improved.
In summary, according to the cryptographic operation method of the embodiment of the present invention, the working mode of the cryptographic operation module is flexibly selected based on the functional security requirement of the data to be processed, so that the computing efficiency and the functional security requirement of the cryptographic operation module can be both considered.
In some embodiments, a cryptographic operation module is also provided.
Referring to fig. 6, the cryptographic operation module 300 includes: a first cryptographic operation unit 310, a second cryptographic operation unit 320, a comparison unit 330, a determination unit 340, and a control unit 350. The determining unit 340 is configured to determine, according to whether the data to be processed needs to meet the functional security requirement, a working mode of the cryptographic operation module 300; the control unit 350 is configured to control the first cryptographic operation unit 310, the second cryptographic operation unit 320, and the comparison unit 330 to perform cryptographic operation on the data to be processed according to the operation mode.
According to one embodiment of the present invention, the determining unit 340 is specifically configured to: when the data to be processed needs to meet the functional safety requirements, determining that the working mode of the password operation module 300 is a lockstep calculation mode or a lockstep verification mode; when the data to be processed does not need to meet the functional security requirement, the working mode of the cryptographic operation module 300 is determined to be a normal calculation and verification mode or a parallel calculation mode.
According to one embodiment of the invention, the control unit 350 is specifically configured to: when the working mode is the lockstep computing mode, the first cryptographic operation unit 310 of the cryptographic operation module 300 is controlled to perform a first cryptographic operation on the first data to be processed to obtain a first cryptographic operation result, and the first cryptographic operation result is input to the comparison unit 330 of the cryptographic operation module 300 after a first preset time is delayed; after the second preset time is delayed, the second password operation unit 320 of the password operation module 300 is controlled to perform the first password operation on the first data to be processed to obtain a second password operation result, and the second password operation result is input to the comparison unit 330; the control comparing unit 330 compares whether the first and second cryptographic operation results are identical, and outputs a cryptographic operation error flag information when the first and second cryptographic operation results are different.
According to one embodiment of the invention, the control unit 350 is further adapted to: the control comparison unit 330 compares whether the first and second cryptographic operation results are identical, and outputs the cryptographic operation correct flag information and controls the first cryptographic operation unit 310 to output the first cryptographic operation result when the first and second cryptographic operation results are identical.
According to one embodiment of the invention, the control unit 350 is specifically configured to: when the working mode is the lockstep verification mode, the first password operation unit 310 of the password operation module 300 is controlled to perform the second password operation on the second data to be processed to obtain a third password operation result, and the third password operation result is input to the comparison unit 330 of the password operation module 300 after delaying for a third preset time; after the fourth preset time is delayed, the second password operation unit 320 of the password operation module 300 is controlled to perform the second password operation on the second data to be processed to obtain a fourth password operation result, and the fourth password operation result is input to the comparison unit 330; the control comparison unit 330 compares whether the third cryptographic operation result, the fourth cryptographic operation result, and the corresponding reference value are identical, and outputs the cryptographic operation error flag information when the third cryptographic operation result, the fourth cryptographic operation result, and the corresponding reference value are different, and outputs the cryptographic operation correct flag information when the third cryptographic operation result, the fourth cryptographic operation result, and the corresponding reference value are identical.
According to one embodiment of the invention, the control unit 350 is specifically configured to: when the working mode is the normal calculation and verification mode, the first password operation unit 310 of the password operation module 300 is controlled to perform third password operation on the third data to be processed to obtain a fifth password operation result, the fifth password operation result is input to the comparison unit 330 of the password operation module 300, the comparison unit 330 is controlled to compare whether the fifth password operation result is identical to the corresponding reference value, password operation error marking information is output when the fifth password operation result is different from the corresponding reference value, and password operation correct marking information is output when the fifth password operation result is identical to the corresponding reference value; the second cryptographic operation unit 320 of the control cryptographic operation module 300 performs a fourth cryptographic operation on the fourth data to be processed to obtain a sixth cryptographic operation result, and outputs the sixth cryptographic operation result.
According to one embodiment of the invention, the control unit 350 is specifically configured to: when the working mode is the parallel computing mode, the first password operation unit 310 of the password operation module 300 is controlled to perform fifth password operation on the fifth data to be processed to obtain a seventh password operation result and output the seventh password operation result; the second cryptographic operation unit 320 of the control cryptographic operation module 300 performs a sixth cryptographic operation on the sixth data to be processed to obtain an eighth cryptographic operation result, and outputs the eighth cryptographic operation result.
In some embodiments, there is also provided a chip comprising: the system comprises a memory, a processor and a program stored in the memory and capable of running on the processor, wherein the processor realizes the password operation method when executing the program.
In some embodiments, a chip is also provided, including the foregoing cryptographic operation module.
In some embodiments, an electronic device is further provided, including the foregoing cryptographic operation module, or the foregoing chip.
It should be noted that the above explanation of the embodiment and the advantageous effects of the cryptographic operation method is also applicable to the cryptographic operation module, the chip and the electronic device according to the embodiments of the present invention, and is not further detailed herein to avoid redundancy.
It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein, for example, may be considered as a ordered listing of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable Gate Arrays (PGAs), field Programmable Gate Arrays (FPGAs), and the like.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
In the present invention, unless explicitly specified and limited otherwise, the terms "mounted," "connected," "secured," and the like are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally formed; can be mechanically or electrically connected; either directly or indirectly, through intermediaries, or both, may be in communication with each other or in interaction with each other, unless expressly defined otherwise. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.
Claims (15)
1. A method of cryptographic operation, the method comprising:
determining the working mode of the password operation module according to whether the data to be processed needs to meet the functional safety requirements;
and controlling the password operation module to carry out password operation processing on the data to be processed according to the working mode.
2. The method according to claim 1, wherein determining the operation mode of the cryptographic module according to whether the data to be processed needs to satisfy the functional security requirement comprises:
when the data to be processed needs to meet the functional safety requirements, determining that the working mode of the password operation module is a lockstep calculation mode or a lockstep verification mode;
and when the data to be processed does not need to meet the functional safety requirement, determining that the working mode of the password operation module is a common calculation and verification mode or a parallel calculation mode.
3. The cryptographic operation method according to claim 2, wherein the controlling the cryptographic operation module to perform the cryptographic operation process on the data to be processed according to the operation mode includes:
when the working mode is a lockstep computing mode, a first password operation unit of the password operation module is controlled to perform first password operation on first data to be processed to obtain a first password operation result, and the first password operation result is input to a comparison unit of the password operation module after delaying for a first preset time;
After delaying for a second preset time, controlling a second password operation unit of the password operation module to perform the first password operation on the first data to be processed to obtain a second password operation result, and inputting the second password operation result to the comparison unit;
and controlling the comparison unit to compare whether the first password operation result and the second password operation result are the same or not, and outputting password operation error marking information when the first password operation result and the second password operation result are different.
4. A method of cryptographic operation according to claim 3, wherein the method further comprises:
and controlling the comparison unit to compare whether the first password operation result and the second password operation result are identical, outputting password operation correct marking information when the first password operation result and the second password operation result are identical, and controlling the first password operation unit to output the first password operation result.
5. The cryptographic operation method according to claim 3 or 4, wherein the first cryptographic operation comprises encryption, decryption, digital signature generation or message authentication code generation.
6. The cryptographic operation method according to claim 2, wherein the controlling the cryptographic operation module to perform the cryptographic operation process on the data to be processed according to the operation mode includes:
When the working mode is a lock step verification mode, a first password operation unit of the password operation module is controlled to perform second password operation on second data to be processed to obtain a third password operation result, and the third password operation result is input to a comparison unit of the password operation module after a third preset time is delayed;
after delaying for a fourth preset time, controlling a second password operation unit of the password operation module to perform second password operation on the second data to be processed to obtain a fourth password operation result, and inputting the fourth password operation result to the comparison unit;
controlling the comparison unit to compare whether the third password operation result, the fourth password operation result and the corresponding reference value are the same or not, outputting password operation error marking information when the third password operation result, the fourth password operation result and the corresponding reference value are different, and outputting password operation correct marking information when the third password operation result, the fourth password operation result and the corresponding reference value are the same.
7. The method of claim 6, wherein the second cryptographic operation comprises digital signature verification or message authentication code verification.
8. The cryptographic operation method according to claim 2, wherein the controlling the cryptographic operation module to perform the cryptographic operation process on the data to be processed according to the operation mode includes:
when the working mode is a common calculation and verification mode, controlling a first password operation unit of the password operation module to perform third password operation on third data to be processed to obtain a fifth password operation result, inputting the fifth password operation result to a comparison unit of the password operation module, controlling the comparison unit to compare whether the fifth password operation result is identical to a corresponding reference value or not, outputting password operation error marking information when the fifth password operation result is different from the corresponding reference value, and outputting password operation correct marking information when the fifth password operation result is identical to the corresponding reference value;
and controlling a second password operation unit of the password operation module to perform fourth password operation on fourth data to be processed to obtain a sixth password operation result and outputting the sixth password operation result.
9. The method of claim 8, wherein the third cryptographic operation comprises digital signature verification or message authentication code verification and the fourth cryptographic operation comprises encryption, decryption, digital signature generation, or message authentication code generation.
10. The cryptographic operation method according to claim 2, wherein the controlling the cryptographic operation module to perform the cryptographic operation process on the data to be processed according to the operation mode includes:
when the working mode is a parallel computing mode, controlling a first password operation unit of the password operation module to perform fifth password operation on fifth data to be processed to obtain a seventh password operation result and outputting the seventh password operation result;
and controlling a second password operation unit of the password operation module to perform sixth password operation on the sixth data to be processed to obtain an eighth password operation result and outputting the eighth password operation result.
11. The method of claim 10, wherein the fifth cryptographic operation comprises encryption, decryption, digital signature generation, or message authentication code generation, and the sixth cryptographic operation comprises encryption, decryption, digital signature generation, or message authentication code generation.
12. A cryptographic operation module, the module comprising: a first password operation unit, a second password operation unit, a comparison unit, a determination unit and a control unit, wherein,
the determining unit is used for determining the working mode of the password operation module according to whether the data to be processed needs to meet the functional safety requirement or not;
The control unit is used for controlling the first password operation unit, the second password operation unit and the comparison unit to carry out password operation processing on the data to be processed according to the working mode.
13. A chip, comprising: memory, a processor and a program stored on the memory and executable on the processor, the processor implementing the cryptographic operation method according to any one of claims 1-11 when executing the program.
14. A chip comprising the cryptographic module of claim 12.
15. An electronic device comprising a cryptographic operation module according to claim 12 or a chip according to claim 13 or 14.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311522125.6A CN117240459A (en) | 2023-11-15 | 2023-11-15 | Password operation method, password operation module, chip and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311522125.6A CN117240459A (en) | 2023-11-15 | 2023-11-15 | Password operation method, password operation module, chip and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117240459A true CN117240459A (en) | 2023-12-15 |
Family
ID=89093401
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311522125.6A Pending CN117240459A (en) | 2023-11-15 | 2023-11-15 | Password operation method, password operation module, chip and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117240459A (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113836543A (en) * | 2020-06-08 | 2021-12-24 | 华为技术有限公司 | Method, device and system for encrypting or decrypting data |
| CN115994388A (en) * | 2021-10-19 | 2023-04-21 | 瑞萨电子株式会社 | Integrated circuit |
-
2023
- 2023-11-15 CN CN202311522125.6A patent/CN117240459A/en active Pending
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113836543A (en) * | 2020-06-08 | 2021-12-24 | 华为技术有限公司 | Method, device and system for encrypting or decrypting data |
| CN115994388A (en) * | 2021-10-19 | 2023-04-21 | 瑞萨电子株式会社 | Integrated circuit |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108363347B (en) | Hardware security for electronic control unit | |
| US7197637B2 (en) | Authorization process using a certificate | |
| US6816971B2 (en) | Signature process | |
| Van den Herrewegen et al. | Beneath the bonnet: A breakdown of diagnostic security | |
| JP5541246B2 (en) | Electronic control unit | |
| CN113395348B (en) | Vehicle-mounted chip, functional fault checking method and electronic equipment | |
| US20230336356A1 (en) | Data storage device, data storage method, and non-transitory computer readable storage medium | |
| US11902300B2 (en) | Method for monitoring a data transmission system, data transmission system and motor vehicle | |
| CN112242903B (en) | Hybrid device and method for performing secure boot procedure for hybrid device | |
| CN109918240B (en) | Method for modular verification of device configuration | |
| CN117240459A (en) | Password operation method, password operation module, chip and electronic equipment | |
| US11669641B2 (en) | Method for the computer-aided parameterization of a technical system | |
| Plappert et al. | Secure and Lightweight ECU Attestations for Resilient Over-the-Air Updates in Connected Vehicles | |
| US20220271941A1 (en) | Method and device for checking an incoming secured, encrypted message | |
| JP5226653B2 (en) | In-vehicle control device | |
| KR102001420B1 (en) | Electronic Control Unit, Communication Security System and Method for Vehicle | |
| US10789365B2 (en) | Control device and control method | |
| Freiwald et al. | Safe and secure software updates over the air for electronic brake control systems | |
| CN112580015A (en) | Processing system including trust anchor computing instrument and corresponding method | |
| CN112994876B (en) | Vehicle-mounted controller key injection detection method, injection method and readable storage medium | |
| US20230306101A1 (en) | System, vehicle, and method | |
| US20240036878A1 (en) | Method for booting an electronic control unit | |
| US9239918B2 (en) | Method and apparatus for software-hardware authentication of electronic apparatus | |
| US11509640B2 (en) | Method for protecting an electronic control unit | |
| CN116956362A (en) | File filling method and system based on hybrid security mechanism and upper computer |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |