WO2019109418A1 - Data protection method and apparatus, computer apparatus, and readable storage medium - Google Patents


Info

Publication number: WO2019109418A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2017/119040
Other languages: French (fr), Chinese (zh)
Inventor: 李安
Original assignee: 深圳云天励飞技术有限公司 (Shenzhen Intellifusion Technologies Co., Ltd.)
Prior art keywords: data, master device, application processor chip, processor chip, storage medium

Classifications

    • G06F21/602 Providing cryptographic facilities or services (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules)

Definitions

  • the present invention relates to the field of information security technologies, and in particular, to a data protection method and apparatus, a computer apparatus, and a readable storage medium.
  • the face image library and similar databases are the basis for the final check comparison and are the core data of the product.
  • face recognition and similar AI products usually also have parameters (such as CNN (Convolutional Neural Network) parameters). Tuning good parameters takes a great deal of time and modelling work, and the parameters determine the performance of the algorithm and of the product, so they are key data and their security is likewise necessary.
  • some AI products on the market, in order to control costs, have no encryption or protection at all for their databases and parameters; others purchase high-cost IP and design solutions for encryption protection.
  • the former is low in security and the latter is costly.
  • a first aspect of the present application provides a data protection method, which is applied to a computer device including an application processor chip, the application processor chip being connected to a memory and the memory including a secure data area, and the method includes: receiving an access request from a master device of the application processor chip for data in the secure data area; determining the type of the master device; if the master device is determined to be a master device independent of any external input/output interface, allowing the master device to read the data from the secure data area; if the master device is determined to be a low-speed peripheral having an input/output interface, prohibiting the master device from reading the data from the secure data area; and if the master device is determined to be a high-speed peripheral having an input/output interface, performing security authentication and, if the security authentication passes, allowing the master device to read the data from the secure data area.
  • the performing of the security authentication includes: receiving an input permission-unlock password; calculating a message digest of the input permission-unlock password; determining whether the calculated message digest is the same as a message digest pre-stored in the application processor chip; and, if they are the same, passing the security authentication.
  • the memory is packaged together with the application processor chip.
  • the application processor chip is further connected to an external storage medium, and the method further includes: encrypting data and storing the encrypted data in the external storage medium; receiving a data read instruction and reading the encrypted data from the external storage medium according to the data read instruction; and decrypting the encrypted data and storing the decrypted data in the secure data area.
  • the external storage medium includes a removable external storage medium and a non-removable external storage medium.
  • a second aspect of the present application provides a data protection device for a computer device including an application processor chip, the application processor chip being connected to a memory, the memory including a secure data area, the device comprising:
  • a receiving unit configured to receive, by the master device of the application processor chip, an access request for data in the secure data area
  • a determining unit configured to determine a type of the master device
  • a first processing unit configured to: if the master device is determined to be a master device independent of an external input/output interface, permit the master device to read the data from the secure data region;
  • a second processing unit configured to: if the master device is determined to be a low-speed peripheral having an input/output interface, prohibit the master device from reading the data from the secure data area;
  • a third processing unit configured to perform security authentication if the master device is determined to be a high-speed peripheral having an input/output interface, and to permit the master device to read the data from the secure data area if the security authentication passes.
  • the application processor chip is further connected to an external storage medium and a memory, and the device further includes:
  • An encryption unit configured to encrypt data, and store the encrypted data in the external storage medium
  • a reading unit configured to receive a data read instruction, and read the encrypted data from the external storage medium according to the data read instruction
  • a decryption unit configured to decrypt the encrypted data, and store the decrypted data in the secure data area.
  • a third aspect of the present application provides a computer apparatus including an application processor chip for implementing the data protection method when executing a computer program stored in a memory.
  • a fourth aspect of the present application provides a computer readable storage medium having stored thereon a computer program that implements the data protection method when executed by an application processor chip.
  • the invention receives an access request from a master device of the application processor chip for data in the secure data area of the memory and determines the type of the master device; if the master device is determined to be a device independent of any external input/output interface, the master device is allowed to read the data from the secure data area; if it is determined to be a low-speed peripheral having an input/output interface, the master device is prohibited from reading the data from the secure data area; and if it is determined to be a high-speed peripheral having an input/output interface, security authentication is performed and, if the security authentication passes, the master device is allowed to read the data from the secure data area.
  • the invention can thus protect the data conveniently, give the data a higher security level and reduce the implementation cost.
  • FIG. 1 is a flowchart of a data protection method according to Embodiment 1 of the present invention.
  • FIG. 2 is a flowchart of a data protection method according to Embodiment 2 of the present invention.
  • FIG. 3 is a data flow diagram of a data protection method according to Embodiment 2 of the present invention.
  • FIG. 4 is a structural diagram of a data protection device according to Embodiment 3 of the present invention.
  • FIG. 5 is a structural diagram of a data protection device according to Embodiment 4 of the present invention.
  • FIG. 6 is a schematic diagram of a computer apparatus according to Embodiment 5 of the present invention.
  • the data protection method of the present invention is applied in one or more computer devices.
  • the computer device is a device capable of automatically performing numerical calculation and/or information processing according to instructions set or stored in advance, and its hardware includes, but is not limited to, an application processor chip, an external storage medium and a memory.
  • the computer device may be a host device such as a desktop computer, a notebook, a palmtop computer, and a cloud server.
  • the computer device can perform human-computer interaction with the user through a keyboard, a mouse, a remote controller, a touch panel, or a voice control device.
  • FIG. 1 is a flowchart of a data protection method according to Embodiment 1 of the present invention.
  • the data protection method is applied to a computer device including an application processor chip, the application processor chip being coupled to a memory.
  • the memory can be packaged together with the main chip to prevent direct reading or interception of the data in the memory.
  • in one embodiment the memory is DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), and the DDR SDRAM dies are packaged with the main chip in SiP (System in Package) or PoP (Package on Package) form to prevent the data in the DDR SDRAM from being read or intercepted directly. Because the memory is packaged with the main chip, reading or intercepting the data in the memory is difficult and costly.
  • the memory (eg, DDR SDRAM) is divided into a secure data area and a non-secure data area.
  • the secure data area stores the data to be protected, that is, core data or key data such as the database of an AI (Artificial Intelligence) product (for example, a face image library) and its parameters (for example, CNN (Convolutional Neural Network) parameters).
  • a fixed address segment of the memory can be set aside as the secure data area.
  • the data protection method specifically includes the following steps:
  • Step 101: receiving an access request from a master device of the application processor chip for data in the secure data area. For example, when the processor of the application processor chip detects a face image and needs to compare it against the stored face image library, it issues an access request for the face image library and the CNN parameters in the secure data area.
  • the data in the secure data area may be unencrypted data (ie, plaintext) or encrypted data (ie, ciphertext).
  • Step 102: determining the type of the master device. The type of the master device may include at least the following three types:
  • (1) a master device independent of any external input/output interface, such as the processor of the application processor chip itself;
  • (2) a low-speed peripheral having an input/output interface, such as a UART (Universal Asynchronous Receiver/Transmitter), I2C (Inter-Integrated Circuit) or SPI (Serial Peripheral Interface) device of the application processor chip;
  • (3) a high-speed peripheral having an input/output interface, such as a USB (Universal Serial Bus) or PCIe (Peripheral Component Interconnect Express) device of the application processor chip.
  • the correspondence between a master device identifier of the application processor chip (for example, the master device name or the master device number) and the master device type may be set in advance; this correspondence defines the master device type for each master device identifier, and the type of the requesting master device is looked up from it.
  • Step 103: if it is determined that the master device is a master device independent of any external input/output interface, the master device is allowed to read the data from the secure data area.
  • Step 104: if it is determined that the master device is a low-speed peripheral having an input/output interface, the master device is prohibited from reading the data from the secure data area. For example, if the master device is an SPI device of the application processor chip, it is prohibited from reading the data from the secure data area.
  • Step 105: if it is determined that the master device is a high-speed peripheral having an input/output interface, security authentication is performed, and if the security authentication passes, the master device is allowed to read the data from the secure data area. For example, if the master device is a USB device of the application processor chip, security authentication is performed first, and only if it passes is the USB device allowed to read the data from the secure data area.
  • two accessible address segments A and B can be configured for a high-speed peripheral having an input/output interface, where A is the non-secure data address segment corresponding to the non-secure data area and B is the secure data address segment corresponding to the secure data area.
  • by default, the high-speed peripheral having an input/output interface can only access the non-secure data area of the memory (segment A) and is prohibited from accessing the secure data area.
  • when the high-speed peripheral requests data in the secure data area, the security authentication process is started. If it passes, the access permission is opened and the valid address segment is switched to B, so that the high-speed peripheral can access the data of the secure data area. After the access is complete, the valid address segment is switched back to A and the access permission is closed.
  • performing the security authentication may include: receiving an input permission-unlock password; calculating a message digest of the input permission-unlock password; determining whether the calculated message digest is the same as a message digest pre-stored in the application processor chip; and, if they are the same, passing the security authentication.
  • the security authentication can also be done in other ways. For example, biometric information of the user (e.g. fingerprint, iris, face image or voice) may be collected and compared with pre-stored biometric information; if the collected biometric information matches the pre-stored biometric information, the security authentication passes.
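The gating of steps 102 to 105 together with the A/B address-segment switching and the digest-based authentication, written out as an added example. This is not code from the patent or from the assignee: the master identifiers "cpu", "spi0" and "usb0", the segment layout, the use of SHA-256 as the message digest, the constructed unlock password and the fail-closed handling of identifiers missing from the correspondence table are all assumptions of the example. The same logic is what the receiving, determining and first to third processing units of the third embodiment below would implement.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// MasterType is the three-way classification the method uses.
type MasterType int

const (
	NoExternalIO MasterType = iota // e.g. the chip's own processor
	LowSpeedIO                     // UART, I2C, SPI masters
	HighSpeedIO                    // USB, PCIe masters
)

// Region is a contiguous address segment of the memory.
type Region struct{ Base, Size uint64 }

// Contains reports whether [addr, addr+n) lies entirely inside the region, so a
// read straddling the A/B boundary matches neither segment and is refused.
func (r Region) Contains(addr, n uint64) bool {
	end := addr + n
	return end >= addr && addr >= r.Base && end <= r.Base+r.Size
}

// Controller holds the identifier-to-type table set in advance, segment A (non-secure),
// segment B (secure), the pre-stored digest of the permission-unlock password, and the
// high-speed masters whose valid segment is currently switched to B.
type Controller struct {
	types        map[string]MasterType
	nonSecure    Region
	secure       Region
	unlockDigest [sha256.Size]byte
	unlocked     map[string]bool
}

// NewController keeps only the digest of the unlock password, never the password itself.
func NewController(types map[string]MasterType, a, b Region, unlockPassword string) *Controller {
	return &Controller{types: types, nonSecure: a, secure: b,
		unlockDigest: sha256.Sum256([]byte(unlockPassword)), unlocked: map[string]bool{}}
}

// ErrDenied is wrapped by every refusal so callers can test for it with errors.Is.
var ErrDenied = errors.New("read of secure data area denied")

// Authenticate is the digest-comparison authentication for a high-speed master; on
// success the master's valid segment is switched to B. The constant-time compare is
// this example's choice; the text only asks that the two digests be the same.
func (c *Controller) Authenticate(master, password string) bool {
	if c.types[master] != HighSpeedIO {
		return false // only high-speed peripherals go through authentication
	}
	d := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(d[:], c.unlockDigest[:]) != 1 {
		return false
	}
	c.unlocked[master] = true
	return true
}

// Release switches the valid segment back to A and closes the access right.
func (c *Controller) Release(master string) { delete(c.unlocked, master) }

// CheckRead decides whether master may read n bytes at addr. Identifiers missing
// from the table are refused (fail closed), an assumption of this example.
func (c *Controller) CheckRead(master string, addr, n uint64) error {
	t, known := c.types[master]
	if !known {
		return fmt.Errorf("unknown master %q: %w", master, ErrDenied)
	}
	if c.nonSecure.Contains(addr, n) {
		return nil // segment A is open to every listed master
	}
	if !c.secure.Contains(addr, n) {
		return fmt.Errorf("range %#x+%d is in neither segment: %w", addr, n, ErrDenied)
	}
	switch t {
	case NoExternalIO:
		return nil
	case LowSpeedIO:
		return fmt.Errorf("low-speed peripheral %q: %w", master, ErrDenied)
	default: // HighSpeedIO
		if c.unlocked[master] {
			return nil
		}
		return fmt.Errorf("high-speed peripheral %q not authenticated: %w", master, ErrDenied)
	}
}

func main() {
	// Constructed layout: 256 MiB segment A followed by a 64 MiB segment B.
	c := NewController(map[string]MasterType{"cpu": NoExternalIO, "spi0": LowSpeedIO, "usb0": HighSpeedIO},
		Region{Base: 0, Size: 0x1000_0000}, Region{Base: 0x1000_0000, Size: 0x0400_0000}, "constructed-unlock-password")
	for _, m := range []string{"cpu", "spi0", "usb0"} {
		fmt.Printf("%-4s reads B before auth: %v\n", m, c.CheckRead(m, 0x1000_0000, 64))
	}
	fmt.Println("usb0 auth:", c.Authenticate("usb0", "constructed-unlock-password"))
	fmt.Println("usb0 reads B after auth:", c.CheckRead("usb0", 0x1000_0000, 64))
}
```

Two points worth noting for a real implementation: a bare digest of a password, as the text describes, is only as strong as the password, so a salted, slow key-derivation function would normally replace the plain digest; and the window switch must be tied to the access that was authenticated (here, an explicit Release), otherwise segment B stays reachable from the USB or PCIe side for every later transfer.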
  • the data protection method of the first embodiment receives an access request from a master device of the application processor chip for data in the secure data area of the memory and determines the type of the master device; a master device independent of any external input/output interface is allowed to read the data from the secure data area; a low-speed peripheral having an input/output interface is prohibited from reading the data from the secure data area; and a high-speed peripheral having an input/output interface is subjected to security authentication and allowed to read the data from the secure data area only if the security authentication passes.
  • the data protection method of the first embodiment can therefore protect data conveniently, give the data a higher security level and reduce the implementation cost.
  • FIG. 2 is a flowchart of a data protection method according to Embodiment 2 of the present invention.
  • FIG. 3 is a data flow diagram of a data protection method according to Embodiment 2 of the present invention. The data protection method provided by the second embodiment of the present invention is described below with reference to FIG. 2 and FIG. 3.
  • the data protection method is applied to an application processor chip, and the application processor chip is connected to an external storage medium and a memory, and the memory includes a secure data area. As shown in FIG. 2, the data protection method specifically includes the following steps:
  • Step 201: encrypting data, and storing the encrypted data in the external storage medium.
  • the data can be any data that needs to be secured.
  • the data may be the user's private data, such as a phone book, short messages, mail or account numbers.
  • the data may also be key data or core data, such as the database of an AI product (e.g., a face image library) and its parameters (e.g., CNN parameters).
  • the data can be a single file, such as a picture, document, music, video or application, or a folder.
  • the encrypted data is ciphertext, that is, the external storage medium stores only ciphertext.
  • the data can be encrypted by an asymmetric encryption algorithm, for example the RSA algorithm: the database of the AI product (such as a face image library) and its parameters (such as CNN parameters) are encrypted with the RSA public key, and the encrypted database and parameters are stored in the external storage medium.
  • the data can also be encrypted by a symmetric encryption algorithm, for example the AES algorithm: an AES key with a bit width of 256 bits (the largest key size AES defines) is used to encrypt the database (for example, a face image library) and the parameters (for example, CNN parameters) of the AI product, and the encrypted database and parameters are stored in the external storage medium.
  • the external storage medium may include a removable external storage medium, such as an SD/TF card, for storing frequently changed data, such as the face image library, to allow routine maintenance and updates.
  • the external storage medium may also include a non-removable external storage medium, such as NAND flash, NOR flash or eMMC, for storing infrequently changed data, such as trained CNN parameters.
  • Step 202: receiving a data read instruction, and reading the encrypted data from the external storage medium according to the data read instruction. For example, the encrypted face image library and CNN parameters are read from the external storage medium.
  • Step 203: decrypting the encrypted data, and storing the decrypted data in the secure data area.
  • the encrypted data is decrypted with the decryption algorithm corresponding to the encryption algorithm used: if the data was encrypted with an RSA public key, it is decrypted with the corresponding RSA private key; if the data was encrypted with an AES key, the same AES key is used for decryption.
  • the decrypted data is plaintext, that is, the secure data area stores plaintext.
  • the data in the secure data area (such as the face image library and the CNN parameters) is used frequently. If ciphertext were stored in the secure data area, it would have to be decrypted and re-encrypted repeatedly, which would greatly affect performance. Therefore the plaintext (i.e. the decrypted data) is stored in the secure data area of the memory.
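Steps 201 to 203 (encrypt for the external storage medium, read the ciphertext back, decrypt into the secure data area), as an added example that is not the patent's or the assignee's code. It uses a 256-bit AES key as the text specifies, in GCM mode so that a ciphertext modified on the SD card or flash is rejected rather than silently decrypted into the secure data area, and it realises the RSA option as a hybrid: RSA-OAEP with a 2048-bit key can encrypt at most 190 bytes, so a face image library cannot be encrypted under the RSA public key directly; instead the public key wraps the per-object AES key and the chip, which holds the private key, unwraps it. The GCM mode, the medium label bound as associated data and as OAEP label, the Envelope layout and the constructed sample record are assumptions of the example. The encryption, reading and decryption units 501 to 503 of the fourth embodiment below do the same work.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what actually lands on the external storage medium: the RSA-wrapped
// data key plus the AES-GCM nonce and ciphertext. Every field is ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte // GCM output, authentication tag included
}

// Seal is step 201. A fresh 256-bit AES key is generated per object, used in GCM
// mode, and wrapped under the device's RSA public key with OAEP. label names the
// medium and slot (assumption of this example) and is bound as associated data so
// that an envelope copied from one slot cannot be replayed into another.
func Seal(pub *rsa.PublicKey, label string, data []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, data, []byte(label))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(label))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is steps 202 and 203 on the chip side: unwrap the data key with the private
// key and decrypt into a plaintext buffer that stands in for the secure data area.
// Any modification of the stored ciphertext makes the GCM check fail.
func Open(priv *rsa.PrivateKey, label string, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, []byte(label))
	if err != nil {
		return nil, errors.New("data key unwrap failed: wrong device key or label")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(label))
	if err != nil {
		return nil, errors.New("ciphertext authentication failed: stored data was modified")
	}
	return pt, nil
}

// GenerateDeviceKey stands in for the key pair that would be provisioned into the chip.
func GenerateDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	priv, err := GenerateDeviceKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for one record of the face image library.
	library := []byte("constructed face-library record: id=42;vec=0.12,0.88,0.31")
	env, err := Seal(&priv.PublicKey, "sdcard:face-library", library)
	if err != nil {
		panic(err)
	}
	pt, err := Open(priv, "sdcard:face-library", env)
	fmt.Printf("stored %d ciphertext bytes; recovered %q (err=%v)\n", len(env.Ciphertext), pt, err)
}
```

With the RSA option the private key has to be present in the chip for decryption to work at all, so the stored copy is protected only as well as that key is; the same holds for the AES key in the symmetric option, which is why the text pairs the scheme with memory packaged inside the chip.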
  • Step 204: receiving, from a master device of the application processor chip, an access request for the decrypted data in the secure data area.
  • step 204 in this embodiment is substantially the same as step 101 in the first embodiment, except that the data is the decrypted data. For details, refer to the description of step 101 in the first embodiment, which is not repeated here.
  • Step 205: determining the type of the master device.
  • step 205 is the same as step 102 in the first embodiment. For details, refer to the description of step 102 in the first embodiment, which is not repeated here.
  • Step 206: if it is determined that the master device is a master device independent of any external input/output interface, the master device is allowed to read the decrypted data from the secure data area.
  • step 206 in this embodiment is substantially the same as step 103 in the first embodiment (this embodiment only restricts the data to the decrypted data). For details, refer to the description of step 103 in the first embodiment, which is not repeated here.
  • Step 207: if it is determined that the master device is a low-speed peripheral having an input/output interface, the master device is prohibited from reading the decrypted data from the secure data area.
  • step 207 in this embodiment is substantially the same as step 104 in the first embodiment (this embodiment only restricts the data to the decrypted data). For details, refer to the description of step 104 in the first embodiment, which is not repeated here.
  • Step 208: if it is determined that the master device is a high-speed peripheral having an input/output interface, security authentication is performed, and if the security authentication passes, the master device is allowed to read the decrypted data from the secure data area.
  • step 208 in this embodiment is substantially the same as step 105 in the first embodiment (this embodiment only restricts the data to the decrypted data). For details, refer to the description of step 105 in the first embodiment, which is not repeated here.
  • the data protection method of the second embodiment encrypts the data and stores the encrypted data in the external storage medium; receives a data read instruction and reads the encrypted data from the external storage medium according to it; decrypts the encrypted data and stores the decrypted data in the secure data area of the memory; receives an access request from a master device of the application processor chip for the decrypted data in the secure data area and determines the type of the master device; allows a master device independent of any external input/output interface to read the decrypted data from the secure data area; prohibits a low-speed peripheral having an input/output interface from reading the decrypted data from the secure data area; and, for a high-speed peripheral having an input/output interface, performs security authentication and allows it to read the decrypted data from the secure data area only if the security authentication passes.
  • the data protection device 10 may include: a receiving unit 401, a determining unit 402, a first processing unit 403, a second processing unit 404, and a third processing unit 405.
  • the receiving unit 401 is configured to receive an access request of the master device of the application processor chip to the data in the secure data area.
  • for example, when the processor of the application processor chip detects a face image and needs to match it against the stored face image library, it issues an access request for the face image library and the CNN parameters in the secure data area.
  • the data in the secure data area may be unencrypted data (ie, plaintext) or encrypted data (ie, ciphertext).
  • the determining unit 402 is configured to determine the type of the master device.
  • the types of master device are the same as in the first embodiment: a master device independent of any external input/output interface; a low-speed peripheral having an input/output interface, such as a UART (Universal Asynchronous Receiver/Transmitter), I2C (Inter-Integrated Circuit) or SPI (Serial Peripheral Interface) device of the application processor chip; and a high-speed peripheral having an input/output interface, such as a USB (Universal Serial Bus) or PCIe (Peripheral Component Interconnect Express) device of the application processor chip.
  • the correspondence between a master device identifier of the application processor chip (for example, the master device name or the master device number) and the master device type may be set in advance; this correspondence defines the master device type for each master device identifier, and the determining unit 402 looks the type of the requesting master device up from it.
  • the first processing unit 403 is configured to allow the master device to read the data from the secure data area if it is determined that the master device is a master device independent of any external input/output interface.
  • the second processing unit 404 is configured to prohibit the master device from reading the data from the secure data area if it is determined that the master device is a low-speed peripheral having an input/output interface. For example, if the master device is an SPI device of the application processor chip, it is prohibited from reading the data from the secure data area.
  • the third processing unit 405 is configured to perform security authentication if it is determined that the master device is a high-speed peripheral having an input/output interface, and to allow the master device to read the data from the secure data area if the security authentication passes. For example, if the master device is a USB device of the application processor chip, security authentication is performed first, and only if it passes is the USB device allowed to read the data from the secure data area.
  • as in the first embodiment, two accessible address segments A and B can be configured for a high-speed peripheral having an input/output interface, where A is the non-secure data address segment corresponding to the non-secure data area and B is the secure data address segment corresponding to the secure data area. By default the high-speed peripheral can only access the non-secure data area of the memory and is prohibited from accessing the secure data area. When it requests data in the secure data area, the security authentication process is started; if it passes, the access permission is opened and the valid address segment is switched to B so that the peripheral can access the data of the secure data area. After the access is complete, the valid address segment is switched back to A and the access permission is closed.
  • performing the security authentication may include: receiving an input permission-unlock password; calculating a message digest of it; determining whether the calculated message digest is the same as a message digest pre-stored in the application processor chip; and, if they are the same, passing the security authentication. The security authentication can also be done in other ways, for example by collecting biometric information of the user (e.g. fingerprint, iris, face image or voice) and comparing it with pre-stored biometric information; if they match, the security authentication passes.
  • the data protection device of the third embodiment receives an access request from a master device of the application processor chip for data in the secure data area of the memory and determines the type of the master device; a master device independent of any external input/output interface is allowed to read the data from the secure data area; a low-speed peripheral having an input/output interface is prohibited from reading the data from the secure data area; and a high-speed peripheral having an input/output interface is subjected to security authentication and allowed to read the data from the secure data area only if the security authentication passes.
  • the data protection device of the third embodiment can therefore protect the data conveniently, give the data a higher security level and reduce the implementation cost.
  • FIG. 5 is a structural diagram of a data protection apparatus according to Embodiment 4 of the present invention.
  • the data protection device 50 may include: an encryption unit 501, a reading unit 502, a decryption unit 503, a receiving unit 504, a determining unit 505, a first processing unit 506, a second processing unit 507, and a third processing unit 508.
  • the encryption unit 501 is configured to encrypt data and store the encrypted data in the external storage medium.
  • the data can be any data that needs to be secured: the user's private data, such as a phone book, short messages, mail or account numbers; key data or core data, such as the database of an AI product (e.g., a face image library) and its parameters (e.g., CNN parameters); a single file, such as a picture, document, music, video or application; or a folder.
  • the encrypted data is ciphertext, that is, the external storage medium stores only ciphertext.
  • the encryption unit 501 can use an asymmetric encryption algorithm, for example encrypting the database of the AI product (such as a face image library) and its parameters (such as CNN parameters) with an RSA public key, or a symmetric encryption algorithm, for example AES with a key bit width of 256 bits (the largest key size AES defines); in either case the encrypted database and parameters are stored in the external storage medium.
  • the external storage medium may include a removable external storage medium, such as an SD/TF card, for storing frequently changed data, such as the face image library, to allow routine maintenance and updates, and may also include a non-removable external storage medium, such as NAND flash, NOR flash or eMMC, for storing infrequently changed data, such as trained CNN parameters.
  • the reading unit 502 is configured to receive a data read instruction, and read the encrypted data from the external storage medium according to the data read instruction.
  • the encrypted face image library and CNN parameters are read from the external storage medium.
  • the decryption unit 503 is configured to decrypt the encrypted data, and store the decrypted data in the secure data area.
  • the decryption unit 503 decrypts the encrypted data with the decryption algorithm corresponding to the encryption algorithm used by the encryption unit 501: if the encryption unit 501 encrypted the data with an RSA public key, the decryption unit 503 decrypts it with the corresponding RSA private key; if the encryption unit 501 encrypted the data with an AES key, the decryption unit 503 decrypts it with the same AES key.
  • the decrypted data is plaintext, that is, the secure data area stores plaintext.
  • the data in the secure data area (such as the face image library and the CNN parameters) is used frequently. If ciphertext were stored in the secure data area, it would have to be decrypted and re-encrypted repeatedly, which would greatly affect performance. Therefore the plaintext (i.e. the decrypted data) is stored in the secure data area of the memory.
  • the receiving unit 504 is configured to receive, by the master device of the application processor chip, an access request for the decrypted data in the secure data area.
  • the receiving unit 504 is substantially the same as the receiving unit 401 in the third embodiment, except that the data is the decrypted data. For details, refer to the related description of the receiving unit 401 in the third embodiment, which is not repeated here.
  • the determining unit 505 is configured to determine the type of the master device.
  • the determining unit 505 is the same as the determining unit 402 in the third embodiment. For details, refer to the related description of the determining unit 402 in the third embodiment, and details are not described herein.
  • the first processing unit 506 is configured to, if it is determined that the master device is a master device that is independent of an external input/output interface, allow the master device to read the decrypted data from the secure data region.
  • the first processing unit 506 is substantially the same as the first processing unit 403 in the third embodiment; the present embodiment only defines the data as the decrypted data. For details, refer to the related description of the first processing unit 403 in the third embodiment, which is not repeated here.
  • the second processing unit 507 is configured to, if it is determined that the master device is a low-speed peripheral device having an input/output interface, prohibit the master device from reading the decrypted data from the secure data region.
  • the second processing unit 507 is substantially the same as the second processing unit 404 in the third embodiment; the present embodiment only defines the data as the decrypted data. For details, refer to the related description of the second processing unit 404 in the third embodiment, which is not repeated here.
  • the third processing unit 508 is configured to perform security authentication if it is determined that the master device is a high-speed peripheral device having an input/output interface, and, if the security authentication is passed, to allow the master device to read the decrypted data from the secure data region.
  • the third processing unit 508 is substantially the same as the third processing unit 405 in the third embodiment; the present embodiment only defines the data as the decrypted data. For details, refer to the related description of the third processing unit 405 in the third embodiment, which is not repeated here.
  • the data protection device of the fourth embodiment encrypts the data and stores the encrypted data in an external storage medium; receives a data read command and reads the encrypted data from the external storage medium according to the data read command; decrypts the encrypted data and stores the decrypted data in a secure data area of the memory; receives, from a master device of the application processor chip, an access request for the decrypted data in the secure data area; determines the type of the master device; if it is determined that the master device is a device independent of an external input/output interface, allows the master device to read the decrypted data from the secure data region; if it is determined that the master device is a low-speed peripheral having an input/output interface, prohibits the master device from reading the decrypted data from the secure data area; and if it is determined that the master device is a high-speed peripheral having an input/output interface, performs security authentication and, if the security authentication is passed, allows the master device to read the decrypted data from the secure data area.
  • FIG. 6 is a schematic diagram of a computer apparatus according to Embodiment 5 of the present invention.
  • the computer device 1 includes a memory 20, an application processor chip 30, and a computer program 40, such as a data protection program, stored in the memory 20 and executable on the application processor chip 30.
  • when the application processor chip 30 executes the computer program 40, the steps in the foregoing data protection method embodiments are implemented, for example, steps 101-105 shown in FIG. 1 or steps 201-208 shown in FIG.
  • when the application processor chip 30 executes the computer program 40, the functions of the modules/units in the above device embodiments are implemented, such as the units 401-405 in FIG. 4 or the units 501-508 in FIG.
  • the computer program 40 can be partitioned into one or more modules/units that are stored in the memory 20 and executed by the application processor chip 30 to complete the present invention.
  • the one or more modules/units may be a series of computer program instruction segments capable of performing a particular function, used to describe the execution of the computer program 40 in the computer device 1.
  • the computer program 40 may be divided into the receiving unit 401, the determining unit 402, the first processing unit 403, the second processing unit 404, and the third processing unit 405 in FIG. 4, or may be divided into the encryption unit 501, the reading unit 502, the decryption unit 503, the receiving unit 504, the determining unit 505, the first processing unit 506, the second processing unit 507, and the third processing unit 508 shown in FIG.; for the specific functions of each unit, refer to the third embodiment and the fourth embodiment.
  • the computer device 1 may be a computing device such as a desktop computer, a notebook, a palmtop computer, or a cloud server. It will be understood by those skilled in the art that FIG. 6 is merely an example of the computer device 1 and does not constitute a limitation of the computer device 1: it may include more or fewer components than those illustrated, may combine some components, or may have different components; for example, the computer device 1 may also include input and output devices, network access devices, buses, and the like.
  • the application processor chip 30 is referred to as a processor.
  • the processor may be a central processing unit (CPU), and may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), or a field-programmable gate array (FPGA).
  • the general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The processor is the control center of the computer device 1 and connects the various parts of the entire computer device 1 through various interfaces and lines.
  • the memory 20 can be used to store the computer program 40 and/or modules/units; the application processor chip 30 implements the various functions of the computer device 1 by running or executing the computer programs and/or modules/units stored in the memory 20 and invoking the data stored in the memory 20.
  • the memory 20 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application required for at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to the use of the computer device 1 (such as audio data, a phone book, etc.).
  • the memory 20 may include an external storage medium, and may also include a memory.
  • the memory 20 may include a high-speed random access memory, and may also include a non-volatile memory such as a hard disk, a memory, a plug-in hard disk, a smart memory card (SMC), a Secure Digital (SD) card, a flash card, at least one disk storage device, a flash device, or other volatile solid state storage device.
  • the modules/units integrated by the computer device 1 can be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on this understanding, all or part of the processes in the foregoing embodiments of the present invention may also be completed by a computer program instructing related hardware.
  • the computer program may be stored in a computer readable storage medium. The steps of the various method embodiments described above may be implemented when the program is executed by the processor.
  • the computer program comprises computer program code, which may be in the form of source code, object code form, executable file or some intermediate form.
  • the computer readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), electrical carrier signals, telecommunications signals, and software distribution media. It should be noted that the content contained in the computer readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in a jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer readable media do not include electrical carrier signals and telecommunication signals.
  • each functional unit in each embodiment of the present invention may be integrated in the same processing unit, or each unit may exist physically separately, or two or more units may be integrated in the same unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of hardware plus software function modules.

Abstract

A data protection method and apparatus, and a readable storage medium. The method comprises: receiving an access request from a master device of an application processor chip for data in a secure data area of a memory (101); determining the type of the master device (102); if it is determined that the master device is a device not related to an external input and output interface, allowing the master device to read the data from the secure data area (103); if it is determined that the master device is a low-speed peripheral device with an input and output interface, prohibiting the master device from reading the data from the secure data area (104); and if it is determined that the master device is a high-speed peripheral device with an input and output interface, performing security authentication and, if the security authentication is passed, allowing the master device to read the data from the secure data area (105). The method can protect data conveniently, ensure that the data has a high security level, and reduce implementation cost.

Description

Data protection method and apparatus, computer apparatus, and readable storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on December 5, 2017, with application number 201711269114.6 and invention title "Data protection method and apparatus, computer apparatus, and readable storage medium", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of information security technologies, and in particular to a data protection method and apparatus, a computer apparatus, and a readable storage medium.
Background
In face recognition and similar AI (Artificial Intelligence) products, the face image library and similar databases serve as the basis for the final verification and comparison and are the core data of the product. Once obtained and further tampered with by an attacker, they can be used to illegally modify permissions or to grant permissions to people who originally had none, so protecting the security of the database is very necessary.
In addition, face recognition and similar AI products usually have parameters (for example, CNN (Convolutional Neural Network) parameters). Parameters that took a great deal of time and modeling to tune are the key data that determine the performance of the algorithm and the product, so protecting the security of the parameters is also very necessary.
Among the AI products currently on the market, some do not encrypt or protect the database and parameters in order to control cost, while others spend heavily on purchasing corresponding IP and design solutions in order to implement encryption protection. The former have low security and the latter are costly.
Summary of the invention
In view of the above, it is necessary to provide a data protection method and apparatus, a computer apparatus, and a readable storage medium that can conveniently protect data, ensure that the data has a high security level, and reduce implementation cost.
A first aspect of the present application provides a data protection method, applied to a computer apparatus including an application processor chip, where the application processor chip is connected to a memory and the memory includes a secure data area. The method includes:
receiving an access request from a master device of the application processor chip for data in the secure data area;
determining the type of the master device;
if it is determined that the master device is a device unrelated to an external input/output interface, allowing the master device to read the data from the secure data area;
if it is determined that the master device is a low-speed peripheral having an input/output interface, prohibiting the master device from reading the data from the secure data area;
if it is determined that the master device is a high-speed peripheral having an input/output interface, performing security authentication, and if the security authentication is passed, allowing the master device to read the data from the secure data area.
In another possible implementation, the performing security authentication includes:
receiving an input permission unlock password;
calculating a message digest of the input permission unlock password;
determining whether the calculated message digest of the input permission unlock password is the same as a message digest pre-stored in the application processor chip;
if the calculated message digest of the input permission unlock password is the same as the message digest pre-stored in the application processor chip, passing the security authentication.
In another possible implementation, the memory is packaged inside the application processor chip.
In another possible implementation, the application processor chip is further connected to an external storage medium and the memory, and the method further includes:
encrypting data, and storing the encrypted data in the external storage medium;
receiving a data read instruction, and reading the encrypted data from the external storage medium according to the data read instruction;
decrypting the encrypted data, and storing the decrypted data in the secure data area.
In another possible implementation, the external storage medium includes a removable external storage medium and a non-removable external storage medium.
A second aspect of the present application provides a data protection apparatus, applied to a computer apparatus including an application processor chip, where the application processor chip is connected to a memory and the memory includes a secure data area. The apparatus includes:
a receiving unit, configured to receive an access request from a master device of the application processor chip for data in the secure data area;
a determining unit, configured to determine the type of the master device;
a first processing unit, configured to allow the master device to read the data from the secure data area if it is determined that the master device is a master device unrelated to an external input/output interface;
a second processing unit, configured to prohibit the master device from reading the data from the secure data area if it is determined that the master device is a low-speed peripheral having an input/output interface;
a third processing unit, configured to perform security authentication if it is determined that the master device is a high-speed peripheral having an input/output interface, and to allow the master device to read the data from the secure data area if the security authentication is passed.
In another possible implementation, the application processor chip is further connected to an external storage medium and the memory, and the apparatus further includes:
an encryption unit, configured to encrypt data and store the encrypted data in the external storage medium;
a reading unit, configured to receive a data read instruction and read the encrypted data from the external storage medium according to the data read instruction;
a decryption unit, configured to decrypt the encrypted data and store the decrypted data in the secure data area.
A third aspect of the present application provides a computer apparatus including an application processor chip, where the application processor chip implements the data protection method when executing a computer program stored in a memory.
A fourth aspect of the present application provides a computer readable storage medium having a computer program stored thereon, where the computer program implements the data protection method when executed by an application processor chip.
The present invention receives an access request from a master device of an application processor chip for data in a secure data area of a memory; determines the type of the master device; if it is determined that the master device is a device unrelated to an external input/output interface, allows the master device to read the data from the secure data area; if it is determined that the master device is a low-speed peripheral having an input/output interface, prohibits the master device from reading the data from the secure data area; and if it is determined that the master device is a high-speed peripheral having an input/output interface, performs security authentication and, if the security authentication is passed, allows the master device to read the data from the secure data area. The present invention can conveniently protect data, ensure that the data has a high security level, and reduce implementation cost.
Brief description of the drawings
FIG. 1 is a flowchart of a data protection method according to Embodiment 1 of the present invention.
FIG. 2 is a flowchart of a data protection method according to Embodiment 2 of the present invention.
FIG. 3 is a data flow diagram of the data protection method according to Embodiment 2 of the present invention.
FIG. 4 is a structural diagram of a data protection apparatus according to Embodiment 3 of the present invention.
FIG. 5 is a structural diagram of a data protection apparatus according to Embodiment 4 of the present invention.
FIG. 6 is a schematic diagram of a computer apparatus according to Embodiment 5 of the present invention.
Detailed description
In order to make the above objects, features and advantages of the present invention clearer, the present invention is described in detail below with reference to the accompanying drawings and specific embodiments. It should be noted that, where there is no conflict, the embodiments of the present application and the features in the embodiments may be combined with each other.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field of the present invention. The terms used in the description of the present invention are for the purpose of describing specific embodiments only and are not intended to limit the present invention.
Preferably, the data protection method of the present invention is applied in one or more computer apparatuses. The computer apparatus is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions, and its hardware includes, but is not limited to, an application processor chip, an external storage medium, a memory, and the like.
The computer apparatus may be a master device such as a desktop computer, a notebook, a palmtop computer, or a cloud server. The computer apparatus may interact with a user through a keyboard, a mouse, a remote control, a touch panel, a voice control device, or the like.
Embodiment 1
FIG. 1 is a flowchart of a data protection method according to Embodiment 1 of the present invention. The data protection method is applied to a computer apparatus including an application processor chip, where the application processor chip is connected to a memory.
In order to raise the security level of the data, the memory may be packaged inside the main chip to prevent the data in the memory from being read or intercepted directly. For example, the memory is DDR SDRAM (Double Data Rate Synchronous Dynamic Random Access Memory), and the DDR SDRAM dies are packaged inside the main chip by SiP (System In a Package) or PoP (Package on Package) to prevent the DDR SDRAM data from being read or intercepted directly. Because the memory is packaged inside the main chip, reading or intercepting the data in the memory is both difficult and costly.
The memory (for example, DDR SDRAM) is divided into a secure data area and a non-secure data area. Data that needs protection, such as the core or key data of AI (Artificial Intelligence) products, including databases (for example, a face image library) and parameters (for example, CNN (Convolutional Neural Network) parameters), may be stored in the secure data area, while other data is stored in the non-secure data area. A fixed address segment may be designated as the secure data area.
As shown in FIG. 1, the data protection method specifically includes the following steps:
101: Receive an access request from a master device of the application processor chip for data in the secure data area.
For example, when the processor of the application processor chip detects a face image and needs to perform face comparison against the stored face image library, it issues an access request for the face image library and the CNN parameters in the secure data area.
The data in the secure data area may be unencrypted data (i.e., plaintext) or encrypted data (i.e., ciphertext).
102: Determine the type of the master device.
The type of the master device may include at least the following types:
(1) Devices unrelated to an external input/output interface, for example the processor of the application processor chip (with the JTAG port disabled) or the DMA (Direct Memory Access) controller.
(2) Low-speed peripherals having an input/output interface, for example the UART (Universal Asynchronous Receiver/Transmitter), I2C (Inter-Integrated Circuit) devices, and SPI (Serial Peripheral Interface) devices of the application processor chip.
(3) High-speed peripherals having an input/output interface, for example the USB (Universal Serial Bus) devices and PCIe (Peripheral Component Interconnect Express) devices of the application processor chip.
A correspondence between the master device identifiers of the application processor chip (for example, master device name, master device number, and the like) and the master device types may be set in advance, where the correspondence defines the master device type corresponding to each master device identifier. After the access request from the master device of the application processor chip for the data in the secure data area is received, the master device identifier (for example, the master device name) of the master device is obtained, and the corresponding master device type is looked up in the correspondence according to the master device identifier, thereby obtaining the type of the master device.
103: If it is determined that the master device is a device unrelated to an external input/output interface, allow the master device to read the data from the secure data area.
For example, if it is determined that the master device is the DMA controller of the application processor chip, the master device is allowed to read the data from the secure data area.
104: If it is determined that the master device is a low-speed peripheral having an input/output interface, prohibit the master device from reading the data from the secure data area.
For example, if it is determined that the master device is an SPI device of the application processor chip, the master device is prohibited from reading the data from the secure data area.
105: If it is determined that the master device is a high-speed peripheral having an input/output interface, perform security authentication, and if the security authentication is passed, allow the master device to read the data from the secure data area.
For example, if it is determined that the master device is a USB device of the application processor chip, security authentication is performed, and if the security authentication is passed, the master device is allowed to read the data from the secure data area.
Two accessible address segments A and B may be configured for a high-speed peripheral having an input/output interface, where A is the non-secure data address segment corresponding to the non-secure data area, and B is the secure data address segment corresponding to the secure data area. By default at power-up, only address segment A is valid: a high-speed peripheral having an input/output interface can access only the non-secure data area of the memory and is prohibited from accessing the secure data area. After an access request from a high-speed peripheral having an input/output interface for data in the secure data area is received, the security authentication process is started. If the security authentication process is passed, access permission is opened, the valid address segment is switched to B, and the high-speed peripheral having an input/output interface accesses the data in the secure data area. After the access is complete, the valid address segment is switched back to A and the access permission is closed.
Security verification may be performed by a HASH algorithm. Specifically, performing security authentication may include: receiving an input permission unlock password; calculating a message digest of the input permission unlock password; determining whether the calculated message digest of the input permission unlock password is the same as the message digest pre-stored in the application processor chip; and if the calculated message digest of the input permission unlock password is the same as the message digest pre-stored in the application processor chip, passing the security authentication.
Security verification may also be performed in other ways. For example, the user's biometric information (for example, fingerprint, iris, face image, voice, and the like) may be collected; whether the collected biometric information matches pre-stored biometric information is determined; and if the collected biometric information matches the pre-stored biometric information, the security authentication is passed.
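The three-way policy of steps 103 to 105, the digest-based security authentication, and the A/B address-segment switching for high-speed peripherals, as an added Python simulation that is not the patent's own code; the master device identifiers, the segment labels, the demo unlock password and the choice of SHA-256 as the HASH algorithm are assumptions made for this example.

```python
"""Simulation of the secure-data-area access policy of Embodiment 1.

Added example, not the patent's code. Device identifiers, segment labels,
the demo password and the use of SHA-256 are constructed assumptions.
"""
import hashlib
import hmac
from contextlib import contextmanager
from enum import Enum
from typing import NamedTuple, Optional


class MasterType(Enum):
    NO_EXTERNAL_IO = 1   # (1) processor with JTAG disabled, DMA controller
    LOW_SPEED_IO = 2     # (2) UART, I2C, SPI
    HIGH_SPEED_IO = 3    # (3) USB, PCIe


# Step 102: pre-set correspondence between master device identifier and type.
# The identifiers are constructed for this example.
MASTER_TYPE_TABLE = {
    "cpu0": MasterType.NO_EXTERNAL_IO,
    "dma0": MasterType.NO_EXTERNAL_IO,
    "uart0": MasterType.LOW_SPEED_IO,
    "i2c0": MasterType.LOW_SPEED_IO,
    "spi0": MasterType.LOW_SPEED_IO,
    "usb0": MasterType.HIGH_SPEED_IO,
    "pcie0": MasterType.HIGH_SPEED_IO,
}

# Address segments for high-speed peripherals: A = non-secure, B = secure.
SEGMENT_A = "A"
SEGMENT_B = "B"


class Decision(NamedTuple):
    allowed: bool
    reason: str


class SecureAreaGate:
    """Arbitrates read access to the secure data area by master device type."""

    def __init__(self, stored_digest: bytes) -> None:
        # Message digest of the permission unlock password, pre-stored in the
        # application processor chip. A plain digest is what the patent
        # describes; a salted, slow KDF would resist guessing better.
        self._stored_digest = stored_digest
        # Power-up default: only segment A is valid for every high-speed master.
        self.valid_segment = {
            m: SEGMENT_A for m, t in MASTER_TYPE_TABLE.items()
            if t is MasterType.HIGH_SPEED_IO
        }

    @staticmethod
    def digest(password: str) -> bytes:
        return hashlib.sha256(password.encode("utf-8")).digest()

    def authenticate(self, password: str) -> bool:
        # Constant-time comparison of the computed and pre-stored digests.
        return hmac.compare_digest(self.digest(password), self._stored_digest)

    def decide(self, master_id: str, password: Optional[str] = None) -> Decision:
        mtype = MASTER_TYPE_TABLE.get(master_id)
        if mtype is None:
            return Decision(False, "unknown master device")
        if mtype is MasterType.NO_EXTERNAL_IO:        # step 103
            return Decision(True, "no external I/O interface")
        if mtype is MasterType.LOW_SPEED_IO:          # step 104
            return Decision(False, "low-speed peripheral")
        # step 105: a high-speed peripheral must pass security authentication
        if password is not None and self.authenticate(password):
            return Decision(True, "high-speed peripheral authenticated")
        return Decision(False, "high-speed peripheral failed authentication")

    @contextmanager
    def secure_access(self, master_id: str, password: Optional[str] = None):
        """Switch the valid segment to B for an authenticated high-speed
        peripheral for the duration of one access, then back to A."""
        decision = self.decide(master_id, password)
        if decision.allowed and master_id in self.valid_segment:
            self.valid_segment[master_id] = SEGMENT_B
        try:
            yield decision
        finally:
            if master_id in self.valid_segment:
                self.valid_segment[master_id] = SEGMENT_A


# Constructed demo secret; a real chip would have the digest provisioned.
DEMO_DIGEST = SecureAreaGate.digest("demo-unlock-password")


def demo() -> list:
    gate = SecureAreaGate(DEMO_DIGEST)
    results = [gate.decide("dma0").allowed, gate.decide("spi0").allowed,
               gate.decide("usb0").allowed, gate.decide("usb0", "wrong").allowed]
    with gate.secure_access("usb0", "demo-unlock-password") as d:
        results.append(d.allowed and gate.valid_segment["usb0"] == SEGMENT_B)
    results.append(gate.valid_segment["usb0"] == SEGMENT_A)
    return results


if __name__ == "__main__":
    print(demo())  # [True, False, False, False, True, True]
```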
实施例一的数据保护方法接收应用处理器芯片的主设备对内存的安全数据区中的数据的访问请求;确定所述主设备的类型;若确定所述主设备是与外部输入输出接口无关的设备,则允许所述主设备从所述安全数据区读取所述数据;若确定所述主设备是有输入输出接口的低速外设,则禁止所述主设备从所述安全数据区读取所述数据;若确定所述主设备是有输入输出接口的高速外设,则进行安全认证,若通过安全认证,则允许所述主设备从所述安全数据区读取所述数据。实施例一的数据保护方法可以方便地对数据进行保护,保证数据具有较高的安全级别并且降低实现成本。The data protection method of the first embodiment receives an access request of the master device of the application processor chip to the data in the secure data area of the memory; determines the type of the master device; if it is determined that the master device is independent of the external input and output interface The device, the master device is allowed to read the data from the secure data area; if the master device is determined to be a low-speed peripheral device having an input/output interface, the master device is prohibited from reading from the secure data area The data; if it is determined that the master device is a high-speed peripheral having an input/output interface, performing security authentication, and if passing the security authentication, allowing the master device to read the data from the secure data region. The data protection method of the first embodiment can conveniently protect data, ensure that the data has a higher security level and reduce the implementation cost.
Embodiment 2
FIG. 2 is a flowchart of the data protection method provided by Embodiment 2 of the present invention. FIG. 3 is a data flow diagram of the data protection method provided by Embodiment 2 of the present invention. The data protection method provided by Embodiment 2 of the present invention is described below with reference to FIG. 2 and FIG. 3.
The data protection method is applied to an application processor chip. The application processor chip is connected to an external storage medium and to a memory, and the memory includes a secure data area. As shown in FIG. 2, the data protection method specifically includes the following steps:
201: Encrypt data and store the encrypted data in the external storage medium.
The data may be any data that needs security protection. For example, the data may be the user's private data, such as a phone book, short messages, e-mail, account numbers and the like. The data may also be key data or core data, such as the database of an AI product (for example a face image library) and its parameters (for example CNN parameters).
The data may be a single file, such as a picture, document, music, video or application, or it may be a folder.
The encrypted data is ciphertext; that is, the external storage medium stores ciphertext.
The data may be encrypted with an asymmetric encryption algorithm. In this preferred embodiment, the data may be encrypted with the RSA asymmetric encryption algorithm. For example, the database of the AI product (for example a face image library) and its parameters (for example CNN parameters) may be encrypted with the RSA public key, and the encrypted database and parameters stored in the external storage medium.
Alternatively, the data may be encrypted with a symmetric encryption algorithm. In this preferred embodiment, the data may be encrypted with the AES symmetric encryption algorithm. For example, an AES encryption algorithm with a key width of 256 bits or more is used to encrypt the database of the AI product (for example a face image library) and its parameters (for example CNN parameters), and the encrypted database and parameters are stored in the external storage medium.
The external storage medium may include a removable external storage medium, such as an SD/TF card, for storing frequently changed data, such as the face image library, which facilitates routine maintenance and updates.
The external storage medium may also include a non-removable external storage medium, such as NAND flash/NOR flash or eMMC flash, for storing infrequently changed data, such as trained CNN parameters.
202: Receive a data read instruction, and read the encrypted data from the external storage medium according to the data read instruction.
For example, when the stored face image library needs to be compared with a captured face image, the encrypted face image library and CNN parameters are read from the external storage medium.
203: Decrypt the encrypted data and store the decrypted data in the secure data area.
According to the encryption algorithm used in step 201, the encrypted data is decrypted with the corresponding decryption algorithm. For example, if in step 201 the data is encrypted with the RSA public key, then in step 203 the encrypted data is decrypted with the RSA private key. As another example, if in step 201 the data is encrypted with an AES key, then in step 203 the same AES key is used for decryption.
The decrypted data is plaintext; that is, the secure data area stores plaintext. In this embodiment, the data in the secure data area (for example the face image library and CNN parameters) is used frequently. If ciphertext were stored in the secure data area, it would have to be decrypted and re-encrypted repeatedly, which would greatly affect performance; therefore plaintext (that is, the decrypted data) is stored in the secure data area of the memory.
204: Receive an access request from a master device of the application processor chip for the decrypted data in the secure data area.
Step 204 in this embodiment is essentially the same as step 101 in Embodiment 1 (this embodiment only restricts the data to the decrypted data). For details, refer to the description of step 101 in Embodiment 1, which is not repeated here.
205: Determine the type of the master device.
Step 205 in this embodiment is the same as step 102 in Embodiment 1. For details, refer to the description of step 102 in Embodiment 1, which is not repeated here.
206: If the master device is determined to be a master device unrelated to any external input/output interface, allow the master device to read the decrypted data from the secure data area.
Step 206 in this embodiment is essentially the same as step 103 in Embodiment 1 (this embodiment only restricts the data to the decrypted data). For details, refer to the description of step 102 in Embodiment 1, which is not repeated here.
207: If the master device is determined to be a low-speed peripheral with an input/output interface, prohibit the master device from reading the decrypted data from the secure data area.
Step 207 in this embodiment is essentially the same as step 104 in Embodiment 1 (this embodiment only restricts the data to the decrypted data). For details, refer to the description of step 102 in Embodiment 1, which is not repeated here.
208: If the master device is determined to be a high-speed peripheral with an input/output interface, perform security authentication and, if the security authentication is passed, allow the master device to read the decrypted data from the secure data area.
Step 208 in this embodiment is essentially the same as step 105 in Embodiment 1 (this embodiment only restricts the data to the decrypted data). For details, refer to the description of step 103 in Embodiment 1, which is not repeated here.
The data protection method of Embodiment 2 encrypts data and stores the encrypted data in an external storage medium; receives a data read instruction and reads the encrypted data from the external storage medium according to the data read instruction; decrypts the encrypted data and stores the decrypted data in the secure data area of the memory; receives an access request from a master device of the application processor chip for the decrypted data in the secure data area; determines the type of the master device; if the master device is determined to be a device unrelated to any external input/output interface, allows the master device to read the decrypted data from the secure data area; if the master device is determined to be a low-speed peripheral with an input/output interface, prohibits the master device from reading the decrypted data from the secure data area; and if the master device is determined to be a high-speed peripheral with an input/output interface, performs security authentication and, if the security authentication is passed, allows the master device to read the decrypted data from the secure data area. The data protection method of Embodiment 2 can protect data conveniently, ensuring that the data has a high security level while reducing the implementation cost.
Embodiment 3
FIG. 4 is a structural diagram of the data protection apparatus provided by Embodiment 3 of the present invention. As shown in FIG. 4, the data protection apparatus 10 may include: a receiving unit 401, a determining unit 402, a first processing unit 403, a second processing unit 404 and a third processing unit 405.
The receiving unit 401 is configured to receive an access request from a master device of the application processor chip for data in the secure data area.
For example, when the processor of the application processor chip detects a face image and needs to perform face comparison against the stored face image library, it issues an access request for the face image library and CNN parameters in the secure data area.
The data in the secure data area may be unencrypted data (that is, plaintext) or encrypted data (that is, ciphertext).
The determining unit 402 is configured to determine the type of the master device.
The type of the master device may include at least the following types:
(1) Devices unrelated to any external input/output interface, for example the processor of the application processor chip (with its JTAG port disabled) and the DMA (Direct Memory Access) controller.
(2) Low-speed peripherals with an input/output interface, for example the UART (Universal Asynchronous Receiver/Transmitter), I2C (Inter-Integrated Circuit) devices and SPI (Serial Peripheral Interface) devices of the application processor chip.
(3) High-speed peripherals with an input/output interface, for example the USB (Universal Serial Bus) devices and PCIe (Peripheral Component Interconnect Express) devices of the application processor chip.
A correspondence between master device identifiers of the application processor chip (for example master device name, master device number, etc.) and master device types may be set in advance; the correspondence defines the master device type corresponding to each master device identifier. After the access request from the master device of the application processor chip for the data in the secure data area is received, the master device identifier (for example the master device name) of the master device is obtained, and the corresponding master device type is looked up in the correspondence according to the master device identifier, thereby obtaining the type of the master device.
The first processing unit 403 is configured to allow the master device to read the data from the secure data area if the master device is determined to be a device unrelated to any external input/output interface.
For example, if the master device is determined to be the DMA controller of the application processor chip, the master device is allowed to read the data from the secure data area.
The second processing unit 404 is configured to prohibit the master device from reading the data from the secure data area if the master device is determined to be a low-speed peripheral with an input/output interface.
For example, if the master device is determined to be an SPI device of the application processor chip, the master device is prohibited from reading the data from the secure data area.
The third processing unit 405 is configured to perform security authentication if the master device is determined to be a high-speed peripheral with an input/output interface and, if the security authentication is passed, to allow the master device to read the data from the secure data area.
For example, if the master device is determined to be a USB device of the application processor chip, security authentication is performed and, if it is passed, the master device is allowed to read the data from the secure data area.
Two accessible address segments, A and B, can be configured for a high-speed peripheral with an input/output interface, where A is the non-secure data address segment, corresponding to the non-secure data area, and B is the secure data address segment, corresponding to the secure data area. By default at power-on only address segment A is valid: a high-speed peripheral with an input/output interface can only access the non-secure data area of the memory and is prohibited from accessing the secure data area. After an access request from such a high-speed peripheral for data in the secure data area is received, the security authentication procedure is started. If the security authentication procedure is passed, access permission is opened, the valid address segment is switched to B, and the high-speed peripheral accesses the data in the secure data area. After the access is complete, the valid address segment is switched back to A and access permission is closed.
Security verification can be performed with a hash (message digest) algorithm. Specifically, performing security authentication may include: receiving an input permission-unlock password; calculating a message digest of the input permission-unlock password; determining whether the calculated message digest of the input permission-unlock password is the same as a message digest pre-stored in the application processor chip; and, if the calculated message digest of the input permission-unlock password is the same as the message digest pre-stored in the application processor chip, passing the security authentication.
Security verification can also be performed in other ways. For example, the user's biometric information (for example fingerprint, iris, face image, voice, etc.) may be collected; whether the collected biometric information matches pre-stored biometric information is determined; and if the collected biometric information matches the pre-stored biometric information, the security authentication is passed.
The data protection apparatus of Embodiment 3 receives an access request from a master device of the application processor chip for data in the secure data area of the memory; determines the type of the master device; if the master device is determined to be a device unrelated to any external input/output interface, allows the master device to read the data from the secure data area; if the master device is determined to be a low-speed peripheral with an input/output interface, prohibits the master device from reading the data from the secure data area; and if the master device is determined to be a high-speed peripheral with an input/output interface, performs security authentication and, if the security authentication is passed, allows the master device to read the data from the secure data area. The data protection apparatus of Embodiment 3 can protect data conveniently, ensuring that the data has a high security level while reducing the implementation cost.
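As an added example of the per-master-type policy, the A/B address-segment switch and the digest-based unlock check described at the end of Embodiment 1 and again for the apparatus of Embodiment 3 (illustrative Go, not code from the patent; the master names, the use of SHA-256 as the digest, and the unlock password are constructed assumptions):

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// MasterType is the class of bus master that issues a request for the secure data area.
type MasterType int

const (
	NoExternalIO MasterType = iota // e.g. CPU with JTAG disabled, DMA controller
	LowSpeedIO                     // e.g. UART, I2C, SPI
	HighSpeedIO                    // e.g. USB, PCIe
)

// Address segments available to a high-speed peripheral.
const (
	SegmentA = "A" // non-secure data area; the power-on default
	SegmentB = "B" // secure data area; valid only while authenticated access is open
)

// masterTypes is a constructed identifier-to-type table (the page's "correspondence");
// the names are placeholders, not a real chip's master identifiers.
var masterTypes = map[string]MasterType{
	"cpu": NoExternalIO, "dma0": NoExternalIO,
	"uart0": LowSpeedIO, "i2c0": LowSpeedIO, "spi0": LowSpeedIO,
	"usb0": HighSpeedIO, "pcie0": HighSpeedIO,
}

// ErrDenied is returned for every refused request, so a caller cannot tell
// "unknown master" from "wrong password" from "class not permitted".
var ErrDenied = errors.New("access to secure data area denied")

// Guard models the gate in front of the secure data area.
type Guard struct {
	unlockDigest [32]byte // pre-stored digest of the permission-unlock password
	Segment      string   // address segment currently valid for high-speed peripherals
	secure       []byte   // contents of the secure data area (plaintext)
}

// NewGuard stores only the digest of the unlock password, never the password itself.
func NewGuard(unlockPassword string, secure []byte) *Guard {
	return &Guard{
		unlockDigest: sha256.Sum256([]byte(unlockPassword)),
		Segment:      SegmentA,
		secure:       secure,
	}
}

// authenticate hashes the presented password and compares it with the stored
// digest in constant time (a plain == comparison would leak via timing).
func (g *Guard) authenticate(password string) bool {
	d := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(d[:], g.unlockDigest[:]) == 1
}

// ReadSecure applies the per-class policy to a read request from master `id`.
// `password` is only consulted for high-speed peripherals. On success it returns
// a copy of the secure area; the segment is always switched back to A afterwards.
func (g *Guard) ReadSecure(id, password string) ([]byte, error) {
	t, known := masterTypes[id]
	if !known {
		return nil, ErrDenied // unlisted master: fail closed
	}
	switch t {
	case NoExternalIO:
		return append([]byte(nil), g.secure...), nil
	case LowSpeedIO:
		return nil, ErrDenied
	case HighSpeedIO:
		if !g.authenticate(password) {
			return nil, ErrDenied
		}
		g.Segment = SegmentB                    // open access: segment B becomes valid
		defer func() { g.Segment = SegmentA }() // close access once the read completes
		return append([]byte(nil), g.secure...), nil
	}
	return nil, ErrDenied
}

func main() {
	// Constructed password and secure-area contents for the demonstration.
	g := NewGuard("unlock-me-please", []byte("face-db+cnn-params"))
	for _, req := range []struct{ id, pw string }{
		{"dma0", ""}, {"spi0", "unlock-me-please"}, {"usb0", "guess"}, {"usb0", "unlock-me-please"},
	} {
		out, err := g.ReadSecure(req.id, req.pw)
		fmt.Printf("%-5s -> data=%q err=%v segment=%s\n", req.id, out, err, g.Segment)
	}
}
```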
Embodiment 4
FIG. 5 is a structural diagram of the data protection apparatus provided by Embodiment 4 of the present invention. As shown in FIG. 5, the data protection apparatus 50 may include: an encryption unit 501, a reading unit 502, a decryption unit 503, a receiving unit 504, a determining unit 505, a first processing unit 506, a second processing unit 507 and a third processing unit 508.
The encryption unit 501 is configured to encrypt data and store the encrypted data in the external storage medium.
The data may be any data that needs security protection. For example, the data may be the user's private data, such as a phone book, short messages, e-mail, account numbers and the like. The data may also be key data or core data, such as the database of an AI product (for example a face image library) and its parameters (for example CNN parameters).
The data may be a single file, such as a picture, document, music, video or application, or it may be a folder.
The encrypted data is ciphertext; that is, the external storage medium stores ciphertext.
The data may be encrypted with an asymmetric encryption algorithm. In this preferred embodiment, the data may be encrypted with the RSA asymmetric encryption algorithm. For example, the database of the AI product (for example a face image library) and its parameters (for example CNN parameters) may be encrypted with the RSA public key, and the encrypted database and parameters stored in the external storage medium.
Alternatively, the data may be encrypted with a symmetric encryption algorithm. In this preferred embodiment, the data may be encrypted with the AES symmetric encryption algorithm. For example, an AES encryption algorithm with a key width of 256 bits or more is used to encrypt the database of the AI product (for example a face image library) and its parameters (for example CNN parameters), and the encrypted database and parameters are stored in the external storage medium.
The external storage medium may include a removable external storage medium, such as an SD/TF card, for storing frequently changed data, such as the face image library, which facilitates routine maintenance and updates.
The external storage medium may also include a non-removable external storage medium, such as NAND flash/NOR flash or eMMC flash, for storing infrequently changed data, such as trained CNN parameters.
The reading unit 502 is configured to receive a data read instruction and read the encrypted data from the external storage medium according to the data read instruction.
For example, when the stored face image library needs to be compared with a captured face image, the encrypted face image library and CNN parameters are read from the external storage medium.
The decryption unit 503 is configured to decrypt the encrypted data and store the decrypted data in the secure data area.
According to the encryption algorithm used by the encryption unit 501, the decryption unit 503 decrypts the encrypted data with the corresponding decryption algorithm. For example, if the encryption unit 501 encrypts the data with the RSA public key, the decryption unit 503 decrypts the encrypted data with the RSA private key. As another example, if the encryption unit 501 encrypts the data with an AES key, the decryption unit 503 decrypts with the same AES key.
The decrypted data is plaintext; that is, the secure data area stores plaintext. In this embodiment, the data in the secure data area (for example the face image library and CNN parameters) is used frequently. If ciphertext were stored in the secure data area, it would have to be decrypted and re-encrypted repeatedly, which would greatly affect performance; therefore plaintext (that is, the decrypted data) is stored in the secure data area of the memory.
The receiving unit 504 is configured to receive an access request from a master device of the application processor chip for the decrypted data in the secure data area.
The receiving unit 504 in this embodiment is essentially the same as the receiving unit 401 in Embodiment 3 (this embodiment only restricts the data to the decrypted data). For details, refer to the description of the receiving unit 401 in Embodiment 3, which is not repeated here.
The determining unit 505 is configured to determine the type of the master device.
The determining unit 505 in this embodiment is the same as the determining unit 402 in Embodiment 3. For details, refer to the description of the determining unit 402 in Embodiment 3, which is not repeated here.
The first processing unit 506 is configured to allow the master device to read the decrypted data from the secure data area if the master device is determined to be a master device unrelated to any external input/output interface.
The first processing unit 506 in this embodiment is essentially the same as the first processing unit 403 in Embodiment 3 (this embodiment only restricts the data to the decrypted data). For details, refer to the description of the first processing unit 403 in Embodiment 3, which is not repeated here.
The second processing unit 507 is configured to prohibit the master device from reading the decrypted data from the secure data area if the master device is determined to be a low-speed peripheral with an input/output interface.
The second processing unit 507 in this embodiment is essentially the same as the second processing unit 404 in Embodiment 3 (this embodiment only restricts the data to the decrypted data). For details, refer to the description of the second processing unit 404 in Embodiment 3, which is not repeated here.
The third processing unit 508 is configured to perform security authentication if the master device is determined to be a high-speed peripheral with an input/output interface and, if the security authentication is passed, to allow the master device to read the decrypted data from the secure data area.
The third processing unit 508 in this embodiment is essentially the same as the third processing unit 405 in Embodiment 3 (this embodiment only restricts the data to the decrypted data). For details, refer to the description of the third processing unit 405 in Embodiment 3, which is not repeated here.
The data protection apparatus of Embodiment 4 encrypts data and stores the encrypted data in an external storage medium; receives a data read instruction and reads the encrypted data from the external storage medium according to the data read instruction; decrypts the encrypted data and stores the decrypted data in the secure data area of the memory; receives an access request from a master device of the application processor chip for the decrypted data in the secure data area; determines the type of the master device; if the master device is determined to be a device unrelated to any external input/output interface, allows the master device to read the decrypted data from the secure data area; if the master device is determined to be a low-speed peripheral with an input/output interface, prohibits the master device from reading the decrypted data from the secure data area; and if the master device is determined to be a high-speed peripheral with an input/output interface, performs security authentication and, if the security authentication is passed, allows the master device to read the decrypted data from the secure data area. The data protection apparatus of Embodiment 4 can protect data conveniently, ensuring that the data has a high security level while reducing the implementation cost.
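As an added example of the encrypt, store, read and decrypt flow of Embodiment 2 (steps 201 to 203) and of the encryption, reading and decryption units of Embodiment 4 (illustrative Go, not the patent's own code): it takes the page's AES-256 option, in GCM mode so that a record altered on the removable medium is rejected instead of being decrypted into the secure area; the key, the record names and their contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ExternalMedium stands in for the SD/TF card or eMMC flash: it only ever holds ciphertext.
type ExternalMedium map[string][]byte

// SecureArea stands in for the memory's secure data area: it holds plaintext only.
type SecureArea map[string][]byte

// newAEAD builds an AES-256-GCM instance. GCM adds an authentication tag, so a
// modified record on the medium is detected rather than decrypted to garbage.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is step 201: encrypt `plain` and store the nonce-prefixed ciphertext on
// the medium under `name`. The record name is bound as associated data, so one
// record cannot be silently substituted for another on the same medium.
func Protect(key []byte, medium ExternalMedium, name string, plain []byte) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err // fresh random nonce per record; never reuse one under the same key
	}
	medium[name] = aead.Seal(nonce, nonce, plain, []byte(name))
	return nil
}

// Load is steps 202 and 203: read the ciphertext record `name` from the medium,
// authenticate and decrypt it, and place the plaintext in the secure area.
// On any failure nothing is written to the secure area.
func Load(key []byte, medium ExternalMedium, secure SecureArea, name string) error {
	ct, ok := medium[name]
	if !ok {
		return fmt.Errorf("record %q not found on external medium", name)
	}
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	if len(ct) < aead.NonceSize() {
		return fmt.Errorf("record %q is too short to contain a nonce", name)
	}
	nonce, body := ct[:aead.NonceSize()], ct[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, body, []byte(name))
	if err != nil {
		return fmt.Errorf("record %q failed authentication: %w", name, err)
	}
	secure[name] = plain
	return nil
}

func main() {
	key := make([]byte, 32) // constructed key; on a real chip it would be provisioned, not generated here
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	medium, secure := ExternalMedium{}, SecureArea{}
	for name, data := range map[string]string{
		"face-db":    "constructed face image library",
		"cnn-params": "constructed trained CNN parameters",
	} {
		if err := Protect(key, medium, name, []byte(data)); err != nil {
			panic(err)
		}
	}
	// Simulate a bit flip on the SD card: the tampered record must not reach the secure area.
	medium["cnn-params"][len(medium["cnn-params"])-1] ^= 0x01
	fmt.Println("face-db:", Load(key, medium, secure, "face-db"))
	fmt.Println("cnn-params:", Load(key, medium, secure, "cnn-params"))
	fmt.Printf("secure area holds %d record(s)\n", len(secure))
}
```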
Embodiment 5
FIG. 6 is a schematic diagram of the computer apparatus provided by Embodiment 5 of the present invention. The computer apparatus 1 includes a memory 20, an application processor chip 30, and a computer program 40, for example a data protection program, stored in the memory 20 and executable on the application processor chip 30. When the application processor chip 30 executes the computer program 40, the steps in the data protection method embodiments above are implemented, for example steps 101 to 105 shown in FIG. 1 or steps 201 to 208 shown in FIG. 2. Alternatively, when the application processor chip 30 executes the computer program 40, the functions of the modules/units in the apparatus embodiments above are implemented, for example units 401 to 405 in FIG. 4 or units 501 to 508 in FIG. 5.
Exemplarily, the computer program 40 may be divided into one or more modules/units, which are stored in the memory 20 and executed by the application processor chip 30 to carry out the present invention. The one or more modules/units may be a series of computer program instruction segments capable of completing a specific function; the instruction segments describe the execution process of the computer program 40 in the computer apparatus 1. For example, the computer program 40 may be divided into the receiving unit 401, determining unit 402, first processing unit 403, second processing unit 404 and third processing unit 405 in FIG. 4, or into the encryption unit 501, reading unit 502, decryption unit 503, receiving unit 504, determining unit 505, first processing unit 506, second processing unit 507 and third processing unit 508 in FIG. 5; for the specific function of each unit, refer to Embodiment 3 and Embodiment 4.
The computer apparatus 1 may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. Those skilled in the art will understand that the schematic diagram in FIG. 6 is merely an example of the computer apparatus 1 and does not constitute a limitation on it; the apparatus may include more or fewer components than illustrated, combine certain components, or use different components. For example, the computer apparatus 1 may further include input/output devices, network access devices, buses and the like.
The application processor chip 30 referred to here includes a processor. The processor may be a central processing unit (CPU), and may also include other general-purpose processors, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components and the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The processor is the control center of the computer apparatus 1 and connects the various parts of the entire computer apparatus 1 through various interfaces and lines.
The memory 20 may be used to store the computer program 40 and/or modules/units. The application processor chip 30 implements the various functions of the computer apparatus 1 by running or executing the computer programs and/or modules/units stored in the memory 20 and by invoking data stored in the memory 20. The memory 20 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and the application programs required for at least one function (for example a sound playback function or an image playback function), and the data storage area may store data created according to the use of the computer apparatus 1 (for example audio data or a phone book). The memory 20 may include an external storage medium and may also include internal memory. In addition, the memory 20 may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, internal memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or another volatile solid-state storage device.
If the modules/units integrated in the computer device 1 are implemented in the form of software functional units and sold or used as stand-alone products, they may be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the method embodiments above may also be implemented by a computer program instructing the relevant hardware; the computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments above. The computer program includes computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, and the like. It should be noted that the content of the computer-readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.
In the several embodiments provided by the present invention, it should be understood that the disclosed computer device and method may be implemented in other ways. For example, the computer device embodiments described above are merely illustrative: the division into units is only a division by logical function, and an actual implementation may divide them differently.
In addition, the functional units in the embodiments of the present invention may be integrated in the same processing unit, each unit may exist physically on its own, or two or more units may be integrated in the same unit. The integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional modules.
It is apparent to those skilled in the art that the present invention is not limited to the details of the exemplary embodiments above, and that it can be embodied in other specific forms without departing from its spirit or essential characteristics. The embodiments are therefore to be regarded in every respect as illustrative and not restrictive, and the scope of the invention is defined by the appended claims rather than by the foregoing description; all changes that fall within the meaning and range of equivalents of the claims are therefore intended to be embraced by the invention. No reference sign in the claims should be construed as limiting the claim concerned. Furthermore, the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Several units or computer devices recited in a computer device claim may also be implemented by one and the same unit or computer device in software or hardware. The words "first", "second" and so on are used to denote names and do not indicate any particular order.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the preferred embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (10)

  1. A data protection method, applied to a computer device including an application processor chip, the application processor chip being connected to a memory, characterized in that the memory includes a secure data area and the method includes:
    receiving an access request from a master device of the application processor chip for data in the secure data area;
    determining the type of the master device;
    if the master device is determined to be a device unrelated to an external input/output interface, allowing the master device to read the data from the secure data area;
    if the master device is determined to be a low-speed peripheral having an input/output interface, prohibiting the master device from reading the data from the secure data area;
    if the master device is determined to be a high-speed peripheral having an input/output interface, performing security authentication, and if the security authentication is passed, allowing the master device to read the data from the secure data area.
  2. The method according to claim 1, characterized in that performing security authentication includes:
    receiving an entered permission-unlock password;
    calculating a message digest of the entered permission-unlock password;
    judging whether the calculated message digest of the entered permission-unlock password is identical to a message digest pre-stored in the application processor chip;
    if the calculated message digest of the entered permission-unlock password is identical to the message digest pre-stored in the application processor chip, passing the security authentication.
  3. The method according to claim 1 or 2, characterized in that the memory is packaged within the application processor chip.
  4. The method according to claim 1 or 2, characterized in that the application processor chip is further connected to an external storage medium and a memory, and the method further includes:
    encrypting data and storing the encrypted data in the external storage medium;
    receiving a data read instruction and reading the encrypted data from the external storage medium according to the data read instruction;
    decrypting the encrypted data and storing the decrypted data in the secure data area.
  5. The method according to claim 4, characterized in that encrypting the data includes:
    encrypting the data by an asymmetric encryption algorithm, the asymmetric encryption algorithm including the RSA algorithm; or
    encrypting the data by a symmetric encryption algorithm, the symmetric encryption algorithm including the AES algorithm;
    and performing security authentication includes:
    performing security verification by a HASH encryption algorithm.
  6. The method according to claim 4 or 5, characterized in that the external storage medium includes a removable external storage medium and a non-removable external storage medium.
  7. A data protection apparatus, applied to a computer device including an application processor chip, the application processor chip being connected to a memory, characterized in that the memory includes a secure data area and the apparatus includes:
    a receiving unit, configured to receive an access request from a master device of the application processor chip for data in the secure data area;
    a determining unit, configured to determine the type of the master device;
    a first processing unit, configured to allow the master device to read the data from the secure data area if the master device is determined to be a master device unrelated to an external input/output interface;
    a second processing unit, configured to prohibit the master device from reading the data from the secure data area if the master device is determined to be a low-speed peripheral having an input/output interface;
    a third processing unit, configured to perform security authentication if the master device is determined to be a high-speed peripheral having an input/output interface, and to allow the master device to read the data from the secure data area if the security authentication is passed.
  8. The apparatus according to claim 7, characterized in that the application processor chip is further connected to an external storage medium and a memory, and the apparatus further includes:
    an encryption unit, configured to encrypt data and store the encrypted data in the external storage medium;
    a reading unit, configured to receive a data read instruction and read the encrypted data from the external storage medium according to the data read instruction;
    a decryption unit, configured to decrypt the encrypted data and store the decrypted data in the secure data area.
  9. A computer device, characterized in that the computer device includes an application processor chip, and the application processor chip, when executing a computer program stored in a memory, implements the data protection method according to any one of claims 1 to 6.
  10. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by an application processor chip, implements the data protection method according to any one of claims 1 to 6.
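The access decision of claims 1 and 2, modelled as an added Python example (not code from the patent or its applicant): the master's type is passed in as already determined, SHA-256 stands in for the unnamed HASH algorithm, and the audit log and all sample values are constructed for this example.

```python
"""Model of the access decision in claims 1 and 2: which masters of the
application processor chip may read the secure data area, and how a
high-speed I/O peripheral is authenticated with a permission-unlock password."""
import hashlib
import hmac
from enum import Enum, auto
from typing import Optional


class MasterKind(Enum):
    """The three master classes that claim 1 distinguishes."""
    NO_EXTERNAL_IO = auto()  # master unrelated to any external I/O interface
    LOW_SPEED_IO = auto()    # low-speed peripheral with an external I/O interface
    HIGH_SPEED_IO = auto()   # high-speed peripheral with an external I/O interface


class SecureDataArea:
    """Secure data area of the on-chip memory plus the pre-stored digest of the
    permission-unlock password (claim 2). SHA-256 is this example's choice for
    the HASH algorithm; the claims do not name one."""

    def __init__(self, data: bytes, unlock_password: bytes) -> None:
        self._data = data
        # Provisioning: only the digest is kept on the chip, never the password.
        self._stored_digest = hashlib.sha256(unlock_password).digest()
        # Audit trail of refused requests; constructed for this example, not in the claims.
        self.audit_log: list[str] = []

    def authenticate(self, entered_password: bytes) -> bool:
        """Claim 2: digest the entered password and compare with the stored digest.
        compare_digest avoids leaking the digest through timing; the claim itself
        only requires equality."""
        digest = hashlib.sha256(entered_password).digest()
        return hmac.compare_digest(digest, self._stored_digest)

    def request_read(self, master: str, kind: MasterKind,
                     entered_password: Optional[bytes] = None) -> Optional[bytes]:
        """Claim 1: decide one access request by the master's type. Returns the
        data when the read is allowed, None when it is refused (and logs why)."""
        if kind is MasterKind.NO_EXTERNAL_IO:
            return self._data  # allowed without authentication
        if kind is MasterKind.LOW_SPEED_IO:
            self.audit_log.append(f"DENY {master}: low-speed I/O peripheral")
            return None
        # Remaining kind is HIGH_SPEED_IO: allowed only after authentication succeeds.
        if entered_password is not None and self.authenticate(entered_password):
            return self._data
        self.audit_log.append(f"DENY {master}: high-speed I/O peripheral, authentication failed")
        return None


if __name__ == "__main__":
    # Constructed sample values: a secret blob and the provisioned unlock password.
    area = SecureDataArea(b"model-weights", b"unlock-1234")
    print(area.request_read("cpu0", MasterKind.NO_EXTERNAL_IO))                # b'model-weights'
    print(area.request_read("uart0", MasterKind.LOW_SPEED_IO))                 # None
    print(area.request_read("usb3", MasterKind.HIGH_SPEED_IO, b"wrong"))        # None
    print(area.request_read("usb3", MasterKind.HIGH_SPEED_IO, b"unlock-1234"))  # b'model-weights'
    print(area.audit_log)
```

Note that a low-speed peripheral is refused even when it supplies the correct password, exactly as claim 1 states; only the high-speed class gets the authentication path.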
PCT/CN2017/119040 2017-12-05 2017-12-27 Data protection method and apparatus, computer apparatus, and readable storage medium WO2019109418A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711269114.6 2017-12-05
CN201711269114.6A CN108090366B (en) 2017-12-05 2017-12-05 Data protection method and device, computer device and readable storage medium

Publications (1)

Publication Number Publication Date
WO2019109418A1 true WO2019109418A1 (en) 2019-06-13

Family

ID=62173781

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/119040 WO2019109418A1 (en) 2017-12-05 2017-12-27 Data protection method and apparatus, computer apparatus, and readable storage medium

Country Status (2)

Country Link
CN (1) CN108090366B (en)
WO (1) WO2019109418A1 (en)

Also Published As

Publication number Publication date
CN108090366B (en) 2020-02-04
CN108090366A (en) 2018-05-29
