WO2019184740A1 - Data encryption, decryption method and device - Google Patents


Info

Publication number
WO2019184740A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
data
encrypted
hardware
program
Prior art date
Application number
PCT/CN2019/078419
Other languages
French (fr)
Chinese (zh)
Inventor
尉鲁飞
Original Assignee
阿里巴巴集团控股有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 The encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information involving random numbers or seeds
    • H04L9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Using cryptographic hash functions
    • H04L9/3242 Involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L9/40 Network security protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received data contents, e.g. message integrity

Definitions

  • the present application relates to the field of computer technologies, and in particular, to a data encryption and decryption method and apparatus.
  • a key can be written into the code of the hardware device, so that the data in the hardware device can be encrypted by the key.
  • writing the key into the code of the hardware device makes it difficult to achieve one key per machine (hardware device); that is, the key is the same in hardware devices of the same class or from the same hardware manufacturer. Therefore, when the key in one hardware device is cracked, the keys of the other hardware devices of the same type or from the same hardware manufacturer are also leaked, which makes it difficult to ensure data security and results in low security of the data and the hardware devices.
  • the present application has been made in order to provide a data encryption and decryption method and apparatus that overcomes the above problems or at least partially solves the above problems.
  • the application provides a data encryption method, including:
  • encrypting the data according to the first key includes:
  • the data to be encrypted is encrypted by using the second key, and the first key is used to encrypt the second key.
  • the method further includes:
  • the encrypted second key is saved corresponding to the encrypted data to be encrypted.
  • the method further includes:
  • verification data for verifying the integrity of the data to be encrypted is generated, and the verification data is saved corresponding to the encrypted data to be encrypted.
  • generating the verification data for verifying the integrity of the data to be encrypted includes:
  • before the data is encrypted according to the first key, the method further includes:
  • the method further includes:
  • the application also provides a data decryption method, including:
  • the encrypted data is decrypted according to the first key.
  • decrypting the encrypted data according to the first key includes:
  • the encrypted data is decrypted using the second key.
  • the method further includes:
  • the verification data is used to verify the integrity of the decryption result.
  • the verification data includes a first hash value of the decryption result.
  • verifying the integrity of the decryption result by using the verification data includes:
  • the method further includes:
  • the decryption result is output through the second interface.
  • the application also provides a data encryption method, including:
  • generating, by using the trusted root program, the first key that uniquely corresponds to the hardware device includes:
  • the hardware device has a dedicated hardware trusted root program built in, and accessing the hardware trusted root program built into the hardware device includes:
  • the hardware trusted root program is accessed through the first interface, and the interface type of the first interface is adapted to the program type of the hardware trusted root program.
  • the application also provides a data decryption method, including:
  • the encrypted data is decrypted according to the first key.
  • generating, by using the trusted root program, the first key that uniquely corresponds to the hardware device includes:
  • the hardware device has a dedicated hardware trusted root program built in, and accessing the hardware trusted root program built into the hardware device includes:
  • the hardware trusted root program is accessed through the first interface, and the interface type of the first interface is adapted to the program type of the hardware trusted root program.
  • the application also provides a data encryption device, including:
  • a first key generation module configured to generate a first key uniquely corresponding to the hardware device by using a software root program
  • a data encryption module configured to encrypt data according to the first key.
  • the data encryption module includes:
  • a key random generation sub-module configured to randomly generate a second key
  • a data encryption submodule configured to encrypt data to be encrypted by using the second key, where the first key is used to encrypt the second key.
  • the device further includes:
  • a second key encryption module configured to encrypt the second key by using the first key.
  • the device further includes:
  • a verification data generating module configured to generate verification data for verifying the integrity of the data to be encrypted, where the verification data is saved corresponding to the encrypted data to be encrypted.
  • the device further includes:
  • the data receiving module to be encrypted is configured to provide a second interface for receiving data to be encrypted, and receive the data to be encrypted through the second interface;
  • an encryption result output module configured to output an encryption result to the data source of the data to be encrypted by using the second interface.
  • the application also provides a data decryption device, comprising:
  • a first key generation module configured to generate a first key uniquely corresponding to the hardware device by using a software root program
  • a data decrypting module configured to decrypt the encrypted data according to the first key.
  • the data decryption module includes:
  • a key acquisition submodule configured to generate the first key, and obtain an encrypted second key, where the encrypted second key is saved corresponding to the encrypted data
  • a second key decrypting submodule configured to decrypt the encrypted second key by using the first key to obtain a second key
  • a data decryption submodule for decrypting the encrypted data using the second key.
  • the device further includes:
  • a verification data acquisition module configured to acquire verification data, where the verification data is saved corresponding to the encrypted data
  • an integrity verification module configured to verify the integrity of the decryption result by using the verification data.
  • the device further includes:
  • a decryption result output module configured to output the decryption result through the second interface.
  • the application also provides a data encryption device, including:
  • a first key generation module configured to generate a first key uniquely corresponding to the hardware device by using a root of trust program
  • a data encryption module configured to encrypt data according to the first key.
  • the first key generation module includes:
  • a first key generation submodule configured to access the hardware trusted root program built into the hardware device to generate the first key.
  • the application also provides a data decryption device, comprising:
  • a first key generation module configured to generate a first key uniquely corresponding to the hardware device by using a root of trust program
  • a data decrypting module configured to decrypt the encrypted data according to the first key.
  • the first key generation module includes:
  • a first key generation submodule configured to access the hardware trusted root program built into the hardware device to generate the first key.
  • the present application also provides a computer device comprising a memory, a processor, and a computer program stored on the memory and operable on the processor, the processor executing the computer program to implement one or more of the foregoing methods.
  • the application also provides a computer readable storage medium having stored thereon a computer program that, when executed by a processor, implements one or more of the methods described above.
  • the first key uniquely corresponding to the hardware device is generated by using the root of trust program, and the data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type or belonging to the same hardware manufacturer remain safe, which effectively improves the security of the data and the hardware devices.
  • Secondly, the first key can be generated by the software trusted root program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, so the reliability of generating the first key is improved.
  • FIG. 1 is a flowchart of a data encryption method according to a first embodiment of the present application
  • FIG. 2 is a flowchart of another data encryption method according to a second embodiment of the present application.
  • FIG. 3 is a flowchart of another data encryption method according to a third embodiment of the present application.
  • FIG. 4 is a flowchart of a data decryption method according to a fourth embodiment of the present application.
  • FIG. 5 is a flowchart of another data decryption method according to a fifth embodiment of the present application.
  • FIG. 6 is a flowchart of another data decryption method according to a sixth embodiment of the present application.
  • FIG. 7 shows a flow chart of a data processing method according to an embodiment of the present application.
  • FIG. 8 is a flowchart of a data encryption method according to an embodiment of the present application.
  • FIG. 9 is a flowchart of a data decryption method according to an embodiment of the present application.
  • FIG. 10 is a structural block diagram of a data encryption apparatus according to a seventh embodiment of the present application.
  • FIG. 11 is a structural block diagram of another data encryption apparatus according to an eighth embodiment of the present application.
  • FIG. 12 is a structural block diagram of a data decryption apparatus according to a ninth embodiment of the present application.
  • FIG. 13 is a structural block diagram of another data decryption apparatus according to a tenth embodiment of the present application.
  • FIG. 14 is a block diagram of an exemplary system according to an embodiment of the present application.
  • the trusted root program, also known as the root of trust, refers to a set of functions that are always trusted by the operations running on the hardware device.
  • the root of trust provides a trusted encryption and decryption service for the hardware device.
  • the trusted root program may include at least one of a hardware trust root program and a software trust root program.
  • the hardware root program depends on the corresponding hardware, and may include a hardware trust root program based on Intel SGX (Intel Software Guard Extensions) or TEE (Trusted Execution Environment).
  • the software trusted root program can include a KM (key manager, key management module).
  • the root program of trust may also include other hardware root programs or software root programs, which are not repeated here.
  • the first key is derived from the trusted root program according to the device unique identifier of the hardware device, so as to uniquely correspond to the hardware device, and the first key can be used to encrypt the data in the hardware device.
  • the device unique identifier is used to uniquely identify an electronic device.
  • the device unique identifier may include an IMEI (International Mobile Equipment Identity) or a MAC (Media Access Control) address.
  • the hardware device can be any of various IoT terminals or devices, such as detectors for weather or environmental monitoring, or smart home devices such as smart speakers in the home. Of course, it can also include mobile phones, smart watches, VR (Virtual Reality) devices, tablets, e-book readers, MP3 (Moving Picture Experts Group Audio Layer III) and MP4 (Moving Picture Experts Group Audio Layer IV) players, laptops, on-board computers, desktop computers, set-top boxes, wearable devices, and more.
  • the hardware device can interact with a remote server to obtain a client, a plug-in, or a data encryption or decryption service, and can include any of the devices in FIG. 10-14 below, implementing any of the methods of FIG. 1-9 to encrypt or decrypt data.
  • the client can include at least one application.
  • the client can be run in the positioning device to implement the data encryption or decryption method provided by the embodiment of the present application.
  • the plug-in may be included in an application running in the positioning device, thereby implementing the data encryption or decryption method provided by the embodiment of the present application.
  • the embodiment of the present application can be applied to the scenario of encrypting or decrypting data in a hardware device such as an Internet of Things device, for example an edge gateway. When the key is written directly into the code of the hardware device, cracking the key in one hardware device leaks the keys of the other hardware devices of the same type or from the same hardware manufacturer, which makes it difficult to ensure data security and results in low security of the data and the hardware devices. Therefore, in order to ensure the security of the data and the hardware devices, the embodiment of the present application provides a data encryption method.
  • the first key uniquely corresponding to the hardware device may be generated by using a trusted root program, and the data is encrypted according to the first key.
  • since the key does not need to be written directly into the code of the hardware device, on the one hand the possibility of a hacker or the like obtaining the key is reduced, and on the other hand, even if the key of one hardware device is cracked, the keys in hardware devices of the same type or belonging to the same hardware manufacturer remain safe.
  • storing data securely through a secure key can effectively improve the security of the data and the hardware devices.
  • since some hardware devices may not have the hardware that the hardware trusted root program depends on, that is, they do not have hardware security capability, the software trusted root program can be called to generate the first key. This ensures that a hardware device with or without hardware security capability can generate the first key, improves the reliability of generating the first key, and in turn ensures the security of the data and the hardware device while reducing costs. That is, the software trusted root program provides a secure key management function.
  • the embodiment of the present application can be implemented as a client or a plug-in.
  • the hardware device can obtain and install the client or the plug-in from the remote server, so that the data encryption or decryption method provided by the embodiment of the present application is implemented by the client or the plug-in.
  • the embodiment of the present application may also be deployed in a form of software on a remote server, and the positioning device may obtain a data encryption or decryption service by accessing the remote server.
  • Referring to FIG. 1, a flowchart of a data encryption method according to an embodiment of the present application is shown. The specific steps include:
  • Step 101 Generate a first key uniquely corresponding to the hardware device by using a software root program.
  • the key may not be written into the hardware code.
  • the first key is generated by the root of trust program, and the generated key uniquely corresponds to the hardware device.
  • on the one hand, the possibility of a hacker obtaining the first key directly from the code is reduced; on the other hand, even if the key of some hardware device is cracked, the keys in hardware devices of the same type or belonging to the same hardware manufacturer remain secure, so that the security of the data and the hardware device is effectively improved.
  • the software root program can include KM.
  • the device unique identifier of the hardware device can be obtained, and the first key is derived based on the unique identifier of the device by using a trusted root program. Since the unique identifiers of the devices from different hardware devices are different, the first keys obtained by different hardware devices are also different.
  • Step 102 Encrypt data according to the first key.
  • the first key is generated by the root of the trust program and uniquely corresponding to the hardware device, and can effectively improve the security of the data and the hardware device, so the data can be encrypted according to the first key.
  • the data to be encrypted in the hardware device can be obtained, and the data to be encrypted is encrypted by using the first key.
  • the data to be encrypted can also be encrypted according to the first key by using a more complicated encryption method.
  • for example, more keys can be generated, and the data to be encrypted is encrypted by multiple keys including the first key.
  • the data to be encrypted may include data with high security requirements in the hardware device, such as user password, user fingerprint feature, user facial feature, user iris feature, application key of the application in the hardware device, and the like.
  • the data to be encrypted may also include other data in the hardware device, such as user-specified data.
  • the encrypted data is a result of encrypting the data to be encrypted according to the first key, and the encrypted data can be decrypted according to the first key, thereby obtaining the data to be encrypted again.
  • Referring to FIG. 2, a flowchart of a data encryption method according to an embodiment of the present application is shown. The specific steps include:
  • Step 201 Generate a first key uniquely corresponding to the hardware device by using a software root program.
  • At least one of a hardware trust root program and a software trust root program may be included in the hardware device.
  • the generated first key may be stored in a storage location corresponding to the trusted root program, such as in a KM protected storage area.
  • Step 202 Provide a second interface that receives data to be encrypted, and receives the data to be encrypted through the second interface.
  • the hardware device may include a hardware trusted root program and/or a software trusted root program, and may even include more than one hardware trusted root program, which may result in multiple first interfaces for the hardware trusted root programs. This makes the system architecture in the hardware device confusing, and the applications in the application layer need to perform complicated and heavy adaptation, which not only increases the development cost of the applications but may also cause problems such as adaptation errors, making it difficult to encrypt data and reducing the security and reliability of the data and the hardware device.
  • a unified interface can therefore be provided for the applications in the application layer, namely the second interface that receives the data to be encrypted. The trusted root program at the bottom layer is encapsulated behind the second interface, so that each application can use the various functions of the root of trust program through one unified interface. This makes the system architecture in the hardware device more compact, reduces the development cost of the applications, and improves the security and reliability of the applications and the hardware device.
  • the second interface facing the application layer may be provided in the form of hardware or software. The data from the application layer is received through the second interface, and the received data is converted according to the first interface or the software trusted root program, so that the converted data conforms to the data type or standard of the first interface or the software trusted root program.
  • the data to be encrypted is data that needs to be encrypted by a key, and may include data from any source and any application.
  • Step 203 Randomly generate a second key, and encrypt the data to be encrypted by using the second key, where the first key is used to encrypt the second key.
  • a second key may be generated on the basis of the first key; the data to be encrypted is encrypted by the second key, and the first key encrypts the second key. Through this layered key management the security of the data and the hardware device is improved: since multiple keys are less likely to be cracked than a single key, the security of the data and the hardware device naturally increases. In addition, since the second key is randomly generated, the key used for each piece of data to be encrypted is different, so that even if one piece of encrypted data in the hardware device is cracked, the other encrypted data remains safe. This further enhances the security of the data and the hardware device.
  • the second key may be generated by a key generation algorithm by using the trust root program in the foregoing.
  • Hierarchical key management refers to generating multiple keys in different ways, with each key stored and managed separately. The data is encrypted by multiple keys, or the data is encrypted by some of the keys and the other keys encrypt the key that encrypted the data. This effectively increases the complexity of the encryption, makes it difficult for a hacker to obtain all the keys and thus to crack the encrypted information, and thereby improves the security of the encrypted information.
  • Step 204 Encrypt the second key by using the first key.
  • the second key may be encrypted with the first key.
  • the second key encrypted by the first key can be saved.
  • the encrypted second key is saved corresponding to the encrypted data to be encrypted.
  • the encrypted second key may be stored in the same storage location as the encrypted data to be encrypted; alternatively, the encrypted second key and the encrypted data to be encrypted may be stored in different storage locations, and the correspondence between the storage location of the encrypted second key and the storage location of the encrypted data to be encrypted is stored.
  • the encrypted second key may be correspondingly saved with the encrypted data to be encrypted.
  • in order to improve the efficiency of encrypting data, the second key may not be generated; instead the first key is directly used to encrypt the data to be encrypted, that is, the first key is the key used to encrypt the data to be encrypted.
  • on the basis of encrypting the data to be encrypted by using the first key, the first key may in turn be encrypted by the second key, and the encrypted first key is saved corresponding to the encrypted data to be encrypted.
  • the manner of encrypting the data to be encrypted by using the first key may be the same as the method of encrypting the data to be encrypted by using the second key, and details are not described herein.
  • Step 205 Generate verification data for verifying the integrity of the data to be encrypted, and the verification data is saved corresponding to the encrypted data to be encrypted.
  • the verification data of the data to be encrypted may be generated, and the verification data may be saved corresponding to the encrypted data to be encrypted.
  • the verification data is used for verification of the data to be encrypted, including integrity verification.
  • the verification data for integrity verification may include a hash value.
  • the hash value is a binary value computed from file data (such as the data to be encrypted) and used for integrity verification of that file data.
  • the hash value of the data to be encrypted may be determined and used as the verification data.
  • the verification data may also include other information; for example, in addition to the information used for integrity verification, it may include attribute information of the data to be encrypted. Correspondingly, the attribute information of the data to be encrypted may be determined, and the determined attribute information is used as the verification data.
  • the attribute information is information indicating an attribute of the data to be encrypted, for example, the attribute information may include at least one of a size and a data type of the data to be encrypted.
  • the size of the data to be encrypted describes the amount of data it contains.
  • the type of data to be encrypted is used to describe the format or category of the data to be encrypted.
  • the manner in which the verification data is saved in correspondence with the encrypted data to be encrypted may be the same as the manner in which the encrypted second key is saved in correspondence with the encrypted data to be encrypted, and details are not described herein again.
  • step 205 is an optional step.
  • Step 206 Output an encryption result to the data source of the data to be encrypted through the second interface.
  • the encryption result may be output to the application that is the data source. In order to simplify the system architecture in the hardware device, lower the development cost of the application, and improve the security and reliability of the application and the hardware device, the encryption result can be output to the data source through the unified interface, that is, the second interface.
  • the data source is the source of the data to be encrypted, and may include the application in the foregoing.
  • the encryption result is the result of encrypting the data to be encrypted, and may include the encrypted data to be encrypted.
  • if the data to be encrypted is encrypted with the second key and the second key is encrypted with the first key, the encryption result may further include the second key encrypted by the first key. If verification data for the data to be encrypted was also generated in the foregoing, the encryption result may further include the verification data.
  • In summary, the first key uniquely corresponding to the hardware device is generated by using the root of trust program, and the data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of data and hardware devices.
  • Secondly, the first key can be generated by the software trust root program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.
  • In addition, the system architecture is more concise, which also reduces the development cost of the application, reduces encryption failures caused by errors in adapting the application to the first interface of the hardware trust root program, and improves the reliability of encrypting the data, which in turn increases the security and reliability of data and hardware devices.
  • Furthermore, the second key can be randomly generated, the data to be encrypted is encrypted with the second key, and the second key is encrypted with the first key. Since multiple keys are less likely to be cracked than one, and the randomly generated second key ensures that different data to be encrypted is encrypted with different keys, the complexity of cracking the data is effectively increased, further improving the security of data and hardware devices.
  • Referring to FIG. 3, a flowchart of a data encryption method according to an embodiment of the present application is shown. The specific steps include:
  • Step 301 Generate a first key uniquely corresponding to the hardware device by using a root of trust program.
  • in order to avoid the problem that, once the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer are also cracked, and to effectively improve the security of data and hardware devices, the root of trust program may be used to generate a key uniquely corresponding to the hardware device.
  • the hardware device has a dedicated hardware root program.
  • the first key can be generated by accessing a hardware trust root program built in the hardware device.
  • the hardware trust root program may include a TEE.
  • the hardware trust root program may be accessed through the first interface, where the interface type of the first interface is adapted to the program type of the hardware trust root program.
  • for example, the first interface may include an interface of the Linux SGX driver; if the hardware trust root program is a TEE, the first interface may include the GP Client API, where the GP Client API is the name of the interface compatible with the TEE.
  • the hardware device may include at least one of a hardware root program and a software root program, to ensure that the first key can be generated regardless of whether the hardware device has hardware security capability and to improve the reliability of generating the first key.
  • Step 302 Encrypt data according to the first key.
  • In summary, the first key uniquely corresponding to the hardware device is generated by using the root of trust program, and the data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of data and hardware devices.
  • the hardware root program built into the hardware device can be accessed to generate a first key, which improves the reliability of generating the first key.
  • Referring to FIG. 4, a flowchart of a data decryption method according to an embodiment of the present application is shown. The specific steps include:
  • Step 401 Generate a first key uniquely corresponding to the hardware device by using a software root program.
  • the key may not be written into the hardware code.
  • the first key is generated by the root of trust program, and the generated key uniquely corresponds to the hardware device.
  • On the one hand, the possibility that a hacker obtains the first key directly from the code is reduced; on the other hand, even if the key of some hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, so that the security of data and hardware devices can be effectively improved.
  • since some hardware devices may not have the hardware that the hardware trust root program depends on, in order to ensure that a hardware device can generate the first key regardless of its hardware capability, improve the reliability of generating the first key, ensure the security of data and hardware devices, and reduce costs, the software trust root program may be called to generate the first key.
  • Step 402 Decrypt the encrypted data according to the first key.
  • the encrypted data can be decrypted according to the first key.
  • the encrypted data may be the encrypted data to be encrypted in the foregoing.
  • the encrypted data may be decrypted according to the first key in a manner corresponding to the foregoing method of encrypting the data according to the first key. For example, if the data to be encrypted was encrypted with the first key, the first key may be used to decrypt the encrypted data; if a plurality of keys including the first key were used to encrypt the data, the other keys of the plurality apart from the first key may be obtained, and the plurality of keys including the first key are used to decrypt the encrypted data.
  • In summary, the first key uniquely corresponding to the hardware device is generated by using the root of trust program, and the data is decrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of data and hardware devices.
  • Secondly, the first key can be generated by the software trust root program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.
  • Referring to FIG. 5, a flowchart of a data decryption method according to an embodiment of the present application is shown. The specific steps include:
  • Step 501 Generate a first key uniquely corresponding to the hardware device by using a software root program.
  • Step 502 Acquire encrypted data through the second interface.
  • the encrypted data of each data source can be obtained through a unified interface, that is, the second interface.
  • the encrypted second key and/or check data saved corresponding to the encrypted data may also be acquired through the second interface.
  • the second key may be a key randomly generated for the encrypted data.
  • the encrypted second key and/or the check data may be obtained from their storage location; if a correspondence between the storage location of the second key and/or the check data and the storage location of the encrypted data is recorded, the storage location of the second key and/or the check data may be determined from the storage location of the encrypted data, so as to obtain the second key and/or the check data.
  • alternatively, the second key and/or the check data may not be acquired in this step, but only later, when the second key and/or the check data are needed.
  • Step 503 Decrypt the encrypted data according to the first key.
  • since the possibility that multiple keys are all cracked is smaller than the possibility that a single key is cracked, in order to improve the security of data and hardware devices, the first key may be generated, the encrypted second key saved in correspondence with the encrypted data may be obtained, the encrypted second key may be decrypted with the first key to obtain the second key, and the second key may then be used to decrypt the encrypted data. That is, the security of data and hardware devices is improved through hierarchical key management.
  • Step 504 Acquire verification data, where the verification data is saved corresponding to the encrypted data, and the verification data is used to verify the integrity of the decryption result.
  • the verification data may be acquired to verify the decrypted result.
  • the decryption result is the result of decrypting the encrypted data, and the decrypted result can be the data to be encrypted in the foregoing.
  • the verification data may be regenerated from the decryption result and compared with the obtained verification data; if they are consistent, the decryption result is determined to be complete, otherwise it is determined not to be complete.
  • if the verification data includes a first hash value, then correspondingly a second hash value of the decryption result may be generated; if the second hash value is consistent with the first hash value, it is confirmed that the decryption result is complete, and if the second hash value does not match the first hash value, it is confirmed that the decryption result is not complete.
  • the first hash value is the hash value of the data to be encrypted determined during the foregoing encryption process; the second hash value is the hash value generated from the decryption result. If the data to be encrypted is consistent with the decryption result, that is, the decryption result is complete, the first hash value and the second hash value should also be consistent.
  • accordingly, the verification data including the first hash value may be obtained, the second hash value of the decryption result generated, and the first hash value compared with the second hash value to determine whether they are consistent.
  • if first attribute information of the data to be encrypted is included in the verification data, then correspondingly second attribute information of the decryption result may be obtained and compared with the first attribute information; if they are consistent, the decryption result is determined to be complete, otherwise it is determined not to be complete.
  • the first attribute information is attribute information generated from the data to be encrypted, and the second attribute information is attribute information generated from the decryption result. If the data to be encrypted is consistent with the decryption result, that is, the decryption result is complete, the first attribute information should also be consistent with the second attribute information.
  • step 504 is an optional step.
  • Step 505 Output the decryption result through the second interface.
  • the decryption result may be output to the application that is the data source. In order to simplify the system architecture in the hardware device, lower the development cost of the application, and improve the security and reliability of the application and the hardware device, the decryption result can be output through the unified interface, that is, the second interface.
  • the decryption result may be output to the data source of the encrypted data through the second interface.
  • In summary, the first key uniquely corresponding to the hardware device is generated by using the root of trust program, and the data is decrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of data and hardware devices.
  • Secondly, the first key can be generated by the software trust root program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.
  • the first key can be generated by the hardware trust root program or the software trust root program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, and the reliability of generating the first key is improved.
  • a unified second interface can be provided, through which the encrypted data is obtained and the decryption result is output, ensuring that each application can use the functions of the trusted root program through a unified interface. This makes the system architecture of the hardware device more concise, which also reduces the development cost of the application, reduces decryption failures caused by errors in adapting the application to the first interface of the hardware trust root program, and improves the reliability of decrypting the data, which in turn improves the security and reliability of data and hardware devices.
  • the encrypted second key can be decrypted with the first key, and the encrypted data decrypted with the second key. Since multiple keys are less likely to be cracked, the complexity of cracking the data is effectively increased, further improving the security of data and hardware devices.
  • Referring to FIG. 6, a flowchart of a data decryption method according to an embodiment of the present application is shown. The specific steps include:
  • Step 601 Generate a first key uniquely corresponding to the hardware device by using a root of trust program.
  • in order to avoid the problem that, once the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer are also cracked, and to effectively improve the security of data and hardware devices, the root of trust program may be used to generate a key uniquely corresponding to the hardware device.
  • the hardware device has a dedicated hardware root program.
  • when the hardware device has a dedicated hardware root program, in order to improve the reliability of generating the first key and ensure that the data and the device can be secured, the hardware trust root program built into the hardware device may be accessed to generate the first key.
  • the hardware trusted root program may be accessed through the first interface.
  • the interface type of the first interface is adapted to the program type of the hardware trusted root program.
  • Step 602 Decrypt the encrypted data according to the first key.
  • In summary, the first key uniquely corresponding to the hardware device is generated by using the root of trust program, and the data is decrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of data and hardware devices.
  • the hardware root program built into the hardware device can be accessed to generate a first key, which improves the reliability of generating the first key.
  • Referring to FIG. 7, a flowchart of a data processing method according to an embodiment of the present application is shown. The specific steps include:
  • Step 701 The hardware trust root program or the software trust root program generates a root key.
  • the root key may include the first key in the foregoing.
  • if the hardware device has the hardware that the hardware trust root program depends on, the root key may be generated by the hardware trust root; if the hardware device does not have that hardware, the root key can be generated by the software trust root.
  • Step 702 The root key is saved in secure storage by the hardware trust root program or the software trust root program.
  • Step 703 The file key is encrypted with the root key by the hardware root program or the software root program.
  • the file key is a key for encrypting the data to be encrypted in the foregoing, and may include, for example, the second key in the foregoing.
  • Step 704 Encrypt the data to be encrypted with the file key, and store the file key encrypted by the root key.
  • that is, the root key is not used directly to encrypt the data to be encrypted, but to encrypt the file key that encrypts the data to be encrypted.
  • likewise, the root key is not used directly to decrypt the encrypted data, but to decrypt the file key that decrypts the encrypted data. This ensures that different keys can be provided for different hardware devices and different data for encryption or decryption, which reduces the possibility of data being cracked and increases the security of data and hardware devices.
  • Step 705 Provide a secure storage function to the application layer through a unified interface.
  • the data to be encrypted submitted by the application can be received through a unified interface and the encryption result output to the application; or the encrypted data submitted by the application is received and the decryption result output to the application.
  • the unified interface may include the second interface in the foregoing.
  • Referring to FIG. 8, a flowchart of a data encryption method according to an embodiment of the present application is shown. The specific steps include:
  • Step 801 The trusted root program generates a first key, and saves the first key in a storage location corresponding to the trusted root program.
  • Step 802 The trusted root program encrypts the second key with the first key.
  • Step 803 Encrypt the data to be encrypted with the second key.
  • Step 804 Generate a hash value of the data to be encrypted.
  • Step 805 Combine the encrypted data to be encrypted, the hash value of the data to be encrypted, and the second key encrypted by the first key into one file for storage.
  • Step 901 The trusted root program reads the encrypted data.
  • Step 902 The trusted root program decrypts the encrypted second key with the first key.
  • Step 903 Decrypt the encrypted data with the second key.
  • Step 904 Generate a hash value of the decryption result.
  • Step 905 Determine whether the generated hash value is consistent with the previously saved hash value of the data to be encrypted.
  • Step 906 Output the decryption result.
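The hierarchical scheme of FIG. 7 to FIG. 9 (steps 801-805 for encryption, steps 901-906 for decryption including the hash check of step 504), as an added example that is not part of the patent or of any implementation by the applicant. It assumes AES-256-GCM for both the data encryption and the wrapping of the second key, SHA-256 as the hash value, and a hypothetical FirstKey function standing in for the trust root program, since the application does not specify how the first key is derived.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const (
	keyLen   = 32 // AES-256 keys for the first (root) key and the second (file) key
	nonceLen = 12 // AES-GCM nonce size
	tagLen   = 16 // AES-GCM authentication tag size
	// Combined file layout (step 805): keyNonce | wrapped second key | SHA-256 hash | dataNonce | ciphertext
	headerLen = nonceLen + keyLen + tagLen + sha256.Size + nonceLen
)

var ErrFormat = errors.New("encrypted file too short")
var ErrIntegrity = errors.New("hash of decryption result does not match stored check data")

// FirstKey is a hypothetical stand-in for the trust root program (steps 301/401/801): it derives
// a key unique to one hardware device from a device secret and identifier held by the root of
// trust. A real device would obtain this key from its hardware or software trust root program.
func FirstKey(deviceSecret, deviceID []byte) []byte {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write([]byte("first-key:"))
	mac.Write(deviceID)
	return mac.Sum(nil) // 32 bytes
}

// newGCM builds an AES-256-GCM instance; it only fails on a malformed key length.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt performs steps 801-805: a random second key encrypts the data, the first key wraps the
// second key, a hash of the plaintext is recorded, and all parts are combined into one file.
func Encrypt(firstKey, plaintext []byte) ([]byte, error) {
	rnd := make([]byte, keyLen+2*nonceLen) // random second key (step 203) plus both GCM nonces
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	secondKey, keyNonce, dataNonce := rnd[:keyLen], rnd[keyLen:keyLen+nonceLen], rnd[keyLen+nonceLen:]
	keyAEAD, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(secondKey)
	if err != nil {
		return nil, err
	}
	wrapped := keyAEAD.Seal(nil, keyNonce, secondKey, nil)      // step 802
	ciphertext := dataAEAD.Seal(nil, dataNonce, plaintext, nil) // step 803
	hash := sha256.Sum256(plaintext)                            // step 804
	// step 805: the encrypted data, its hash and the wrapped second key become one file
	return bytes.Join([][]byte{keyNonce, wrapped, hash[:], dataNonce, ciphertext}, nil), nil
}

// Decrypt performs steps 901-906 and returns the plaintext only if the second key unwraps under
// this device's first key and the recomputed hash matches the stored check data.
func Decrypt(firstKey, file []byte) ([]byte, error) {
	if len(file) < headerLen+tagLen {
		return nil, ErrFormat
	}
	keyNonce := file[:nonceLen]
	wrapped := file[nonceLen : nonceLen+keyLen+tagLen]
	storedHash := file[nonceLen+keyLen+tagLen : headerLen-nonceLen]
	dataNonce := file[headerLen-nonceLen : headerLen]
	ciphertext := file[headerLen:]
	keyAEAD, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	secondKey, err := keyAEAD.Open(nil, keyNonce, wrapped, nil) // step 902: fails under another device's key
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(secondKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := dataAEAD.Open(nil, dataNonce, ciphertext, nil) // step 903
	if err != nil {
		return nil, err
	}
	hash := sha256.Sum256(plaintext) // step 904
	if !hmac.Equal(hash[:], storedHash) { // step 905, compared in constant time
		return nil, ErrIntegrity
	}
	return plaintext, nil // step 906
}
```

Because GCM already authenticates the ciphertext, the step 905 hash check only adds detection for a corrupted or swapped check-data field; the test below exercises that case separately from a modified ciphertext.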
  • the apparatus includes:
  • the first key generation module 1001 is configured to generate, by using a software root program, a first key uniquely corresponding to the hardware device;
  • the data encryption module 1002 is configured to encrypt data according to the first key.
  • the data encryption module includes:
  • a key random generation sub-module configured to randomly generate a second key;
  • a data encryption submodule configured to encrypt data to be encrypted by using the second key, where the first key is used to encrypt the second key.
  • the device further includes:
  • a second key encryption module configured to encrypt the second key by using the first key.
  • the device further includes:
  • a second key storage module configured to save the encrypted second key corresponding to the encrypted data to be encrypted.
  • the device further includes:
  • the verification data generating module is configured to generate verification data for verifying integrity of the data to be encrypted, and the verification data is saved corresponding to the encrypted data to be encrypted.
  • the verification data generating module includes:
  • a hash value determining submodule is configured to determine a hash value of the data to be encrypted.
  • the device further includes:
  • the data receiving module to be encrypted is configured to provide a second interface for receiving data to be encrypted, and receive the data to be encrypted through the second interface;
  • an encryption result output module configured to output an encryption result to the data source of the data to be encrypted by using the second interface.
  • In summary, the first key uniquely corresponding to the hardware device is generated by using the root of trust program, and the data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of data and hardware devices.
  • Secondly, the first key can be generated by the software trust root program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.
  • the apparatus includes:
  • the first key generation module 1101 is configured to generate a first key uniquely corresponding to the hardware device by using a root of trust program;
  • the data encryption module 1102 is configured to encrypt data according to the first key.
  • the first key generation module includes:
  • the first key generation submodule is configured to access a hardware root program built in the hardware device to generate the first key.
  • the hardware device has a dedicated hardware root program, and the first key generation sub-module is further configured to:
  • the hardware trusted root program is accessed through the first interface, and the interface type of the first interface is adapted to the program type of the hardware trusted root program.
  • the first key uniquely corresponding to the hardware device can be generated by using the root of trust program, and the data is encrypted according to the first key, thereby reducing the possibility that a hacker or the like obtains the first key directly from the code. It also ensures that even if the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of data and hardware devices.
  • the apparatus includes:
  • the first key generation module 1201 is configured to generate, by using a software root program, a first key uniquely corresponding to the hardware device;
  • the data decryption module 1202 is configured to decrypt the encrypted data according to the first key.
  • the data decryption module includes:
  • a key acquisition submodule configured to generate the first key and obtain an encrypted second key, where the encrypted second key is saved corresponding to the encrypted data;
  • a second key decrypting submodule configured to decrypt the encrypted second key by using the first key to obtain a second key;
  • a data decryption submodule configured to decrypt the encrypted data by using the second key.
  • the device further includes:
  • a verification data acquisition module configured to acquire verification data, where the verification data is saved corresponding to the encrypted data;
  • an integrity verification module configured to verify the integrity of the decryption result by using the verification data.
  • the verification data includes a first hash value of the decryption result, and
  • the integrity verification module includes:
  • a second hash value generating submodule configured to generate a second hash value of the decryption result;
  • an integrity verification confirmation submodule configured to compare the second hash value with the first hash value, and to confirm that the decryption result is complete if they are consistent.
  • the device further includes:
  • the decryption result output module is configured to output the decryption result through the second interface.
  • In summary, the first key uniquely corresponding to the hardware device is generated by using the root of trust program, and the data is decrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of data and hardware devices.
  • Secondly, the first key can be generated by the software trust root program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.
  • Referring to FIG. 13, a structural block diagram of a data decryption apparatus according to an embodiment of the present application is shown. The apparatus comprises:
  • the first key generation module 1301 is configured to generate a first key uniquely corresponding to the hardware device by using a root of trust program;
  • the data decryption module 1302 is configured to decrypt the encrypted data according to the first key.
  • the first key generation module includes:
  • the first key generation submodule is configured to access a hardware root program built in the hardware device to generate the first key.
  • the hardware device has a dedicated hardware root program, and the first key generation sub-module is further configured to:
  • the hardware trusted root program is accessed through the first interface, and the interface type of the first interface is adapted to the program type of the hardware trusted root program.
  • the first key uniquely corresponding to the hardware device can be generated by using the root of trust program, and the data is decrypted according to the first key, thereby reducing the possibility that a hacker or the like obtains the first key directly from the code. It also ensures that even if the key of one hardware device is cracked, the keys of hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of data and hardware devices.
  • the description of the apparatus embodiments is relatively simple, and for the relevant parts reference may be made to the description of the method embodiments.
  • Embodiments of the present application can be implemented as a system for performing a desired configuration using any suitable hardware, firmware, software, or any combination thereof.
  • FIG. 14 schematically illustrates an exemplary system (or apparatus) 1400 that can be used to implement various embodiments described in this application.
  • FIG. 14 illustrates an exemplary system 1400 having one or more processors 1402, a system control module (chipset) 1404 coupled to at least one of the processor(s) 1402, system memory 1406 coupled to the system control module 1404, non-volatile memory (NVM)/storage device 1408 coupled to the system control module 1404, one or more input/output devices 1410 coupled to the system control module 1404, and a network interface 1412 coupled to system control module 1406.
  • Processor 1402 can include one or more single or multiple core processors, and processor 1402 can comprise any combination of general purpose or special purpose processors (eg, graphics processors, application processors, baseband processors, etc.).
  • system 1400 can be implemented as a hardware device as described in embodiments of the present application.
  • system 1400 can include one or more computer readable media (eg, system memory 1406 or NVM/storage device 1408) having instructions, and one or more processors 1402 coupled with the one or more computer readable media and configured to execute the instructions to implement the modules that perform the actions described herein.
  • system control module 1404 can include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 1402 and/or to any suitable device or component in communication with system control module 1404.
  • System control module 1404 can include a memory controller module to provide an interface to system memory 1406.
  • the memory controller module can be a hardware module, a software module, and/or a firmware module.
  • System memory 1406 can be used, for example, to load and store data and/or instructions for system 1400.
  • system memory 1406 can include any suitable volatile memory, such as a suitable DRAM.
  • system memory 1406 can include double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
  • system control module 1404 can include one or more input/output controllers to provide an interface to NVM/storage device 1408 and input/output device(s) 1410.
  • NVM/storage device 1408 can be used to store data and/or instructions.
  • NVM/storage device 1408 may comprise any suitable non-volatile memory (eg, flash memory) and/or may include any suitable non-volatile storage device(s) (eg, one or more hard disk drives (HDD), one or more compact disc (CD) drives and/or one or more digital versatile disc (DVD) drives).
  • NVM/storage device 1408 can include storage resources that are physically part of the device on which system 1400 is installed, or that can be accessed by the device without having to be part of the device.
  • the NVM/storage device 1408 can be accessed via the network via the input/output device(s) 1410.
  • the input/output device(s) 1410 can provide an interface to the system 1400 to communicate with any other suitable device, and the input/output device 1410 can include a communication component, an audio component, a sensor component, and the like.
  • Network interface 1412 can provide an interface for system 1400 to communicate over one or more networks, and system 1400 can interact with one or more of the wireless networks in accordance with any one or more of the wireless network standards and/or protocols.
  • the components communicate wirelessly, such as by accessing a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof for wireless communication.
  • At least one of the processor(s) 1402 can be packaged with logic of one or more controllers (eg, memory controller modules) of the system control module 1404.
  • at least one of the processor(s) 1402 can be packaged with the logic of one or more controllers of the system control module 1404 to form a system in package (SiP).
  • at least one of the processor(s) 1402 can be integrated on the same die as the logic of one or more controllers of the system control module 1404.
  • at least one of the processor(s) 1402 can be integrated with the logic of one or more controllers of the system control module 1404 on the same die to form a system on a chip (SoC).
  • system 1400 can be, but is not limited to, a workstation, a desktop computing device, or a mobile computing device (eg, a laptop computing device, a handheld computing device, a tablet, a netbook, etc.).
  • system 1400 can have more or fewer components and/or different architectures.
  • system 1400 includes one or more cameras, a keyboard, a liquid crystal display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an application specific integrated circuit (ASIC) and speakers.
  • the display screen can be implemented as a touch screen display to receive an input signal from the user.
  • the touch panel includes one or more touch sensors to sense touches, slides, and gestures on the touch panel.
  • the touch sensor may sense not only the boundary of the touch or sliding action, but also the duration and pressure associated with the touch or slide operation.
  • the embodiment of the present application further provides a non-volatile readable storage medium, where the storage medium stores one or more programs, and when the one or more programs (modules) are applied to a terminal device, the terminal device may be caused to execute the instructions of the method steps in the embodiment of the present application.
  • An apparatus comprising: one or more processors; and one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform a method performed by a hardware device as in the embodiment of the present application.
  • Also provided in one example are one or more machine-readable media having stored thereon instructions that, when executed by one or more processors, cause the apparatus to perform a method performed by a hardware device in an embodiment of the present application.
  • the embodiment of the present application discloses a data encryption and decryption method and device.
  • Example 1 A data encryption method, including:
  • Example 2 may include the method of example 1, the encrypting data according to the first key comprising:
  • the data to be encrypted is encrypted by using the second key, and the first key is used to encrypt the second key.
  • Example 3 may include the method of example 2, the method further comprising:
  • Example 4 may include the method of example 3, after the encrypting the second key with the first key, the method further comprises:
  • the encrypted second key is saved corresponding to the encrypted data to be encrypted.
  • Example 5 may include the method of example 1, the method further comprising:
  • Check data for verifying the integrity of the data to be encrypted is generated, and the check data is saved corresponding to the encrypted data to be encrypted.
  • Example 6 may include the method of example 5, the generating verification data for verifying integrity of data to be encrypted comprises:
  • Example 7 may include the method of example 1, before encrypting data according to the first key, the method further comprising:
  • the method further includes:
  • Example 8 a data decryption method, comprising:
  • the encrypted data is decrypted according to the first key.
  • Example 9 may include the method of example 8, the decrypting the encrypted data according to the first key comprises:
  • the encrypted data is decrypted using the second key.
  • Example 10 can include the method of example 8, the method further comprising:
  • the check data is used to verify the integrity of the decrypted result.
  • Example 11 may include the method of example 10, the check data includes a first hash value of the decrypted result, and the verifying the integrity of the decrypted result by using the check data comprises:
  • Example 12 may include the method of example 8, the method further comprising:
  • the decryption result is output through the second interface.
  • Example 13 a data encryption method, comprising:
  • Example 14 may include the method of example 13, the generating the first key uniquely corresponding to the hardware device by using the root of trust program comprises:
  • Example 15 may include the method of example 14, the hardware device having a dedicated hardware trust root program, the accessing the hardware trust root program built into the hardware device comprising:
  • the hardware trusted root program is accessed through the first interface, and the interface type of the first interface is adapted to the program type of the hardware trusted root program.
  • Example 16 a data decryption method, comprising:
  • the encrypted data is decrypted according to the first key.
  • Example 17 may include the method of example 16, the generating the first key uniquely corresponding to the hardware device by using the root of trust program comprises:
  • Example 18 may include the method of example 17, the hardware device having a dedicated hardware trust root program, the accessing the hardware trust root program built into the hardware device comprising:
  • the hardware trusted root program is accessed through the first interface, and the interface type of the first interface is adapted to the program type of the hardware trusted root program.
  • Example 19 A data encryption device, comprising:
  • a first key generation module configured to generate a first key uniquely corresponding to the hardware device by using a software root program
  • a data encryption module configured to encrypt data according to the first key.
  • Example 20 can include the apparatus of example 19, the data encryption module comprising:
  • a key random generation sub-module configured to randomly generate a second key
  • a data encryption submodule configured to encrypt data to be encrypted by using the second key, where the first key is used to encrypt the second key.
  • Example 21 can include the apparatus of example 20, the apparatus further comprising:
  • a second key encryption module configured to encrypt the second key by using the first key.
  • Example 22 can include the apparatus of example 19, the apparatus further comprising:
  • the verification data generating module is configured to generate verification data for verifying integrity of the data to be encrypted, and the verification data is saved corresponding to the encrypted data to be encrypted.
  • Example 23 may include the device of example 19, the device further comprising:
  • the data receiving module to be encrypted is configured to provide a second interface for receiving data to be encrypted, and receive the data to be encrypted through the second interface;
  • an encryption result output module configured to output an encryption result to the data source of the data to be encrypted by using the second interface.
  • Example 24 A data decryption apparatus comprising:
  • a first key generation module configured to generate a first key uniquely corresponding to the hardware device by using a software root program
  • a data decrypting module configured to decrypt the encrypted data according to the first key.
  • Example 25 can include the apparatus of example 24, the data decryption module comprising:
  • a key acquisition submodule configured to generate the first key, and obtain an encrypted second key, where the encrypted second key is saved corresponding to the encrypted data
  • a second key decrypting submodule configured to decrypt the encrypted second key by using the first key to obtain a second key
  • a data decryption submodule for decrypting the encrypted data using the second key.
  • Example 26 can include the apparatus of example 24, the apparatus further comprising:
  • a verification data acquisition module configured to acquire verification data, where the verification data is saved corresponding to the encrypted data
  • An integrity verification module is configured to verify the integrity of the decrypted result by using the verification data.
  • Example 27 can include the apparatus of example 24, the apparatus further comprising:
  • the decryption result output module is configured to output the decryption result through the second interface.
  • Example 28 A data encryption device, comprising:
  • a first key generation module configured to generate a first key uniquely corresponding to the hardware device by using a root of trust program
  • a data encryption module configured to encrypt data according to the first key.
  • Example 29 may include the apparatus of example 28, the first key generation module comprising:
  • the first key generation submodule is configured to access a hardware root program built in the hardware device to generate the first key.
  • Example 30 A data decryption apparatus comprising:
  • a first key generation module configured to generate a first key uniquely corresponding to the hardware device by using a root of trust program
  • a data decrypting module configured to decrypt the encrypted data according to the first key.
  • Example 31 may include the apparatus of example 30, the first key generation module comprising:
  • the first key generation submodule is configured to access a hardware root program built in the hardware device to generate the first key.
  • Example 32 an apparatus comprising: one or more processors; and one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform the method of one or more of Examples 1 to 18.
  • Example 33 one or more machine-readable media having stored thereon instructions that, when executed by one or more processors, cause the apparatus to perform the method of one or more of Examples 1 to 18.

Abstract

An embodiment of the present application provides a data encryption and decryption method and device. The data encryption method comprises: generating, by using a software root of trust program, a first secret key uniquely corresponding to a hardware device, and encrypting data according to the first secret key. The present application can reduce the possibility that a hacker or the like directly acquires the first secret key from code, and also ensures that even if the secret key of a certain hardware device is cracked, the secret keys in hardware devices that fall within the same category as, or belong to the same hardware manufacturer as, the described hardware device remain secure. Therefore, the security of the data and the hardware device is effectively improved. In addition, whether or not the hardware device has hardware security capabilities, generation of a first secret key can be ensured, thereby improving the reliability of generating the first secret key.

Description

Data encryption and decryption method and device
The present application claims priority to Chinese Patent Application No. 201810274311.5, filed on March 29, 2018 and entitled "Data encryption and decryption method and device", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of computer technology, and in particular to a data encryption and decryption method and device.
Background art
With the development of the Internet of Things and computer technology, a large number of hardware devices with weak hardware security capabilities and limited resources have been put into use, for example the various hardware devices that serve as IoT terminal nodes. These devices are usually inexpensive, have no security protection or protection that is difficult to set up, and have no hardware security capability, so the data in such a device is easily obtained by a hacker or the like and its security is poor.
In the prior art, a key can be written into the code of the hardware device, so that the data in the hardware device can be encrypted with that key. However, writing the key into the device's code makes it difficult to achieve one key per machine (per hardware device): the key is the same in all hardware devices of the same type or from the same hardware manufacturer. Therefore, when the key in one hardware device is cracked, the keys of the other hardware devices of the same type or from the same manufacturer are all leaked, which makes data security hard to guarantee and results in low security of both the data and the hardware devices.
Summary of the invention
In view of the above problems, the present application is proposed in order to provide a data encryption and decryption method and device that overcome the above problems or at least partially solve them.
The present application provides a data encryption method, including:
generating, by using a software root of trust program, a first key uniquely corresponding to a hardware device; and
encrypting data according to the first key.
Optionally, encrypting the data according to the first key includes:
randomly generating a second key; and
encrypting the data to be encrypted by using the second key, where the first key is used to encrypt the second key.
Optionally, the method further includes:
encrypting the second key by using the first key.
Optionally, after encrypting the second key by using the first key, the method further includes:
saving the encrypted second key in correspondence with the encrypted data.
Optionally, the method further includes:
generating check data for verifying the integrity of the data to be encrypted, where the check data is saved in correspondence with the encrypted data.
Optionally, generating the check data for verifying the integrity of the data to be encrypted includes:
determining a hash value of the data to be encrypted.
Optionally, before encrypting the data according to the first key, the method further includes:
providing a second interface for receiving the data to be encrypted, and receiving the data to be encrypted through the second interface; and
after encrypting the data according to the first key, the method further includes:
outputting the encryption result to the data source of the data to be encrypted through the second interface.
The present application further provides a data decryption method, including:
generating, by using a software root of trust program, a first key uniquely corresponding to a hardware device; and
decrypting encrypted data according to the first key.
Optionally, decrypting the encrypted data according to the first key includes:
generating the first key, and obtaining an encrypted second key, where the encrypted second key is saved in correspondence with the encrypted data;
decrypting the encrypted second key by using the first key to obtain a second key; and
decrypting the encrypted data by using the second key.
Optionally, the method further includes:
obtaining check data, where the check data is saved in correspondence with the encrypted data; and
verifying the integrity of the decryption result by using the check data.
Optionally, the check data includes a first hash value of the decryption result, and verifying the integrity of the decryption result by using the check data includes:
generating a second hash value of the decryption result; and
comparing the second hash value with the first hash value, and if they are consistent, confirming that the decryption result is complete.
Optionally, the method further includes:
outputting the decryption result through a second interface.
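The encryption method and the decryption method summarized above form one envelope scheme: a device-unique first key wraps a random second key, the second key encrypts the data, and a hash of the plaintext is stored beside the ciphertext as check data. The following is an added example written for this page, not code from the application or its assignee. It takes the first key as an input (the root of trust derivation is a separate concern), and it uses an HMAC-SHA256 counter-mode keystream as a stand-in for AES-CTR so that it runs with only the Python standard library; the record layout and the function names are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Added demonstration of the envelope scheme described on this page:
#   first key  -> device-unique key from the root of trust, supplied by the caller
#   second key -> random per record, encrypts the data
#   the first key wraps the second key; the wrapped second key and a SHA-256 of the
#   plaintext (the check data) are stored in correspondence with the ciphertext.
# Assumption: the keystream is HMAC-SHA256 in counter mode, used here instead of
# AES-CTR so the example needs no third-party package. Every key/nonce pair must
# be fresh: reusing a nonce under the same key leaks the XOR of two plaintexts.


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (demo PRF cipher)."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[start:start + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def encrypt_record(first_key: bytes, plaintext: bytes) -> dict:
    """Encrypt plaintext with a fresh second key and wrap that key with the first key."""
    second_key = secrets.token_bytes(32)       # randomly generated second key
    data_nonce = secrets.token_bytes(16)
    key_nonce = secrets.token_bytes(16)
    return {
        "ciphertext": _keystream_xor(second_key, data_nonce, plaintext),
        "data_nonce": data_nonce,
        # encrypted second key, saved in correspondence with the encrypted data
        "wrapped_key": _keystream_xor(first_key, key_nonce, second_key),
        "key_nonce": key_nonce,
        # check data: hash of the data to be encrypted
        "check": hashlib.sha256(plaintext).digest(),
    }


def decrypt_record(first_key: bytes, record: dict) -> bytes:
    """Unwrap the second key, decrypt, and compare the second hash with the stored first hash."""
    second_key = _keystream_xor(first_key, record["key_nonce"], record["wrapped_key"])
    plaintext = _keystream_xor(second_key, record["data_nonce"], record["ciphertext"])
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), record["check"]):
        # a wrong first key, a wrong wrapped key or a modified ciphertext all end here
        raise ValueError("integrity check failed: decryption result is not complete")
    return plaintext


if __name__ == "__main__":
    device_first_key = b"\x11" * 32            # constructed stand-in for the derived first key
    rec = encrypt_record(device_first_key, b"sensor reading 42")
    assert decrypt_record(device_first_key, rec) == b"sensor reading 42"
```

Two points a practitioner would check in this design: the check data is an unkeyed hash of the plaintext, so anyone holding the stored record can test guesses of low-entropy plaintext against it, and it is not bound to the ciphertext; a keyed MAC or an AEAD mode such as AES-GCM under the second key gives the same integrity guarantee without that leak. The wrong-key path also depends on the hash mismatch alone, which is why the comparison uses a constant-time function and why the first key itself should never be stored next to the record.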
The present application further provides a data encryption method, including:
generating, by using a root of trust program, a first key uniquely corresponding to a hardware device; and
encrypting data according to the first key.
Optionally, generating, by using the root of trust program, the first key uniquely corresponding to the hardware device includes:
accessing a hardware root of trust program built into the hardware device to generate the first key.
Optionally, the hardware device has a dedicated hardware root of trust program, and accessing the hardware root of trust program built into the hardware device includes:
accessing the hardware root of trust program through a first interface, where the interface type of the first interface is adapted to the program type of the hardware root of trust program.
The present application further provides a data decryption method, including:
generating, by using a root of trust program, a first key uniquely corresponding to a hardware device; and
decrypting encrypted data according to the first key.
Optionally, generating, by using the root of trust program, the first key uniquely corresponding to the hardware device includes:
accessing a hardware root of trust program built into the hardware device to generate the first key.
Optionally, the hardware device has a dedicated hardware root of trust program, and accessing the hardware root of trust program built into the hardware device includes:
accessing the hardware root of trust program through a first interface, where the interface type of the first interface is adapted to the program type of the hardware root of trust program.
The present application further provides a data encryption device, including:
a first key generation module, configured to generate, by using a software root of trust program, a first key uniquely corresponding to a hardware device; and
a data encryption module, configured to encrypt data according to the first key.
Optionally, the data encryption module includes:
a random key generation submodule, configured to randomly generate a second key; and
a data encryption submodule, configured to encrypt the data to be encrypted by using the second key, where the first key is used to encrypt the second key.
Optionally, the device further includes:
a second key encryption module, configured to encrypt the second key by using the first key.
Optionally, the device further includes:
a check data generation module, configured to generate check data for verifying the integrity of the data to be encrypted, where the check data is saved in correspondence with the encrypted data.
Optionally, the device further includes:
a data-to-be-encrypted receiving module, configured to provide a second interface for receiving the data to be encrypted and to receive the data to be encrypted through the second interface; and
an encryption result output module, configured to output the encryption result to the data source of the data to be encrypted through the second interface.
The present application further provides a data decryption device, including:
a first key generation module, configured to generate, by using a software root of trust program, a first key uniquely corresponding to a hardware device; and
a data decryption module, configured to decrypt encrypted data according to the first key.
Optionally, the data decryption module includes:
a key acquisition submodule, configured to generate the first key and to obtain an encrypted second key, where the encrypted second key is saved in correspondence with the encrypted data;
a second key decryption submodule, configured to decrypt the encrypted second key by using the first key to obtain a second key; and
a data decryption submodule, configured to decrypt the encrypted data by using the second key.
Optionally, the device further includes:
a check data acquisition module, configured to obtain check data, where the check data is saved in correspondence with the encrypted data; and
an integrity verification module, configured to verify the integrity of the decryption result by using the check data.
Optionally, the device further includes:
a decryption result output module, configured to output the decryption result through a second interface.
The present application further provides a data encryption device, including:
a first key generation module, configured to generate, by using a root of trust program, a first key uniquely corresponding to a hardware device; and
a data encryption module, configured to encrypt data according to the first key.
Optionally, the first key generation module includes:
a first key generation submodule, configured to access a hardware root of trust program built into the hardware device to generate the first key.
The present application further provides a data decryption device, including:
a first key generation module, configured to generate, by using a root of trust program, a first key uniquely corresponding to a hardware device; and
a data decryption module, configured to decrypt encrypted data according to the first key.
Optionally, the first key generation module includes:
a first key generation submodule, configured to access a hardware root of trust program built into the hardware device to generate the first key.
The present application further provides a computer device, including a memory, a processor, and a computer program stored on the memory and runnable on the processor, where the processor, when executing the computer program, implements one or more of the methods described above.
The present application further provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements one or more of the methods described above.
In the embodiments of the present application, first, a root of trust program can be used to generate a first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the possibility that a hacker or the like obtains the first key directly from the code, and also ensures that even if the key of one hardware device is cracked, the keys in hardware devices of the same type as, or from the same hardware manufacturer as, that device remain secure, which effectively improves the security of the data and the hardware devices. Second, the first key can be generated by a software root of trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capabilities, improving the reliability of generating the first key.
The above description is only an overview of the technical solutions of the present application. In order that the technical means of the present application may be understood more clearly and implemented in accordance with the contents of the specification, and in order to make the above and other objects, features and advantages of the present application more apparent, specific embodiments of the present application are set out below.
Brief description of the drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present application. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
FIG. 1 shows a flowchart of a data encryption method according to a first embodiment of the present application;
FIG. 2 shows a flowchart of another data encryption method according to a second embodiment of the present application;
FIG. 3 shows a flowchart of another data encryption method according to a third embodiment of the present application;
FIG. 4 shows a flowchart of a data decryption method according to a fourth embodiment of the present application;
FIG. 5 shows a flowchart of another data decryption method according to a fifth embodiment of the present application;
FIG. 6 shows a flowchart of another data decryption method according to a sixth embodiment of the present application;
FIG. 7 shows a flowchart of a data processing method according to an embodiment of the present application;
FIG. 8 shows a flowchart of a data encryption method according to an embodiment of the present application;
FIG. 9 shows a flowchart of a data decryption method according to an embodiment of the present application;
FIG. 10 shows a structural block diagram of a data encryption device according to a seventh embodiment of the present application;
FIG. 11 shows a structural block diagram of another data encryption device according to an eighth embodiment of the present application;
FIG. 12 shows a structural block diagram of a data decryption device according to a ninth embodiment of the present application;
FIG. 13 shows a structural block diagram of another data decryption device according to a tenth embodiment of the present application;
FIG. 14 shows a structural block diagram of an exemplary system according to an embodiment of the present application.
Detailed description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be implemented in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided so that the present application will be understood more thoroughly and so that its scope can be conveyed fully to those skilled in the art.
To help those skilled in the art understand the embodiments of the present application in depth, the definitions of the technical terms involved in the embodiments of the present application are introduced first.
A root of trust program, also called a root of trust, refers to a set of functions that the operations running on a hardware device regard as always trustworthy; the root of trust alone provides trusted encryption and decryption services for the hardware device. The root of trust program may include at least one of a hardware root of trust program and a software root of trust program. The hardware root of trust program depends on corresponding hardware and may include a hardware root of trust program based on Intel SGX (Intel Software Guard Extensions) or on a TEE (Trusted Execution Environment); the software root of trust program may include a KM (key manager, key management module). Of course, in practical applications the root of trust program may also include other hardware or software root of trust programs, which are not enumerated here.
The first key is derived by the root of trust program from the device unique identifier of the hardware device and therefore corresponds uniquely to that hardware device; the first key can be used to encrypt the data in the hardware device.
The device unique identifier is used to uniquely identify an electronic device; for example, it may include an IMEI (International Mobile Equipment Identity) or a MAC (Media Access Control) address.
The hardware device may be any of various IoT terminals or devices, such as detectors used for weather or environmental monitoring, or smart home devices such as smart speakers in the home. Of course, it may also include mobile phones, smart watches, VR (Virtual Reality) devices, tablet computers, e-book readers, MP3 (Moving Picture Experts Group Audio Layer III) players, MP4 (Moving Picture Experts Group Audio Layer IV) players, laptop computers, in-vehicle computers, desktop computers, set-top boxes, wearable devices, and so on. The hardware device can interact with a remote server to obtain a client, a plug-in, or a data encryption or decryption service, and it may include any of the devices of FIG. 10 to FIG. 14 below and implement any of the methods of FIG. 1 to FIG. 9, so as to encrypt or decrypt data.
The client may include at least one application. The client can run in the positioning device, so as to implement the data encryption or decryption method provided by the embodiments of the present application.
插件可以包括在运行于定位设备的应用程序中,从而实现本申请实施例提供的数据加密或解密方法。The plug-in may be included in an application running in the positioning device, thereby implementing the data encryption or decryption method provided by the embodiment of the present application.
本申请实施例可以应用于物联网设备等硬件设备中的数据加密或解密的场景,比如边缘网关等。由于直接将密钥写在硬件设备的代码中,会导致一个硬件设备中的密钥被破解时,同一类或同一硬件厂商的其它硬件设备的密钥便都会泄露,从而难以保证数据安全,导致数据和硬件设备的安全性较低,因此,为确保一机一密,进而提高数据和硬件设备的安全性,本申请实施例提供了一种数据加密方法。在本申请实施例中,可以采用信任根程序生成与硬件设备唯一对应的第一密钥,并根据第一密钥对数据进行加密,由于不需要将密钥直接写在硬件设备的代码中,一方面减少了黑客等获取得到密钥可能,另一方面即使某个硬件设备的密钥被破解,与该硬件设备同一类或属于同一硬件厂商的硬件设备中的密钥依然是安全的,进而能够通过安全的密钥实现数据的安全存储,能够有效地提高数据和硬件设备的安全性。另外,由于某些硬件设备中可能并不具有硬件信任根程序所依赖的硬件,即不具备硬件安全能力,因此,为了确保无论有无硬件安全能力的硬件设备均能够生成第一密钥,提高第一密钥的可靠性,进而确保数据和硬件设备的安全性,同时降低成本,可以调用软件信任根程序,生成第一密钥。也即是,通过软件信任根程序提供安全性较好的密钥管理功能。The embodiment of the present application can be applied to a scenario of encrypting or decrypting data in a hardware device such as an Internet of Things device, such as an edge gateway. Since the key is directly written in the code of the hardware device, when the key in one hardware device is cracked, the keys of other hardware devices of the same type or the same hardware manufacturer are leaked, thereby making it difficult to ensure data security, resulting in security. The security of the data and the hardware device is low. Therefore, in order to ensure the security of the data and the hardware device, the embodiment of the present application provides a data encryption method. In the embodiment of the present application, the first root key corresponding to the hardware device may be generated by using a trusted root program, and the data is encrypted according to the first key. Since the key is not required to be directly written in the code of the hardware device, On the one hand, it reduces the possibility of obtaining a key by a hacker or the like. On the other hand, even if the key of a hardware device is cracked, the key in the same type of hardware device as the hardware device or the hardware device belonging to the same hardware manufacturer is still safe. The secure storage of data through a secure key can effectively improve the security of data and hardware devices. 
In addition, since some hardware devices may not have hardware that the hardware trust root program depends on, that is, they do not have hardware security capabilities, therefore, in order to ensure that the hardware device capable of generating hardware or security can generate the first key, The reliability of the first key, which in turn ensures the security of the data and hardware devices, while reducing costs, can call the software root program to generate the first key. That is, the software trust root program provides a secure key management function.
本申请实施例可以实现为客户端或插件,硬件设备可以从远程服务器获取并安装该客户端或插件,从而通过该客户端或插件来实施本申请实施例所提供的数据加密或解密方法。当然,本申请实施例也可以以软件的形式部署在远程服务器上,定位设备可以通过访问该远程服务器从而获取数据加密或解密服务。The embodiment of the present application can be implemented as a client or a plug-in. The hardware device can obtain and install the client or the plug-in from the remote server, so that the data encryption or decryption method provided by the embodiment of the present application is implemented by the client or the plug-in. Of course, the embodiment of the present application may also be deployed in a form of software on a remote server, and the positioning device may obtain a data encryption or decryption service by accessing the remote server.
Embodiment 1
Referring to FIG. 1, a flowchart of a data encryption method according to one embodiment of the present application is shown. The steps are as follows:
Step 101: generate, using a software root-of-trust program, a first key that corresponds uniquely to the hardware device.
Writing the key directly into the code of the hardware device makes one key per device hard to achieve and leaves data and devices poorly protected. Instead of writing the key into the code, a root-of-trust program generates the first key, and the generated key corresponds uniquely to the hardware device. This reduces the chance that an attacker obtains the first key directly from the code, and ensures that even if the key of one device is recovered, the keys of devices of the same type or from the same manufacturer remain secure, which effectively improves the security of data and devices. In addition, some hardware devices lack the hardware that a hardware root-of-trust program depends on, that is, they have no hardware security capability. So that devices with or without hardware security capability can all generate the first key, improving the reliability of first-key generation and hence the security of data and devices while lowering cost, a software root-of-trust program can be invoked to generate the first key; that is, the software root-of-trust program provides a key management function with good security.
The software root-of-trust program may include a KM.
The device unique identifier of the hardware device is obtained, and the root-of-trust program derives the first key from that identifier. Because different hardware devices have different device unique identifiers, the first keys obtained on different devices also differ. Note that an IMEI or MAC address is readable by anyone with access to the device or its network, so the derivation must also incorporate secret material that only the root-of-trust program holds; otherwise the first key could be recomputed from the identifier alone.
Step 102: encrypt data according to the first key.
As described above, the first key is generated by the root-of-trust program and corresponds uniquely to the hardware device, which effectively improves the security of data and devices; data can therefore be encrypted according to the first key.
The data to be encrypted on the hardware device is obtained and encrypted with the first key. In practice a more elaborate scheme based on the first key may be used: for example, to further raise the cost of breaking the encrypted data and improve the security of data and devices, additional keys may be generated and the data to be encrypted may be encrypted using several keys including the first key.
The data to be encrypted may include data on the hardware device with high security requirements, such as at least one of user passwords, user fingerprint features, user facial features, user iris features, and application keys of applications on the device. In practice it may also include other data on the device, such as data designated by the user.
The encrypted data is the result of encrypting the data to be encrypted according to the first key; it can be decrypted according to the first key to recover the original data.
In this embodiment, first, a root-of-trust program generates a first key that corresponds uniquely to the hardware device and data is encrypted according to it, which reduces the chance that an attacker obtains the first key directly from the code and ensures that even if the key of one device is recovered, the keys of devices of the same type or from the same manufacturer remain secure, effectively improving the security of data and devices. Second, the first key can be generated by a software root-of-trust program, so that it can be generated whether or not the device has hardware security capability, which improves the reliability of first-key generation.
Embodiment 2
Referring to FIG. 2, a flowchart of a data encryption method according to one embodiment of the present application is shown. The steps are as follows:
Step 201: generate, using a software root-of-trust program, a first key that corresponds uniquely to the hardware device.
For the way in which the root-of-trust program generates a first key corresponding uniquely to the hardware device, see the description above; it is not repeated here.
In practice, the hardware device may include a hardware root-of-trust program, a software root-of-trust program, or both.
The generated first key may be stored at a storage location belonging to the root-of-trust program, for example in a storage area protected by the KM.
Step 202: provide a second interface for receiving the data to be encrypted, and receive the data to be encrypted through the second interface.
As noted above, a hardware device may include a hardware root-of-trust program and/or a software root-of-trust program, and possibly more than one hardware root-of-trust program, so that there may be several first interfaces, one per hardware root-of-trust program. That clutters the system architecture of the device: applications in the application layer must perform complex and laborious adaptation, which raises development cost and invites adaptation errors, which in turn can make data impossible to encrypt or cause other problems and lower the security and reliability of data and devices. A unified interface, the second interface, is therefore provided to the applications in the application layer for receiving the data to be encrypted. The second interface encapsulates the root-of-trust programs at the lower layer, so that every application uses the functions of the root-of-trust programs through one interface; the device's system architecture becomes simpler, application development cost falls, and the security and reliability of applications and devices improve.
The second interface, facing the application layer, may be provided in hardware or software. Data from the application layer is received through the second interface and converted according to the first interface or the software root-of-trust program, so that the converted data conforms to the data types or standards of the first interface or the software root-of-trust program.
The data to be encrypted is data that needs to be encrypted with a key; it may be any data originating from any application.
Step 203: randomly generate a second key and encrypt the data to be encrypted with the second key; the first key is used to encrypt the second key.
To raise the cost of breaking the data and further reduce the chance that it is broken, a second key may be generated in addition to the first key: the data to be encrypted is encrypted with the second key, and the second key is encrypted with the first key. This is layered key management, and it improves the security of data and devices: the second key is never stored in the clear, so an attacker who obtains the stored data together with the encrypted second key still needs the first key, and the first key itself is only ever applied to short keys rather than to bulk data. Moreover, because the second key is generated at random, a different key is used for each item of data to be encrypted; even if one encrypted item on the device is broken, the others remain secure, which further improves the security of data and devices.
The second key may be generated by the root-of-trust program described above using a key generation algorithm.
Hierarchical key management means generating several keys in different ways, storing and managing each separately, and either encrypting the data with several keys or encrypting the data with some of the keys and encrypting those data keys with the others. This raises the complexity of the encryption, makes it hard for an attacker to obtain all the keys, and hence hard to recover the encrypted information, improving its security.
In practice still more keys may be used in a similar way to encrypt the data to be encrypted, further improving the security of data and devices.
Step 204: encrypt the second key with the first key.
To reduce the chance that the second key is recovered, and hence that the encrypted data is decrypted, and to improve the security of data and devices, the second key is encrypted with the first key.
The second key encrypted with the first key may be saved.
Optionally, so that a legitimate user of the data can later obtain the second key and decrypt the encrypted data, improving the reliability of the encryption, the encrypted second key is saved in association with the encrypted data.
The encrypted second key may be stored at the same storage location as the encrypted data; or the two may be stored at different locations and the correspondence between those two locations recorded. In practice other ways of associating the encrypted second key with the encrypted data may be used.
In another optional embodiment, to improve encryption efficiency, no second key is generated and the data to be encrypted is encrypted directly with the first key, so that the first key is the key used to encrypt the data. In yet another optional embodiment, the data to be encrypted is encrypted with the first key, the first key is encrypted with the second key, and the encrypted first key is saved in association with the encrypted data.
The data to be encrypted may be encrypted with the first key in the same way as with the second key; this is not repeated here.
Step 205: generate check data for verifying the integrity of the data to be encrypted, the check data being saved in association with the encrypted data.
So that, after the encrypted data is later decrypted, the recovered data can be verified as complete, further improving the security of data and devices, check data for the data to be encrypted may be generated and saved in association with the encrypted data.
The check data is used to verify the data to be encrypted, including verifying its integrity.
The check data used for integrity verification may include a hash value.
A hash value is a binary value computed from file data (such as the data to be encrypted) and used to verify the integrity of that data.
Optionally, so that the data to be encrypted can later be integrity-checked against its hash value, improving the security of data and devices, the hash value of the data to be encrypted is computed.
In practice, so that the data to be encrypted can later be verified, the check information may also include other information; for example, check information for integrity verification may also include attribute information of the data to be encrypted. Correspondingly, the attribute information of the data to be encrypted is determined and used as the check data.
Attribute information describes the attributes of the data to be encrypted; for example, it may include at least one of the size and the data type of the data to be encrypted.
The size of the data to be encrypted describes how much data it contains.
The type of the data to be encrypted describes its format or category.
The check data may be saved in association with the encrypted data in the same way as the encrypted second key is saved in association with the encrypted data; this is not repeated here.
In practice, to improve encryption efficiency, the check data need not be generated; that is, step 205 is optional.
Step 206: output the encryption result to the data source of the data to be encrypted through the second interface.
So that the application can store or otherwise handle the encrypted data, the encryption result is output to the application that acted as data source; and to keep the device's system architecture simple, lower application development cost, and improve the security and reliability of applications and devices, the result is output to the data source through the unified interface, that is, the second interface.
The data source is the origin of the data to be encrypted and may be the application described above.
The encryption result is what is output after the data to be encrypted has been encrypted, and includes the encrypted data. In practice, if the data was encrypted with the second key and the second key with the first key, the encryption result may also include the second key encrypted with the first key; and if check data for the data to be encrypted was generated, the encryption result may also include that check data.
In this embodiment, first, a root-of-trust program generates a first key that corresponds uniquely to the hardware device and data is encrypted according to it, which reduces the chance that an attacker obtains the first key directly from the code and ensures that even if the key of one device is recovered, the keys of devices of the same type or from the same manufacturer remain secure, effectively improving the security of data and devices. Second, the first key can be generated by a software root-of-trust program, so that it can be generated whether or not the device has hardware security capability, which improves the reliability of first-key generation.
In addition, a unified second interface is provided, through which data to be encrypted is received and encryption results are output. Every application can thus use the functions of the root-of-trust programs through one interface, which simplifies the device's system architecture, lowers application development cost, and removes the failures to encrypt that arise when an application mis-adapts to the first interface of a hardware root-of-trust program, improving the reliability of encryption and hence the security and reliability of data and devices.
In addition, a second key is generated at random, the data to be encrypted is encrypted with the second key, and the second key is encrypted with the first key. Since recovering several keys is less likely than recovering one, and the random second key ensures that each item of data to be encrypted is encrypted under a different key, the cost of breaking the data rises, further improving the security of data and devices.
Embodiment 3
Referring to FIG. 3, a flowchart of a data encryption method according to one embodiment of the present application is shown. The steps are as follows:
Step 301: generate, using a root-of-trust program, a first key that corresponds uniquely to the hardware device.
To reduce the chance that the key is obtained directly from the code, and to avoid the situation in which recovering one device's key also breaks the keys of all devices of the same type or from the same manufacturer, that is, to achieve one key per device and effectively improve the security of data and devices, a root-of-trust program is used to generate a key that corresponds uniquely to the hardware device.
For the way in which the root-of-trust program generates a first key corresponding uniquely to the hardware device, see the description above; it is not repeated here.
Optionally, the hardware device has a dedicated hardware root-of-trust program. To improve the reliability of first-key generation, ensure one key per device, and hence improve the security of data and devices, the hardware root-of-trust program built into the hardware device is accessed to generate the first key.
The hardware root-of-trust program may include a TEE.
Optionally, to ensure that the hardware root-of-trust program can be accessed, improving the reliability of key generation and of the subsequent encryption, the hardware root-of-trust program is accessed through a first interface whose interface type matches the program type of the hardware root-of-trust program.
For example, if the hardware root-of-trust program is Intel SGX, the first interface may be an interface of the Linux SGX driver; if the hardware root-of-trust program is a TEE, the first interface may be the GP Client API (the GlobalPlatform TEE Client API), which is the interface that matches a TEE.
In practice the hardware device may include a hardware root-of-trust program, a software root-of-trust program, or both, so that the first key can be generated whether or not the device has hardware security capability, ensuring reliable first-key generation.
Step 302: encrypt data according to the first key.
For the way in which data is encrypted according to the first key, see the description above; it is not repeated here.
In this embodiment, first, a root-of-trust program generates a first key that corresponds uniquely to the hardware device and data is encrypted according to it, which reduces the chance that an attacker obtains the first key directly from the code and ensures that even if the key of one device is recovered, the keys of devices of the same type or from the same manufacturer remain secure, effectively improving the security of data and devices.
Second, on a hardware device with hardware security capability, the hardware root-of-trust program built into the device can be accessed to generate the first key, which improves the reliability of first-key generation.
Embodiment 4
Referring to FIG. 4, a flowchart of a data decryption method according to one embodiment of the present application is shown. The steps are as follows:
Step 401: generate, using a software root-of-trust program, a first key that corresponds uniquely to the hardware device.
Writing the key directly into the code of the hardware device makes one key per device hard to achieve and leaves data and devices poorly protected. Instead of writing the key into the code, a root-of-trust program generates the first key, and the generated key corresponds uniquely to the hardware device. This reduces the chance that an attacker obtains the first key directly from the code, and ensures that even if the key of one device is recovered, the keys of devices of the same type or from the same manufacturer remain secure, which effectively improves the security of data and devices. In addition, some hardware devices lack the hardware that a hardware root-of-trust program depends on. So that devices with or without hardware security capability can all generate the first key, improving the reliability of the first key and hence the security of data and devices while lowering cost, a software root-of-trust program can be invoked to generate the first key.
For the way in which the root-of-trust program generates a first key corresponding uniquely to the hardware device, see the description above; it is not repeated here.
Step 402: decrypt the encrypted data according to the first key.
So that a legitimate user of the encrypted data can recover the original data, the encrypted data is decrypted according to the first key.
The encrypted data may be the encrypted data described above.
The encrypted data is decrypted according to the first key in the manner that matches how it was encrypted. If the data to be encrypted was encrypted with the first key, the encrypted data is decrypted with the first key. If it was encrypted using several keys including the first key, the keys other than the first key are recovered (for example, a second key that was saved encrypted under the first key is decrypted with the first key) and the encrypted data is decrypted using those keys together with the first key. Where check data was saved with the encrypted data, the recovered data is verified against it after decryption.
在本申请实施例中,首先,能够采用信任根程序生成与硬件设备唯一对应的第一密钥,进而根据第一密钥对数据进行解密,减少了黑客等直接从代码中获取得到第一密钥的可能,同时也确保了即使某个硬件设备的密钥被破解,与该硬件设备同一类或属于同一硬件厂商的硬件设备中的密钥依然是安全的,有效地提高了数据和硬件设备的安全性。其次,能够通过软件信任根程序生成第一密钥,确保了无论硬件设备是否具有硬件安全能力,都能够生成第一密钥,提高了生成第一密钥的可靠性。In the embodiment of the present application, first, the first root key corresponding to the hardware device is generated by using the root of the trust program, and the data is decrypted according to the first key, thereby reducing the first secret obtained by the hacker or the like directly from the code. The possibility of the key also ensures that even if the key of a hardware device is cracked, the key in the same type of hardware device as the hardware device or the hardware device belonging to the same hardware manufacturer is still safe, effectively improving the data and hardware devices. Security. Secondly, the first key can be generated by the software trust root program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, and the reliability of generating the first key is improved.
Embodiment 5
Referring to FIG. 5, a flowchart of a data decryption method according to an embodiment of the present application is shown. The specific steps include:
Step 501: Generate a first key uniquely corresponding to the hardware device by using a software root-of-trust program.
For the manner of generating the first key uniquely corresponding to the hardware device by using a root-of-trust program, refer to the related description above; details are not repeated here.
Step 502: Acquire the encrypted data through the second interface.
To make the system architecture of the hardware device simpler, reduce application development cost, and improve the security and reliability of the applications and the hardware device, the encrypted data of each data source may be acquired through a unified interface, namely the second interface.
Of course, in practice, the encrypted second key and/or the check data stored in correspondence with the encrypted data may also be acquired through the second interface.
The second encryption key may be a key randomly generated for the data being encrypted.
If the second key and/or the check data are stored at the same location as the encrypted data, they may be acquired from that storage location; if there is a correspondence between the storage location of the second key and/or the check data and the storage location of the encrypted data, the storage location of the second key and/or the check data may be determined from the storage location of the encrypted data, and the second key and/or the check data then acquired from it.
In addition, in another optional embodiment of the present application, the second key and/or the check data need not be acquired in this step; they may instead be acquired later, when they are needed.
Step 503: Decrypt the encrypted data according to the first key.
For the manner of decrypting the encrypted data according to the first key, refer to the related description above; details are not repeated here.
In this embodiment of the present application, optionally, since, as described above, the probability that multiple keys are all compromised is lower than the probability that a single key is compromised, in order to improve the security of the data and the hardware device, the first key may be generated, the encrypted second key, which is stored in correspondence with the encrypted data, may be acquired, the encrypted second key may be decrypted with the first key to obtain the second key, and the encrypted data may be decrypted with the second key. That is, hierarchical key management is used to improve the security of the data and the hardware device.
For the manner of generating the first key and the manner of acquiring the second key, refer to the related description above; details are not repeated here.
Step 504: Acquire check data, which is stored in correspondence with the encrypted data, and verify the integrity of the decryption result with the check data.
To verify, after the encrypted data has been decrypted, whether the resulting decryption result is intact, and thus further improve the security of the data and the hardware device, check data may be acquired to verify the decryption result.
The decryption result is the result of decrypting the encrypted data, and may be the data to be encrypted described above.
Check data may be generated from the decryption result and compared with the acquired check data; if they match, the decryption result is determined to be intact, otherwise the decryption result is determined not to be intact.
In this embodiment of the present application, optionally, to ensure that the decryption result matches the data to be encrypted as it was before encryption, that is, to verify the integrity of the decryption result and further improve the security of the data and the hardware device, the check data includes a first hash value of the decryption result. Correspondingly, a second hash value of the decryption result may be generated, and if the second hash value matches the first hash value, the decryption result is confirmed to be intact. If the second hash value does not match the first hash value, the decryption result is confirmed not to be intact.
The first hash value is the hash value of the data to be encrypted that was determined during encryption as described above; the second hash value is the hash value generated from the decrypted data. If the data to be encrypted matches the decryption result, that is, the decryption result is intact, the first hash value and the second hash value should also match.
Check data including the first hash value may be acquired, a second hash value of the decryption result generated, and the first hash value compared with the second hash value to determine whether they match.
For the manner of acquiring the check data, refer to the related description above; details are not repeated here.
In addition, in another optional embodiment of the present application, to ensure that the decryption result matches the data to be encrypted as it was before encryption, that is, to verify the integrity of the decryption result and further improve the security of the data and the hardware device, the check data includes first attribute information of the data to be encrypted. Correspondingly, second attribute information of the decryption result may be acquired and compared with the first attribute information; if they match, the decryption result is determined to be intact, otherwise the decryption result is determined not to be intact.
The first attribute information is attribute information generated from the data to be encrypted, and the second attribute information is attribute information generated from the decryption result. If the data to be encrypted matches the decryption result, that is, the decryption result is intact, the first attribute information and the second attribute information should also match.
In addition, in practice, to improve decryption efficiency, integrity verification of the decryption result may be omitted; that is, step 504 is optional.
Step 505: Output the decryption result through the second interface.
To make it convenient for the application to store or otherwise operate on the decrypted data, the decryption result may be output to the application that serves as the data source, and, to make the system architecture of the hardware device simpler, reduce application development cost, and improve the security and reliability of the applications and the hardware device, the decryption result may be output through the unified interface, namely the second interface.
The decryption result may be output to the data source of the encrypted data through the second interface.
In this embodiment of the present application, first, a root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then decrypted according to the first key. This reduces the chance that hackers and the like obtain the first key directly from the code, and also ensures that even if the key of one hardware device is compromised, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of the data and the hardware devices. Second, the first key can be generated by a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.
Second, the first key can be generated by a hardware root-of-trust program or a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.
In addition, a unified second interface can be provided, and the encrypted data acquired or the decryption result output through it, which ensures that every application can use the functions of the root-of-trust program through a unified interface. This makes the system architecture of the hardware device simpler, reduces application development cost, and reduces the failures to decrypt data that are caused by an application mis-adapting to the first interface of the hardware root-of-trust program, improving the reliability of decryption and thereby the security and reliability of the data and the hardware device.
In addition, the encrypted second key can be decrypted with the first key and the encrypted data decrypted with the second key. Since it is less likely that multiple keys are all compromised, this effectively increases the difficulty of compromising the data and further improves the security of the data and the hardware device.
Embodiment 6
Referring to FIG. 6, a flowchart of a data decryption method according to an embodiment of the present application is shown. The specific steps include:
Step 601: Generate a first key uniquely corresponding to the hardware device by using a root-of-trust program.
To reduce the possibility of obtaining the key directly from the code, to avoid the problem that once the key of one hardware device is compromised the keys of all other hardware devices of the same type or from the same hardware manufacturer are compromised as well, to achieve one key per device, and to effectively improve the security of the data and the hardware device, a root-of-trust program may be used to generate a key uniquely corresponding to the hardware device.
For the manner of generating the first key uniquely corresponding to the hardware device by using a root-of-trust program, refer to the related description above; details are not repeated here.
In this embodiment of the present application, optionally, the hardware device has a dedicated hardware root-of-trust program. To improve the reliability of generating the first key, ensure one key per device, and thereby improve the security of the data and the hardware device, the hardware root-of-trust program built into the hardware device is accessed to generate the first key.
In this embodiment of the present application, optionally, to ensure that the hardware root-of-trust program can be accessed and to improve the reliability of generating the key and of subsequently decrypting the encrypted data, the hardware root-of-trust program may be accessed through a first interface whose interface type is adapted to the program type of the hardware root-of-trust program.
Step 602: Decrypt the encrypted data according to the first key.
For the manner of decrypting the encrypted data according to the first key, refer to the related description above; details are not repeated here.
In this embodiment of the present application, first, a root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then decrypted according to the first key. This reduces the chance that hackers and the like obtain the first key directly from the code, and also ensures that even if the key of one hardware device is compromised, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of the data and the hardware devices.
Second, for a hardware device with hardware security capability, the hardware root-of-trust program built into the device can be accessed to generate the first key, which improves the reliability of generating the first key.
Those skilled in the art should understand that not every method step in the above embodiments is indispensable; in specific circumstances one or more of the steps may be omitted, as long as the technical purpose of encrypting or decrypting the data can be achieved. The present invention does not limit the number or the order of the steps in the embodiments; the scope of protection of the present invention is defined by the claims.
To help those skilled in the art better understand the present application, a data processing, encryption and decryption method according to an embodiment of the present application is described below through a specific example, which includes the following steps:
Referring to FIG. 7, a flowchart of a data processing method according to an embodiment of the present application is shown. The specific steps include:
Step 701: The hardware root-of-trust program or the software root-of-trust program generates a root key.
The root key may include the first key described above.
If the hardware device is provided with the hardware on which the hardware root-of-trust program depends (that is, it has hardware security capability), the root key may be generated by the hardware root of trust; if the hardware device is not provided with that hardware, the root key may be generated by the software root of trust.
Step 702: Store the root key for secure storage through the hardware root-of-trust program or the software root-of-trust program.
Step 703: Encrypt the file key with the root key through the hardware root-of-trust program or the software root-of-trust program.
The file key is the key used to encrypt the data to be encrypted described above, and may include, for example, the second key described above.
Step 704: Encrypt the data to be encrypted with the file key, and store the file key encrypted with the root key.
As can be seen from the above, the root key is not used directly to encrypt the data to be encrypted, but to encrypt the file key that encrypts the data; correspondingly, the root key is not used directly to decrypt the encrypted data, but to decrypt the file key that decrypts the encrypted data. This ensures that different keys can be provided for different hardware devices and for different data for encryption or decryption, reducing the possibility that the data is compromised and improving the security of the data and the hardware device.
Step 705: Provide a secure storage function to the application layer through a unified interface.
Data to be encrypted submitted by an application (such as the application's sensitive data) may be received through the unified interface and the encryption result output to that application; or encrypted data submitted by an application may be received and the decryption result output to that application.
The unified interface may include the second interface described above.
Referring to FIG. 8, a flowchart of a data encryption method according to an embodiment of the present application is shown. The specific steps include:
Step 801: The root-of-trust program generates a first key, and stores the first key in the storage location corresponding to the root-of-trust program;
Step 802: The root-of-trust program encrypts the second key with the first key;
Step 803: Encrypt the data to be encrypted with the second key;
Step 804: Generate a hash value of the data to be encrypted;
Step 805: Combine the encrypted data, the hash value of the data to be encrypted, and the second key encrypted with the first key into one file for storage.
Referring to FIG. 9, a flowchart of a data decryption method according to an embodiment of the present application is shown. The specific steps include:
Step 901: The root-of-trust program reads the encrypted data;
Step 902: The root-of-trust program decrypts the second key with the first key;
Step 903: Decrypt the encrypted data with the second key;
Step 904: Generate a hash value of the decryption result;
Step 905: Determine that the generated hash value matches the previously stored hash value of the data to be encrypted;
Step 906: Output the decryption result.
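The two-level scheme of FIG. 8 and FIG. 9, and the hierarchical key management and hash check of Embodiment 5, as an added Go example that is not part of the patent: the derivation of the first key from a device secret with HMAC-SHA256, the use of AES-256-GCM for both the key wrap and the data, and the `StoredFile` layout are assumptions made here, since the application fixes no particular algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// StoredFile is the single record of step 805: the encrypted data, the hash of
// the plaintext (check data) and the second key wrapped under the first key.
type StoredFile struct {
	WrappedFileKey []byte // second (file) key, encrypted with the first key
	Ciphertext     []byte // data encrypted with the second key
	PlainHash      []byte // SHA-256 of the plaintext, stored as check data
}

// RootKey stands in for the root-of-trust program of step 801: it derives a
// device-unique first key from a device secret and the device identifier with
// HMAC-SHA256 (hypothetical; a hardware root of trust would supply the key).
func RootKey(deviceSecret []byte, deviceID string) []byte {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write([]byte("first-key:" + deviceID))
	return mac.Sum(nil) // 32 bytes, used directly as an AES-256 key
}

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, nonce prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails for a wrong key or a modified ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt follows steps 801-805: random second key, wrap it under the first
// key, encrypt the data under the second key, hash the plaintext, keep all three.
func Encrypt(rootKey, plaintext []byte) (*StoredFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	wrapped, err := seal(rootKey, fileKey)
	if err != nil {
		return nil, err
	}
	ct, err := seal(fileKey, plaintext)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(plaintext)
	return &StoredFile{WrappedFileKey: wrapped, Ciphertext: ct, PlainHash: sum[:]}, nil
}

// Decrypt follows steps 901-906: unwrap the second key with the first key, decrypt
// the data, recompute the hash and return nothing if it differs from the check data.
func Decrypt(rootKey []byte, f *StoredFile) ([]byte, error) {
	fileKey, err := open(rootKey, f.WrappedFileKey)
	if err != nil { // another device's first key fails here: one key per device
		return nil, errors.New("cannot unwrap second key with this first key")
	}
	pt, err := open(fileKey, f.Ciphertext)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(pt)
	if !hmac.Equal(sum[:], f.PlainHash) { // constant-time comparison
		return nil, errors.New("integrity check failed: hash mismatch")
	}
	return pt, nil
}
```

With GCM the stored hash is a second, independent integrity check on top of the AEAD tag, mirroring steps 804 and 905 rather than replacing authenticated encryption.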
Embodiment 7
Referring to FIG. 10, a structural block diagram of a data encryption apparatus according to an embodiment of the present application is shown. The apparatus includes:
a first key generation module 1001, configured to generate, by using a software root-of-trust program, a first key uniquely corresponding to the hardware device;
a data encryption module 1002, configured to encrypt data according to the first key.
Optionally, the data encryption module includes:
a random key generation sub-module, configured to randomly generate a second key;
a data encryption sub-module, configured to encrypt the data to be encrypted with the second key, where the first key is used to encrypt the second key.
Optionally, the apparatus further includes:
a second key encryption module, configured to encrypt the second key with the first key.
Optionally, the apparatus further includes:
a second key storage module, configured to store the encrypted second key in correspondence with the encrypted data to be encrypted.
Optionally, the apparatus further includes:
a check data generation module, configured to generate check data for verifying the integrity of the data to be encrypted, where the check data is stored in correspondence with the encrypted data to be encrypted.
Optionally, the check data generation module includes:
a hash value determination sub-module, configured to determine a hash value of the data to be encrypted.
Optionally, the apparatus further includes:
a data receiving module, configured to provide a second interface for receiving the data to be encrypted, and to receive the data to be encrypted through the second interface;
an encryption result output module, configured to output the encryption result to the data source of the data to be encrypted through the second interface.
In this embodiment of the present application, first, a root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the chance that hackers and the like obtain the first key directly from the code, and also ensures that even if the key of one hardware device is compromised, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of the data and the hardware devices. Second, the first key can be generated by a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.
Embodiment 8
Referring to FIG. 11, a structural block diagram of a data encryption apparatus according to an embodiment of the present application is shown. The apparatus includes:
a first key generation module 1101, configured to generate, by using a root-of-trust program, a first key uniquely corresponding to the hardware device;
a data encryption module 1102, configured to encrypt data according to the first key.
Optionally, the first key generation module includes:
a first key generation sub-module, configured to access the hardware root-of-trust program built into the hardware device to generate the first key.
Optionally, the hardware device has a dedicated hardware root-of-trust program, and the first key generation sub-module is further configured to:
access the hardware root-of-trust program through a first interface, where the interface type of the first interface is adapted to the program type of the hardware root-of-trust program.
In this embodiment of the present application, a root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then encrypted according to the first key. This reduces the chance that hackers and the like obtain the first key directly from the code, and also ensures that even if the key of one hardware device is compromised, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of the data and the hardware devices.
Embodiment 9
Referring to FIG. 12, a structural block diagram of a data decryption apparatus according to an embodiment of the present application is shown. The apparatus includes:
a first key generation module 1201, configured to generate, by using a software root-of-trust program, a first key uniquely corresponding to the hardware device;
a data decryption module 1202, configured to decrypt the encrypted data according to the first key.
Optionally, the data decryption module includes:
a key acquisition sub-module, configured to generate the first key and to acquire the encrypted second key, where the encrypted second key is stored in correspondence with the encrypted data;
a second key decryption sub-module, configured to decrypt the encrypted second key with the first key to obtain the second key;
a data decryption sub-module, configured to decrypt the encrypted data with the second key.
Optionally, the apparatus further includes:
a check data acquisition module, configured to acquire check data, where the check data is stored in correspondence with the encrypted data;
an integrity verification module, configured to verify the integrity of the decryption result with the check data.
Optionally, the check data includes a first hash value of the decryption result, and the integrity verification module includes:
a second hash value generation sub-module, configured to generate a second hash value of the decryption result;
an integrity confirmation sub-module, configured to compare the second hash value with the first hash value and, if they match, confirm that the decryption result is intact.
Optionally, the apparatus further includes:
a decryption result output module, configured to output the decryption result through the second interface.
In this embodiment of the present application, first, a root-of-trust program can generate a first key uniquely corresponding to the hardware device, and the data is then decrypted according to the first key. This reduces the chance that hackers and the like obtain the first key directly from the code, and also ensures that even if the key of one hardware device is compromised, the keys in hardware devices of the same type or from the same hardware manufacturer remain secure, effectively improving the security of the data and the hardware devices. Second, the first key can be generated by a software root-of-trust program, which ensures that the first key can be generated regardless of whether the hardware device has hardware security capability, improving the reliability of generating the first key.
Embodiment 10
Referring to FIG. 13, a structural block diagram of a data decryption apparatus according to an embodiment of the present application is shown. The apparatus includes:
a first key generation module 1301, configured to generate a first key uniquely corresponding to the hardware device using a root of trust program;
a data decryption module 1302, configured to decrypt encrypted data according to the first key.
Optionally, the first key generation module includes:
a first key generation submodule, configured to access a hardware root of trust program built into the hardware device to generate the first key.
Optionally, the hardware device has a dedicated hardware root of trust program, and the first key generation submodule is further configured to:
access the hardware root of trust program through a first interface, the interface type of the first interface being adapted to the program type of the hardware root of trust program.
In the embodiments of the present application, a root of trust program can be used to generate a first key uniquely corresponding to the hardware device, and the data is then decrypted with that first key. This reduces the chance that an attacker obtains the first key directly from the code, and also ensures that even if the key of one hardware device is compromised, the keys in hardware devices of the same type, or from the same hardware manufacturer, remain secure, effectively improving the security of both the data and the hardware devices.
As the apparatus embodiments are substantially similar to the method embodiments, their description is relatively brief; for the relevant details, refer to the corresponding description of the method embodiments.
The embodiments of the present application can be implemented as a system configured as desired using any suitable hardware, firmware, software, or any combination thereof. FIG. 14 schematically illustrates an exemplary system (or apparatus) 1400 that can be used to implement the various embodiments described in the present application.
For one embodiment, FIG. 14 shows an exemplary system 1400 having one or more processors 1402, a system control module (chipset) 1404 coupled to at least one of the processor(s) 1402, system memory 1406 coupled to the system control module 1404, non-volatile memory (NVM)/storage 1408 coupled to the system control module 1404, one or more input/output devices 1410 coupled to the system control module 1404, and a network interface 1412 coupled to the system control module 1406.
The processor 1402 may include one or more single-core or multi-core processors, and may include any combination of general-purpose or special-purpose processors (for example, graphics processors, application processors, baseband processors, and so on). In some embodiments, the system 1400 can serve as the hardware device described in the embodiments of the present application.
In some embodiments, the system 1400 may include one or more computer-readable media (for example, the system memory 1406 or the NVM/storage 1408) having instructions, and one or more processors 1402 that, in combination with the one or more computer-readable media, are configured to execute the instructions to implement the modules that perform the actions described in the present application.
For one embodiment, the system control module 1404 may include any suitable interface controller to provide any suitable interface to at least one of the processor(s) 1402 and/or to any suitable device or component in communication with the system control module 1404.
The system control module 1404 may include a memory controller module to provide an interface to the system memory 1406. The memory controller module may be a hardware module, a software module, and/or a firmware module.
The system memory 1406 may be used, for example, to load and store data and/or instructions for the system 1400. For one embodiment, the system memory 1406 may include any suitable volatile memory, for example suitable DRAM. In some embodiments, the system memory 1406 may include double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
For one embodiment, the system control module 1404 may include one or more input/output controllers to provide an interface to the NVM/storage 1408 and the input/output device(s) 1410.
For example, the NVM/storage 1408 may be used to store data and/or instructions. The NVM/storage 1408 may include any suitable non-volatile memory (for example, flash memory) and/or any suitable non-volatile storage device(s) (for example, one or more hard disk drives (HDD), one or more compact disc (CD) drives, and/or one or more digital versatile disc (DVD) drives).
The NVM/storage 1408 may include storage resources that are physically part of the device on which the system 1400 is installed, or it may be accessible by that device without being part of it. For example, the NVM/storage 1408 may be accessed over a network via the input/output device(s) 1410.
The input/output device(s) 1410 may provide an interface for the system 1400 to communicate with any other suitable device; the input/output devices 1410 may include communication components, audio components, sensor components, and so on. The network interface 1412 may provide an interface for the system 1400 to communicate over one or more networks; the system 1400 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, for example by accessing a wireless network based on a communication standard such as WiFi, 2G or 3G, or a combination thereof.
For one embodiment, at least one of the processor(s) 1402 may be packaged together with the logic of one or more controllers (for example, the memory controller module) of the system control module 1404. For one embodiment, at least one of the processor(s) 1402 may be packaged together with the logic of one or more controllers of the system control module 1404 to form a system in package (SiP). For one embodiment, at least one of the processor(s) 1402 may be integrated on the same die as the logic of one or more controllers of the system control module 1404. For one embodiment, at least one of the processor(s) 1402 may be integrated on the same die as the logic of one or more controllers of the system control module 1404 to form a system on chip (SoC).
In various embodiments, the system 1400 may be, but is not limited to, a workstation, a desktop computing device, or a mobile computing device (for example, a laptop computing device, a handheld computing device, a tablet, a netbook, and so on). In various embodiments, the system 1400 may have more or fewer components and/or a different architecture. For example, in some embodiments, the system 1400 includes one or more cameras, a keyboard, a liquid crystal display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an application-specific integrated circuit (ASIC), and speakers.
If the display includes a touch panel, the display screen may be implemented as a touch screen display to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensors may sense not only the boundary of a touch or swipe action but also the duration and pressure associated with the touch or swipe operation.
The embodiments of the present application further provide a non-volatile readable storage medium storing one or more modules (programs) which, when applied to a terminal device, cause the terminal device to execute the instructions of the method steps in the embodiments of the present application.
In one example, an apparatus is provided, including: one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the apparatus to perform the method performed by the hardware device in the embodiments of the present application.
In one example, one or more machine-readable media are also provided, having instructions stored thereon which, when executed by one or more processors, cause an apparatus to perform the method performed by the hardware device in the embodiments of the present application.
The embodiments of the present application disclose a data encryption and decryption method and apparatus.
Example 1. A data encryption method, including:
generating a first key uniquely corresponding to a hardware device using a software root of trust program;
encrypting data according to the first key.
Example 2 may include the method of Example 1, wherein encrypting data according to the first key includes:
randomly generating a second key;
encrypting the data to be encrypted using the second key, the first key being used to encrypt the second key.
Example 3 may include the method of Example 2, the method further including:
encrypting the second key using the first key.
Example 4 may include the method of Example 3, wherein after encrypting the second key using the first key, the method further includes:
saving the encrypted second key in correspondence with the encrypted data.
Example 5 may include the method of Example 1, the method further including:
generating check data for verifying the integrity of the data to be encrypted, the check data being saved in correspondence with the encrypted data.
Example 6 may include the method of Example 5, wherein generating the check data for verifying the integrity of the data to be encrypted includes:
determining a hash value of the data to be encrypted.
Example 7 may include the method of Example 1, wherein before encrypting data according to the first key, the method further includes:
providing a second interface for receiving the data to be encrypted, and receiving the data to be encrypted through the second interface;
and after encrypting data according to the first key, the method further includes:
outputting the encryption result to the data source of the data to be encrypted through the second interface.
Example 8. A data decryption method, including:
generating a first key uniquely corresponding to a hardware device using a software root of trust program;
decrypting encrypted data according to the first key.
Example 9 may include the method of Example 8, wherein decrypting the encrypted data according to the first key includes:
generating the first key, and acquiring an encrypted second key, the encrypted second key being saved in correspondence with the encrypted data;
decrypting the encrypted second key using the first key to obtain the second key;
decrypting the encrypted data using the second key.
Example 10 may include the method of Example 8, the method further including:
acquiring check data, the check data being saved in correspondence with the encrypted data;
verifying the integrity of the decryption result using the check data.
Example 11 may include the method of Example 10, wherein the check data includes a first hash value of the decryption result, and verifying the integrity of the decryption result using the check data includes:
generating a second hash value of the decryption result;
comparing the second hash value with the first hash value and, if they match, confirming that the decryption result is intact.
Example 12 may include the method of Example 8, the method further including:
outputting the decryption result through a second interface.
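The encryption and decryption flow of Examples 1 to 12, as an added example that is not the patent's own code: a device-unique first key is derived by a (simulated) software root of trust, a random second key encrypts the data, the first key wraps the second key, and a hash of the plaintext is saved as check data and verified on decryption. The device secret is a constructed placeholder standing in for the root of trust's input, and an HMAC-SHA256 counter-mode keystream is used in place of a block cipher so the example runs on the Python standard library alone; the hardware root of trust variant of Examples 13 to 18 would only replace derive_first_key with a call into the hardware.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the per-device secret a software root of trust program
# would derive the first key from (hypothetical value, not from the patent).
DEVICE_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def derive_first_key(device_secret: bytes) -> bytes:
    """Software root of trust: derive the device-unique first key (Example 1).

    The key is computed from the device secret with a fixed label, so every
    device gets a different first key and no key constant appears in code.
    """
    return hmac.new(device_secret, b"first-key/v1", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC-SHA256 over (nonce || counter) blocks.

    A stand-in for a block cipher so the example needs no third-party package.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor_encrypt(key: bytes, data: bytes) -> tuple[bytes, bytes]:
    """Encrypt under a fresh random nonce; returns (nonce, ciphertext)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(data))
    return nonce, bytes(a ^ b for a, b in zip(data, ks))


def _xor_decrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = _keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


@dataclass
class EncryptedRecord:
    """Everything saved in correspondence with the ciphertext (Examples 4, 5)."""
    data_nonce: bytes
    ciphertext: bytes
    key_nonce: bytes
    wrapped_second_key: bytes   # second key encrypted under the first key
    check_hash: bytes           # first hash value: SHA-256 of the plaintext


def encrypt(plaintext: bytes, device_secret: bytes = DEVICE_SECRET) -> EncryptedRecord:
    first_key = derive_first_key(device_secret)
    second_key = secrets.token_bytes(32)                       # Example 2
    data_nonce, ciphertext = _xor_encrypt(second_key, plaintext)
    key_nonce, wrapped = _xor_encrypt(first_key, second_key)   # Example 3
    check_hash = hashlib.sha256(plaintext).digest()            # Example 6
    return EncryptedRecord(data_nonce, ciphertext, key_nonce, wrapped, check_hash)


def decrypt(rec: EncryptedRecord, device_secret: bytes = DEVICE_SECRET) -> bytes:
    """Examples 9 and 11: unwrap the second key, decrypt, then verify the hash.

    A wrong device secret or a modified ciphertext yields a different second
    hash value, so the result is rejected. In a deployment a keyed MAC or an
    AEAD mode over the ciphertext would additionally avoid storing a plaintext
    hash alongside the data.
    """
    first_key = derive_first_key(device_secret)
    second_key = _xor_decrypt(first_key, rec.key_nonce, rec.wrapped_second_key)
    plaintext = _xor_decrypt(second_key, rec.data_nonce, rec.ciphertext)
    second_hash = hashlib.sha256(plaintext).digest()
    if not hmac.compare_digest(second_hash, rec.check_hash):
        raise ValueError("integrity check failed: decryption result rejected")
    return plaintext


def integrity_holds(rec: EncryptedRecord, device_secret: bytes = DEVICE_SECRET) -> bool:
    """True when decryption on this device succeeds and the check data matches."""
    try:
        decrypt(rec, device_secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    record = encrypt(b"sensor reading 42")          # constructed sample input
    print(decrypt(record))                            # b'sensor reading 42'
    print(integrity_holds(record, bytes(32)))         # False: other device's secret
```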
Example 13. A data encryption method, including:
generating a first key uniquely corresponding to a hardware device using a root of trust program;
encrypting data according to the first key.
Example 14 may include the method of Example 13, wherein generating the first key uniquely corresponding to the hardware device using the root of trust program includes:
accessing a hardware root of trust program built into the hardware device to generate the first key.
Example 15 may include the method of Example 14, wherein the hardware device has a dedicated hardware root of trust program, and accessing the hardware root of trust program built into the hardware device includes:
accessing the hardware root of trust program through a first interface, the interface type of the first interface being adapted to the program type of the hardware root of trust program.
Example 16. A data decryption method, including:
generating a first key uniquely corresponding to a hardware device using a root of trust program;
decrypting encrypted data according to the first key.
Example 17 may include the method of Example 16, wherein generating the first key uniquely corresponding to the hardware device using the root of trust program includes:
accessing a hardware root of trust program built into the hardware device to generate the first key.
Example 18 may include the method of Example 17, wherein the hardware device has a dedicated hardware root of trust program, and accessing the hardware root of trust program built into the hardware device includes:
accessing the hardware root of trust program through a first interface, the interface type of the first interface being adapted to the program type of the hardware root of trust program.
Example 19. A data encryption apparatus, including:
a first key generation module, configured to generate a first key uniquely corresponding to a hardware device using a software root of trust program;
a data encryption module, configured to encrypt data according to the first key.
Example 20 may include the apparatus of Example 19, wherein the data encryption module includes:
a random key generation submodule, configured to randomly generate a second key;
a data encryption submodule, configured to encrypt the data to be encrypted using the second key, the first key being used to encrypt the second key.
Example 21 may include the apparatus of Example 20, the apparatus further including:
a second key encryption module, configured to encrypt the second key using the first key.
Example 22 may include the apparatus of Example 19, the apparatus further including:
a check data generation module, configured to generate check data for verifying the integrity of the data to be encrypted, the check data being saved in correspondence with the encrypted data.
Example 23 may include the apparatus of Example 19, the apparatus further including:
a data receiving module, configured to provide a second interface for receiving the data to be encrypted, and to receive the data to be encrypted through the second interface;
an encryption result output module, configured to output the encryption result to the data source of the data to be encrypted through the second interface.
Example 24. A data decryption apparatus, including:
a first key generation module, configured to generate a first key uniquely corresponding to a hardware device using a software root of trust program;
a data decryption module, configured to decrypt encrypted data according to the first key.
Example 25 may include the apparatus of Example 24, wherein the data decryption module includes:
a key acquisition submodule, configured to generate the first key and to acquire an encrypted second key, the encrypted second key being saved in correspondence with the encrypted data;
a second key decryption submodule, configured to decrypt the encrypted second key using the first key to obtain the second key;
a data decryption submodule, configured to decrypt the encrypted data using the second key.
Example 26 may include the apparatus of Example 24, the apparatus further including:
a check data acquisition module, configured to acquire check data, the check data being saved in correspondence with the encrypted data;
an integrity verification module, configured to verify the integrity of the decryption result using the check data.
Example 27 may include the apparatus of Example 24, the apparatus further including:
a decryption result output module, configured to output the decryption result through a second interface.
Example 28. A data encryption apparatus, including:
a first key generation module, configured to generate a first key uniquely corresponding to a hardware device using a root of trust program;
a data encryption module, configured to encrypt data according to the first key.
Example 29 may include the apparatus of Example 28, wherein the first key generation module includes:
a first key generation submodule, configured to access a hardware root of trust program built into the hardware device to generate the first key.
Example 30. A data decryption apparatus, including:
a first key generation module, configured to generate a first key uniquely corresponding to a hardware device using a root of trust program;
a data decryption module, configured to decrypt encrypted data according to the first key.
Example 31 may include the apparatus of Example 30, wherein the first key generation module includes:
a first key generation submodule, configured to access a hardware root of trust program built into the hardware device to generate the first key.
Example 32. An apparatus, including: one or more processors; and one or more machine-readable media having instructions stored thereon which, when executed by the one or more processors, cause the apparatus to perform the method of one or more of Examples 1 to 18.
Example 33. One or more machine-readable media having instructions stored thereon which, when executed by one or more processors, cause an apparatus to perform the method of one or more of Examples 1 to 18.
Although certain embodiments have been illustrated and described for purposes of illustration and description, a wide variety of alternative and/or equivalent implementations, or computations achieving the same purpose, may be substituted for the embodiments shown and described without departing from the scope of the present application. The present application is intended to cover any adaptations or variations of the embodiments discussed herein. Therefore, it is evident that the embodiments described herein are limited only by the claims and their equivalents.

Claims (33)

  1. A data encryption method, characterized by comprising:
    generating a first key uniquely corresponding to a hardware device using a software root of trust program;
    encrypting data according to the first key.
  2. The method according to claim 1, characterized in that encrypting data according to the first key comprises:
    randomly generating a second key;
    encrypting the data to be encrypted using the second key, the first key being used to encrypt the second key.
  3. The method according to claim 2, characterized in that the method further comprises:
    encrypting the second key using the first key.
  4. The method according to claim 3, characterized in that, after encrypting the second key using the first key, the method further comprises:
    saving the encrypted second key in correspondence with the encrypted data.
  5. The method according to claim 1, characterized in that the method further comprises:
    generating check data for verifying the integrity of the data to be encrypted, the check data being saved in correspondence with the encrypted data.
  6. The method according to claim 5, characterized in that generating the check data for verifying the integrity of the data to be encrypted comprises:
    determining a hash value of the data to be encrypted.
  7. The method according to claim 1, characterized in that, before encrypting data according to the first key, the method further comprises:
    providing a second interface for receiving the data to be encrypted, and receiving the data to be encrypted through the second interface;
    and after encrypting data according to the first key, the method further comprises:
    outputting the encryption result to the data source of the data to be encrypted through the second interface.
  8. A data decryption method, characterized by comprising:
    generating a first key uniquely corresponding to a hardware device using a software root of trust program;
    decrypting encrypted data according to the first key.
  9. The method according to claim 8, characterized in that decrypting the encrypted data according to the first key comprises:
    generating the first key, and acquiring an encrypted second key, the encrypted second key being saved in correspondence with the encrypted data;
    decrypting the encrypted second key using the first key to obtain the second key;
    decrypting the encrypted data using the second key.
  10. The method according to claim 8, characterized in that the method further comprises:
    acquiring check data, the check data being saved in correspondence with the encrypted data;
    verifying the integrity of the decryption result using the check data.
  11. The method according to claim 10, characterized in that the check data comprises a first hash value of the decryption result, and verifying the integrity of the decryption result using the check data comprises:
    generating a second hash value of the decryption result;
    comparing the second hash value with the first hash value and, if they match, confirming that the decryption result is intact.
  12. The method according to claim 8, characterized in that the method further comprises:
    outputting the decryption result through a second interface.
  13. A data encryption method, characterized by comprising:
    generating a first key uniquely corresponding to a hardware device using a root of trust program;
    encrypting data according to the first key.
  14. The method according to claim 13, characterized in that generating the first key uniquely corresponding to the hardware device using the root of trust program comprises:
    accessing a hardware root of trust program built into the hardware device to generate the first key.
  15. The method according to claim 14, characterized in that the hardware device has a dedicated hardware root of trust program, and accessing the hardware root of trust program built into the hardware device comprises:
    accessing the hardware root of trust program through a first interface, the interface type of the first interface being adapted to the program type of the hardware root of trust program.
  16. A data decryption method, characterized by comprising:
    generating a first key uniquely corresponding to a hardware device using a root of trust program;
    decrypting encrypted data according to the first key.
  17. The method according to claim 16, characterized in that generating the first key uniquely corresponding to the hardware device using the root of trust program comprises:
    accessing a hardware root of trust program built into the hardware device to generate the first key.
  18. The method according to claim 17, characterized in that the hardware device has a dedicated hardware root of trust program, and accessing the hardware root of trust program built into the hardware device comprises:
    accessing the hardware root of trust program through a first interface, the interface type of the first interface being adapted to the program type of the hardware root of trust program.
  19. A data encryption apparatus, characterized by comprising:
    a first key generation module, configured to generate a first key uniquely corresponding to a hardware device using a software root of trust program;
    a data encryption module, configured to encrypt data according to the first key.
  20. The apparatus according to claim 19, characterized in that the data encryption module comprises:
    a random key generation submodule, configured to randomly generate a second key;
    a data encryption submodule, configured to encrypt the data to be encrypted using the second key, the first key being used to encrypt the second key.
  21. The apparatus according to claim 20, characterized in that the apparatus further comprises:
    a second key encryption module, configured to encrypt the second key using the first key.
  22. The apparatus according to claim 19, characterized in that the apparatus further comprises:
    a check data generation module, configured to generate check data for verifying the integrity of the data to be encrypted, the check data being saved in correspondence with the encrypted data.
  23. The apparatus according to claim 19, characterized in that the apparatus further comprises:
    a data receiving module, configured to provide a second interface for receiving the data to be encrypted, and to receive the data to be encrypted through the second interface;
    an encryption result output module, configured to output the encryption result to the data source of the data to be encrypted through the second interface.
  24. A data decryption apparatus, characterized by comprising:
    a first key generation module, configured to generate a first key uniquely corresponding to a hardware device using a software root of trust program;
    a data decryption module, configured to decrypt encrypted data according to the first key.
  25. The apparatus according to claim 24, characterized in that the data decryption module comprises:
    a key acquisition submodule, configured to generate the first key and to acquire an encrypted second key, the encrypted second key being saved in correspondence with the encrypted data;
    a second key decryption submodule, configured to decrypt the encrypted second key using the first key to obtain the second key;
    a data decryption submodule, configured to decrypt the encrypted data using the second key.
  26. The apparatus according to claim 24, characterized in that the apparatus further comprises:
    a check data acquisition module, configured to acquire check data, the check data being saved in correspondence with the encrypted data;
    an integrity verification module, configured to verify the integrity of the decryption result using the check data.
  27. The apparatus according to claim 24, characterized in that the apparatus further comprises:
    a decryption result output module, configured to output the decryption result through a second interface.
  28. A data encryption apparatus, characterized by comprising:
    a first key generation module, configured to generate a first key uniquely corresponding to a hardware device using a root of trust program;
    a data encryption module, configured to encrypt data according to the first key.
  29. The apparatus according to claim 28, characterized in that the first key generation module comprises:
    a first key generation submodule, configured to access a hardware root of trust program built into the hardware device to generate the first key.
  30. A data decryption apparatus, characterized by comprising:
    a first key generation module, configured to generate a first key uniquely corresponding to a hardware device using a root of trust program;
    数据解密模块,用于根据所述第一密钥解密已加密数据。And a data decrypting module, configured to decrypt the encrypted data according to the first key.
  31. 根据权利要求30所述的装置,其特征在于,所述第一密钥生成模块包括:The device according to claim 30, wherein the first key generation module comprises:
    第一密钥生成子模块,用于访问所述硬件设备内置的硬件信任根程序,生成所述第一密钥。The first key generation submodule is configured to access a hardware root program built in the hardware device to generate the first key.
  32. 一种计算机设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,其特征在于,所述处理器执行所述计算机程序时实现如权利要求1至18中任一项所述的方法。A computer device comprising a memory, a processor, and a computer program stored on the memory and operable on the processor, wherein the processor executes the computer program to implement any one of claims 1 to 18 The method described in the item.
  33. 一种计算机可读存储介质,其上存储有计算机程序,其特征在于,所述计算机程序被处理器执行时实现如权利要求1至18中任一项所述的方法。A computer readable storage medium having stored thereon a computer program, wherein the computer program is executed by a processor to implement the method of any one of claims 1 to 18.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810274311.5 2018-03-29
CN201810274311.5A CN110324138B (en) 2018-03-29 2018-03-29 Data encryption and decryption method and device

Publications (1)

Publication Number Publication Date
WO2019184740A1 true WO2019184740A1 (en) 2019-10-03

Family

ID=68060948

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/078419 WO2019184740A1 (en) 2018-03-29 2019-03-18 Data encryption, decryption method and device

Country Status (3)

Country Link
CN (1) CN110324138B (en)
TW (1) TWI793215B (en)
WO (1) WO2019184740A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114828007A (en) * 2022-04-30 2022-07-29 佛山技研智联科技有限公司 Data processing method, device and system based on edge gateway and edge gateway

Families Citing this family (7)

Publication number Priority date Publication date Assignee Title
CN114598482A (en) * 2020-11-20 2022-06-07 福州数据技术研究院有限公司 Encryption communication method and system for server and intelligent edge gateway
CN112699393B (en) * 2020-12-31 2022-12-23 南方电网科学研究院有限责任公司 Parallel bus data transmission method and device
CN113364760A (en) * 2021-06-01 2021-09-07 平安科技(深圳)有限公司 Data encryption processing method and device, computer equipment and storage medium
EP4145762B1 (en) * 2021-09-06 2023-10-25 Axis AB Method and system for enabling secure processing of data using a processing application
CN113973123B (en) * 2021-10-27 2023-08-29 广东卓维网络有限公司 Multi-access mode encryption Internet of things communication method and system
CN114936365B (en) * 2022-01-27 2023-03-24 华为技术有限公司 System, method and device for protecting secret data
CN115828289B (en) * 2023-02-16 2023-05-30 中信天津金融科技服务有限公司 Encryption method and system for digitized file

Citations (3)

Publication number Priority date Publication date Assignee Title
CN102595213A (en) * 2012-02-22 2012-07-18 深圳创维-Rgb电子有限公司 Security certificate method and system of credible TV terminal
US8839455B1 (en) * 2009-09-23 2014-09-16 Parallels IP Holdings GmbH Security domain in virtual environment
CN106656915A (en) * 2015-10-30 2017-05-10 深圳市中电智慧信息安全技术有限公司 Cloud security server based on trusted computing

Family Cites Families (16)

Publication number Priority date Publication date Assignee Title
US8423762B2 (en) * 2006-07-25 2013-04-16 Northrop Grumman Systems Corporation Common access card heterogeneous (CACHET) system and method
JP5070005B2 (en) * 2007-11-01 2012-11-07 株式会社日立製作所 Arithmetic apparatus, arithmetic method and computer system
CN201181472Y (en) * 2008-02-29 2009-01-14 北京华大恒泰科技有限责任公司 Hardware key device and movable memory system
US8700893B2 (en) * 2009-10-28 2014-04-15 Microsoft Corporation Key certification in one round trip
US8874916B2 (en) * 2012-09-28 2014-10-28 Intel Corporation Introduction of discrete roots of trust
EP2912588A4 (en) * 2012-10-25 2016-06-29 Intel Corp Anti-theft in firmware
CN103455756B (en) * 2013-08-02 2016-12-28 国家电网公司 A kind of course control method based on trust computing
CN106452786A (en) * 2013-09-30 2017-02-22 华为技术有限公司 Encryption and decryption processing method, apparatus and device
CN107534551B (en) * 2015-07-30 2021-02-09 慧与发展有限责任合伙企业 Method, computing device and computer readable medium for providing encrypted data
CN105681032B (en) * 2016-01-08 2017-09-12 腾讯科技(深圳)有限公司 Method for storing cipher key, key management method and device
US10268844B2 (en) * 2016-08-08 2019-04-23 Data I/O Corporation Embedding foundational root of trust using security algorithms
CN106533663B (en) * 2016-11-01 2019-06-25 广东浪潮大数据研究有限公司 Data ciphering method, encryption method, apparatus and data decryption method, decryption method, apparatus
CN106980794B (en) * 2017-04-01 2020-03-17 北京元心科技有限公司 TrustZone-based file encryption and decryption method and device and terminal equipment
CN107273738A (en) * 2017-06-22 2017-10-20 努比亚技术有限公司 A kind of method of controlling security, terminal and computer-readable recording medium
CN107454590A (en) * 2017-07-26 2017-12-08 上海斐讯数据通信技术有限公司 A kind of data ciphering method, decryption method and wireless router
CN107465504A (en) * 2017-08-15 2017-12-12 上海与德科技有限公司 A kind of method and device for improving key safety

Non-Patent Citations (1)

Title
"A Passing Computer Programmer. About TPM", CSDN BLOG, 24 February 2017 (2017-02-24), Retrieved from the Internet <URL:https://blog.csdn.net/lovely_girl1126/article/detai-ls/56843326> *

Also Published As

Publication number Publication date
TWI793215B (en) 2023-02-21
CN110324138A (en) 2019-10-11
CN110324138B (en) 2022-05-24
TW201942784A (en) 2019-11-01

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 19775810
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 19775810
    Country of ref document: EP
    Kind code of ref document: A1