WO2023274011A1 - Method and apparatus for protecting data in otp memory, and device and storage medium - Google Patents

Info

Publication number
WO2023274011A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
area
otp memory
security
otp
Application number
PCT/CN2022/100710
Inventor
唐伟
Original Assignee
湖南国科微电子股份有限公司
Application filed by 湖南国科微电子股份有限公司
Publication of WO2023274011A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Definitions

  • the present application relates to the field of OTP memory, in particular to a data protection method, device, equipment and storage medium in the OTP memory.
  • OTP (One Time Programmable)
  • OTP memory can meet the requirements of high confidentiality and high reliability to a certain extent because the data it stores is non-volatile and highly reliable.
  • Through research on the OTP memory, the data stability of the OTP memory is improved at the level of physical manufacturing, but the lack of data protection reduces the security of data storage.
  • the object of the present invention is to provide a data protection method, device, equipment and medium in an OTP memory, which can enhance the security and confidentiality of the OTP data after programming.
  • the specific plan is as follows:
  • the application discloses a data protection method in an OTP memory, including:
  • the acquiring the target key includes:
  • the target encryption algorithm includes the Advanced Encryption Standard, the Triple Data Encryption Standard and the SM4 encryption algorithm.
  • the acquiring the target key includes:
  • the random value is used as the target key and stored in the random data area of the OTP memory.
  • after storing the encrypted secure data in the secure data area of the OTP memory, the method further includes:
  • the random data area, the security data area and the parameter configuration area are respectively configured for read and/or write operations.
  • the method for protecting data in the OTP memory also includes:
  • the locally stored data information is sent to the system external module through the local interface output module, so that the system external module uses the data information to generate a key.
  • after the judging whether the data in the secure data area is encrypted, the method also includes:
  • the encrypted data in the secure data area is decrypted to obtain the decrypted security data
  • the local interface output module sends the locally stored data information in the random data area, the parameter configuration area and the latch state configuration area, and the decrypted security data to the system external module.
  • the application discloses a data protection device in an OTP memory, including:
  • the target key acquisition module is used to obtain the target key after receiving the programming request sent by the OTP memory;
  • a data and encryption algorithm acquisition module, used to obtain the security data to be encrypted, and read the parameter configuration area of the OTP memory to determine the target encryption algorithm;
  • an encryption storage module, configured to encrypt the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and store the encrypted security data in the security data area of the OTP memory.
  • an electronic device comprising:
  • a processor is configured to execute the computer program to implement the aforementioned method for protecting data in the OTP memory.
  • the present application discloses a computer-readable storage medium for storing a computer program; wherein when the computer program is executed by a processor, the aforementioned OTP memory data protection method is implemented.
  • after receiving the programming request sent by the OTP memory, obtain the target key; obtain the security data to be encrypted, and read the parameter configuration area of the OTP memory to determine the target encryption algorithm; use the target encryption algorithm and the target key to encrypt the security data to be encrypted to obtain encrypted security data, and store the encrypted security data in the security data area of the OTP memory.
  • the security-sensitive data is encrypted by the OTP controller and then programmed into the secure data area, and the encryption and decryption algorithm is selected by hardware to realize the processing of different encryption and decryption keys and the selection of encryption and decryption algorithms, which improves the security of data encryption.
  • this can enhance the security and confidentiality of OTP data after programming, and prevent data from being tampered with or important sensitive data from being illegally stolen.
  • Fig. 1 is a flow chart of a data protection method in an OTP memory provided by the present application;
  • Fig. 2 shows a specific target algorithm configuration method provided by the present application;
  • Fig. 3 is a flow chart of a specific data protection method in an OTP memory provided by the present application;
  • Fig. 4 shows a specific target key configuration method provided by the present application;
  • Fig. 5 is a schematic diagram of the hardware architecture of a specific OTP storage system and of the hardware structure in the OTP controller provided by the present application;
  • Fig. 6 is an OTP initialization flow chart provided by the present application;
  • Fig. 7 is a specific OTP initialization flow chart provided by the present application;
  • Fig. 8 is a flow chart of a specific random value acquisition method provided by the present application;
  • Fig. 9 is a schematic structural diagram of a data protection device in an OTP memory provided by the present application;
  • Fig. 10 is a structural diagram of an electronic device provided by the present application.
  • the present application proposes a data protection method in an OTP memory, which can enhance the security and confidentiality of the OTP data after programming.
  • the embodiment of the present application discloses a method for protecting data in an OTP memory, which is applied to an OTP controller, as shown in Figure 1, the method may include the following steps:
  • Step S11 Obtain the target key after receiving the programming request sent by the OTP memory.
  • the target key is obtained.
  • the OTP memory initiates a programming request to the OTP controller through an external serial port, and the OTP controller actively obtains the target key after receiving the programming request.
  • the acquiring the target key may include: reading the fixed key preset in the key configuration field in the parameter configuration area of the OTP memory, and using the fixed key as the target key; that is, a fixed key can be stored in the key configuration field of the parameter configuration area of the OTP storage area in advance, and the OTP controller reads the key configuration in the parameter configuration area of the OTP memory after receiving the programming request sent by the OTP memory.
  • Step S12 Obtain the security data to be encrypted, and read the parameter configuration area of the OTP memory to determine the target encryption algorithm.
  • the secure data to be encrypted is acquired, where the secure data to be encrypted includes but is not limited to data with high security requirements such as the security root key and identity information, and the parameter configuration area of the above-mentioned OTP memory is read to determine the target encryption algorithm; specifically, the corresponding target encryption algorithm can be determined according to the fields in the parameter configuration area.
  • the target encryption algorithm includes but is not limited to the Advanced Encryption Standard (AES), the Triple Data Encryption Standard (TDES) and the SM4 encryption algorithm; it can be understood that the parameter configuration area pre-stores character strings and the corresponding algorithm types, with a mapping relationship between them.
  • a specific algorithm configuration method is shown in Figure 2.
  • the PROGRAM_MODE field is set as the target algorithm configuration field.
  • when the PROGRAM_MODE value is 2'b00, the secure data to be encrypted is not encrypted; when PROGRAM_MODE is 2'b01, the AES algorithm is used for encryption; when PROGRAM_MODE is 2'b10, the SM4 algorithm is used for encryption; when PROGRAM_MODE is 2'b11, the TDES algorithm is used for encryption.
  • Step S13 Encrypt the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and store the encrypted security data in the security data area of the OTP memory.
  • the above-mentioned secure data to be encrypted is encrypted according to the determined target encryption algorithm and target key to obtain encrypted secure data, and the encrypted secure data is stored in the secure data area of the OTP memory.
  • the target key is obtained; the security data to be encrypted is obtained, and the parameter configuration area of the OTP memory is read to determine the target encryption algorithm; Encrypting the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data in the security data area of the OTP memory.
  • the security-sensitive data is encrypted by the OTP controller and then programmed into the secure data area, and the encryption and decryption algorithm is selected by hardware to realize the processing of different encryption and decryption keys and the selection of encryption and decryption algorithms, which improves the security of data encryption.
  • the embodiment of the present application discloses a specific OTP memory data protection method, as shown in Figure 3, the method may include the following steps:
  • Step S21 After receiving the programming request sent by the OTP memory, send a random number request to the random number generator, and obtain the random value fed back by the random number generator.
  • a random number request is sent to a random number generator (TRNG, True Random Number Generator), and the random value fed back by the random number generator is obtained.
  • TRNG True Random Number Generator
  • Step S22 Use the random value as the target key, and store it in the random data area of the OTP memory.
  • the above-mentioned random value is used as the target key, and stored in the random data area of the above-mentioned OTP memory.
  • a random value can also be used as an encryption key for secure data.
  • Step S23 Obtain the security data to be encrypted, and read the parameter configuration area of the OTP memory to determine the target encryption algorithm.
  • Step S24 Encrypt the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and store the encrypted security data in the security data area of the OTP memory.
  • Step S25 Using the latch state configuration area of the OTP memory, perform latch configuration for read and/or write operations on the random data area, the security data area, and the parameter configuration area, respectively.
  • the latch state configuration area of the OTP memory is programmed and configured, so that latch configuration for read and/or write operations is applied to the random data area, the security data area and the parameter configuration area respectively.
  • the programming operation of the parameter configuration area and the security data area can be latched to prevent the area from being programmed for the second time.
  • the read operation of the random data area is latched, so that the area cannot be read by other external modules such as the host computer, so as to ensure the randomness and unpredictability of the value of this part of the area, and to improve the confidentiality and security of encryption and decryption.
  • a hardware architecture of an OTP storage system and a hardware structure in an OTP controller are provided.
  • HOST initiates a programming or read operation request to OTP as a host
  • TRNG is a true random number generator.
  • the OTP controller sends a random number request to the TRNG module, applies for a set of 128BIT random number data, and programs this set of data into the OTP security data area
  • OTP_WRAPPER is the OTP controller, in which OTP_ASYNC is the synchronization module through which the external host computer carries out programming or read operations on the OTP
  • OTP_CTRL is the main control module of OTP controller, understandably, in the present embodiment, programming address and programming data are sent to OTP_ASYNC module after synchronizing, send to OTP
  • OTP_INIT is the initialization control module of OTP, which is responsible for reading each area of OTP in stages after the OTP is powered on, completing the
  • This module is used to encrypt sensitive security data, and then send the encrypted data to the OTP_PROGRAM module.
  • the OTP_ALGO module is used to provide decryption of secure data.
  • the OTP_OUTPUT module is an interface module between OTP_WRAPPER and external modules, and outputs security-sensitive data.
  • the OTP memory in this embodiment is divided into four areas: the random data area OTP_TRNG_RANDOM_AREA is used to program and store 128BIT random numbers, which are generated by the external true random number generation module TRNG for subsequent encryption and decryption operation processing, and, after the latch state is programmed to 1, this area is guaranteed to be invisible to the external HOST and external modules;
  • the security data area OTP_SECURITY_AREA is used to program and store security-sensitive data;
  • the parameter configuration area OTP_CONFIGURE_AREA is used to program and store hardware configuration data; for example, 2 bits are used for the PROGRAM_MODE field, which configures the encryption and decryption algorithm, and 1 bit is used for the PROGRAM_KEY_SEL field, which configures the encryption and decryption key selection;
  • the latch status configuration area OTP_LOCK_AREA is used to program and store latch status information.
  • for step S23 and step S24, reference may be made to the corresponding content disclosed in the foregoing embodiments, which will not be repeated here.
  • a series of security protection measures, such as random number processing on the encryption and decryption keys and decryption of the encrypted data, are completed only by the OTP controller in the OTP initialization stage, which improves the security and confidentiality of the sensitive data programmed into the OTP.
  • the random value provided by the true random number generator ensures the randomness and uncertainty of the value programmed into the secure data area, that is, the randomness of the key used to encrypt the secure data, which improves the unpredictability of the encryption and decryption of the confidential data.
  • the data latch mechanism ensures the invisibility of the random key and the data validity of the security-sensitive data programming area during the data use process. As a result, when the external host performs a read operation on the sensitive data programmed in the secure data area, the read value is encrypted data, thereby improving the security and confidentiality of the data.
  • the embodiment of the present application discloses an OTP initialization process, as shown in Figure 6, which may include the following steps:
  • Step S31 When receiving the startup signal sent by the random number generator after the system is reset, read the random number flag in the random data area of the OTP memory to determine whether there is a random number in the random data area.
  • the true random number generator automatically completes the initialization configuration, and pulls the signal TRNG_READY to 1.
  • after the OTP controller receives the signal, it initiates the first-stage read operation of the OTP memory, OTP_INIT_STEP1. In this stage, other non-sensitive data areas and the random number flag TRNG_RANDOM_KEY_READY field are read. If the flag is 1, it means that the OTP has a 128BIT random number from the production stage.
  • if the flag bit is 0, it means that the random storage area is not programmed, and the OTP initialization process skips to the end, OTP_INIT_FINISH; that is, during the OTP initialization process, the reading of the security data area is skipped and the initialization process of the entire OTP ends directly. In this case, since the security data area has not been programmed and has not been read during initialization, the valid signal of the sensitive data always remains in a low state.
  • Step S32 If it exists, read the data information in the random data area, security data area, parameter configuration area and latch state configuration area in the OTP memory, and store the data information locally.
  • the OTP power-on initialization enters the second stage, OTP_INIT_STEP2, and the OTP controller reads the data information in the random data area, security data area, parameter configuration area and latch state configuration area, and stores the above data information in a local memory.
  • if the random number flag is 0, after the initialization process is completed, it is necessary to initiate a request for programming random numbers to the OTP controller through the external serial port, as shown in Figure 8.
  • after receiving the request, the OTP controller sends a request to the random number module for a group of 128BIT random numbers, and programs the requested true random numbers into the above random data area.
  • the random number flag is programmed to 1. That is, the random number programming request start register of the OTP controller is configured through the external serial port to initiate the entire random number request and programming operation.
  • Step S33 According to the algorithm configuration field in the parameter configuration area, determine whether the data in the secure data area is encrypted.
  • in the third stage of the OTP power-on initialization process, the algorithm configuration field in the above-mentioned parameter configuration area is read to judge whether the data in the above-mentioned security data area is encrypted; that is, the algorithm configuration field PROGRAM_MODE shown in Figure 2 is read to determine whether the above security data is encrypted and the corresponding encryption algorithm.
  • Step S34 If encrypted, decrypt the encrypted data in the secure data area according to the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, to get the decrypted security data.
  • the encrypted data in the secure data area is decrypted according to the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, to get the decrypted security data. That is, the decryption operation is performed on the read security data, the decryption algorithm is selected through the PROGRAM_MODE field, and the decryption key is selected through the PROGRAM_KEY_SEL field.
  • Step S35 Send the locally stored data information in the random data area, the parameter configuration area and the latch state configuration area, as well as the decrypted security data, to the system external module through the local interface output module, so that the system external module uses the data information to generate a key.
  • after the decryption is completed, the OUTPUT stage is entered, and the security-sensitive data decrypted in the third stage and the other data read during the second-stage initialization are sent to the OTP_OUTPUT module for output to the external module of the system, so that the external module of the system can use the above data information to generate keys from the root key and identity information in the security data, and the valid signal of sensitive data is pulled to 1. If it is not encrypted, the locally stored data information read by the second-stage initialization is sent directly to the external module of the system through the local interface output module, and the external module of the system can then use the root key, identity information, etc. in the secure data area to generate the corresponding key.
  • the random number flag in the random data area in the OTP memory is read to determine whether there is a random value in the random data area. If it exists, the data information in the random data area, security data area, parameter configuration area and latch state configuration area in the OTP memory is read and stored locally. Then, according to the algorithm configuration field in the parameter configuration area, it is judged whether the data in the secure data area is encrypted.
  • the encrypted data in the secure data area is decrypted to obtain the decrypted security data.
  • the embodiment of the present application also discloses a data protection device in an OTP memory, as shown in Figure 9, the device includes:
  • the target key acquisition module 11 is used to acquire the target key after receiving the programming request sent by the OTP memory;
  • a data and encryption algorithm acquisition module 12, used to obtain the security data to be encrypted, and read the parameter configuration area of the OTP memory to determine the target encryption algorithm;
  • an encryption storage module 13, configured to encrypt the security data to be encrypted by using the target encryption algorithm and the target key to obtain encrypted security data, and store the encrypted security data in the secure data area of the OTP memory.
  • the target key is obtained; the security data to be encrypted is obtained, and the parameter configuration area of the OTP memory is read to determine the target encryption algorithm; the target encryption algorithm and the target key are used to encrypt the security data to be encrypted to obtain encrypted security data, and the encrypted security data is stored in the security data area of the OTP memory.
  • the security-sensitive data is encrypted by the OTP controller and then programmed into the secure data area, and the encryption and decryption algorithm is selected by hardware to realize the processing of different encryption and decryption keys and the selection of encryption and decryption algorithms, which improves the security of data encryption.
  • this can enhance the security and confidentiality of OTP data after programming, and prevent data from being tampered with or important sensitive data from being illegally stolen.
  • the target key acquisition module 11 may specifically include:
  • a first key acquisition unit configured to read the fixed key preset in the key configuration field in the parameter configuration area of the OTP memory, and use the fixed key as the target key;
  • the second key acquisition unit is configured to send a random number request to a random number generator, and obtain a random value fed back by the random number generator; use the random value as the target key, and store it in the OTP Random data area of memory.
  • the data protection device in the OTP memory may specifically include:
  • the latch module is used to utilize the latch state configuration area of the OTP memory to carry out the latch configuration of the read operation and/or write operation to the random data area, the security data area and the parameter configuration area respectively.
  • the data protection device in the OTP memory may specifically include:
  • the initialization module is used to read the random number flag bit of the random data area in the OTP memory when receiving the start signal sent by the random number generator after the system is reset, so as to determine whether there is a random value in the random data area; if it exists, read the data information in the random data area, the security data area, the parameter configuration area and the latch state configuration area, and store the data information locally; according to the algorithm configuration field in the parameter configuration area, judge whether the data in the secure data area is encrypted; if it is not encrypted, send the locally stored data information to the system external module through the local interface output module, so that the external module of the system uses the data information to generate a key.
  • the initialization module may specifically include:
  • the decryption module is configured to, if the data in the secure data area is encrypted, decrypt the encrypted data in the secure data area according to the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, to obtain the decrypted security data; and to send, through the local interface output module, the locally stored data information in the random data area, the parameter configuration area and the latch state configuration area, and the decrypted security data, to the external module of the system.
  • the embodiment of the present application also discloses an electronic device, as shown in FIG. 10 , and the content in the figure should not be regarded as any limitation on the application scope of the present application.
  • FIG. 10 is a schematic structural diagram of an electronic device 20 provided in an embodiment of the present application.
  • the electronic device 20 may specifically include: at least one processor 21 , at least one memory 22 , a power supply 23 , a communication interface 24 , an input/output interface 25 and a communication bus 26 .
  • the memory 22 is used to store a computer program, and the computer program is loaded and executed by the processor 21 to implement relevant steps in the OTP in-memory data protection method disclosed in any of the foregoing embodiments.
  • the power supply 23 is used to provide working voltage for each hardware device on the electronic device 20;
  • the communication interface 24 can create a data transmission channel between the electronic device 20 and external devices, and the communication protocol it follows is any communication protocol applicable to the technical solution of the present application, which is not specifically limited here;
  • the input and output interface 25 is used to obtain external input data or output data to the outside, and its specific interface type can be selected according to specific application needs, which is not specifically limited here.
  • the memory 22 as a resource storage carrier, can be a read-only memory, random access memory, magnetic disk or optical disk, etc., and the resources stored thereon include an operating system 221, a computer program 222, and data 223 including security data to be encrypted.
  • the storage method can be temporary storage or permanent storage.
  • the operating system 221 is used to manage and control each hardware device and computer program 222 on the electronic device 20, so as to realize the operation and processing of the massive data 223 in the memory 22 by the processor 21, which can be Windows Server, Netware, Unix, Linux, etc.
  • the computer program 222 may further include a computer program capable of completing other specific tasks in addition to the computer program capable of implementing the OTP in-memory data protection method performed by the electronic device 20 disclosed in any of the foregoing embodiments.
  • the embodiment of the present application also discloses a computer storage medium, the computer storage medium stores computer-executable instructions, and when the computer-executable instructions are loaded and executed by a processor, the steps of the data protection method in the OTP memory disclosed in any one of the foregoing embodiments are implemented.
  • each embodiment in this specification is described in a progressive manner, each embodiment focuses on the difference from other embodiments, and the same or similar parts of each embodiment can be referred to each other.
  • the description is relatively simple, and for the related information, please refer to the description of the method part.
  • RAM random access memory
  • ROM read-only memory
  • EPROM electrically programmable ROM
  • EEPROM electrically erasable programmable ROM
  • registers, hard disk, removable disk, CD-ROM, or any other known storage medium.
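The programming steps (S21 to S25) and the power-on initialization steps (S31 to S35) described above can be modelled in C to check the page's two security claims: the host reads only ciphertext, and the random key is unreadable once latched. This is an added example, not code from the patent; the struct layout, function names, the meaning of each PROGRAM_KEY_SEL value and the per-area lock bits are assumptions, and an XOR stand-in replaces the AES/SM4/TDES engine so the model is self-contained.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16   /* 128BIT random number / key */
#define SEC_LEN 16   /* assumed size of the security data area */

enum area  { TRNG_RANDOM, SECURITY, CONFIGURE, AREA_COUNT };
enum mode  { MODE_NONE = 0, MODE_AES = 1, MODE_SM4 = 2, MODE_TDES = 3 }; /* PROGRAM_MODE */
enum stage { OTP_INIT_FINISH, OTP_INIT_OUTPUT };

struct otp {
    uint8_t random[KEY_LEN];        /* OTP_TRNG_RANDOM_AREA */
    bool    random_ready;           /* TRNG_RANDOM_KEY_READY flag */
    uint8_t security[SEC_LEN];      /* OTP_SECURITY_AREA */
    uint8_t fixed_key[KEY_LEN];     /* key configuration field in OTP_CONFIGURE_AREA */
    uint8_t program_mode;           /* 2-bit PROGRAM_MODE */
    uint8_t program_key_sel;        /* 1-bit PROGRAM_KEY_SEL; assumed 0 = fixed key, 1 = random value */
    bool    read_lock[AREA_COUNT];  /* OTP_LOCK_AREA; assumed one read and one write bit per area */
    bool    write_lock[AREA_COUNT];
};

/* Stand-in for the cipher engine: XOR with the key, its own inverse. Not a real cipher. */
static void standin_cipher(const uint8_t *key, uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key[i % KEY_LEN];
}

static const uint8_t *select_key(const struct otp *o)
{
    return (o->program_key_sel & 1) ? o->random : o->fixed_key;
}

/* S21/S22: program the TRNG value once and raise the flag. */
bool ctrl_program_random(struct otp *o, const uint8_t trng[KEY_LEN])
{
    if (o->random_ready || o->write_lock[TRNG_RANDOM])
        return false;
    memcpy(o->random, trng, KEY_LEN);
    o->random_ready = true;
    return true;
}

/* S23/S24: encrypt according to PROGRAM_MODE, then program the security data area. */
bool ctrl_program_security(struct otp *o, const uint8_t plain[SEC_LEN])
{
    if (o->write_lock[SECURITY])
        return false;                   /* latched: no second programming */
    if ((o->program_key_sel & 1) && !o->random_ready)
        return false;                   /* assumption: refuse when the selected key is absent */
    memcpy(o->security, plain, SEC_LEN);
    if ((o->program_mode & 3) != MODE_NONE)
        standin_cipher(select_key(o), o->security, SEC_LEN);
    return true;
}

/* S25: latch programming of the configure and security areas and reads of the random area. */
void ctrl_latch(struct otp *o)
{
    o->write_lock[CONFIGURE] = true;
    o->write_lock[SECURITY] = true;
    o->read_lock[TRNG_RANDOM] = true;
}

/* External HOST read: raw area contents, subject to the read latch. */
bool host_read(const struct otp *o, enum area a, uint8_t *out, size_t n)
{
    const uint8_t *src = (a == TRNG_RANDOM) ? o->random : (a == SECURITY) ? o->security : NULL;
    if (src == NULL || n > KEY_LEN || o->read_lock[a])
        return false;
    memcpy(out, src, n);
    return true;
}

/* S31 to S35: the controller reads past the latches; the valid signal stays low on a blank part. */
enum stage ctrl_init(const struct otp *o, uint8_t out[SEC_LEN], bool *valid)
{
    *valid = false;
    if (!o->random_ready)                       /* OTP_INIT_STEP1: flag is 0 */
        return OTP_INIT_FINISH;                 /* security data area is never read */
    memcpy(out, o->security, SEC_LEN);          /* OTP_INIT_STEP2: local copy */
    if ((o->program_mode & 3) != MODE_NONE)     /* third stage: decrypt if PROGRAM_MODE says so */
        standin_cipher(select_key(o), out, SEC_LEN);
    *valid = true;                              /* OUTPUT stage */
    return OTP_INIT_OUTPUT;
}

/* Constructed scenario; each bit of the result is one property holding (31 = all five). */
int run_scenario(void)
{
    struct otp o;
    uint8_t trng[KEY_LEN], root[SEC_LEN], seen[SEC_LEN], out[SEC_LEN];
    bool valid = false;
    int r = 0;
    memset(&o, 0, sizeof o);
    for (size_t i = 0; i < KEY_LEN; i++) {      /* constructed sample values */
        trng[i] = (uint8_t)(i * 37 + 11);
        root[i] = (uint8_t)(0xA0 + i);
    }
    if (ctrl_init(&o, out, &valid) == OTP_INIT_FINISH && !valid) r |= 1;  /* blank part */
    o.program_mode = MODE_SM4;
    o.program_key_sel = 1;
    ctrl_program_random(&o, trng);
    ctrl_program_security(&o, root);
    ctrl_latch(&o);
    if (!host_read(&o, TRNG_RANDOM, seen, KEY_LEN)) r |= 2;               /* key hidden from host */
    if (host_read(&o, SECURITY, seen, SEC_LEN) && memcmp(seen, root, SEC_LEN) != 0) r |= 4;
    if (!ctrl_program_security(&o, trng)) r |= 8;                         /* reprogramming refused */
    if (ctrl_init(&o, out, &valid) == OTP_INIT_OUTPUT && valid && memcmp(out, root, SEC_LEN) == 0) r |= 16;
    return r;
}

int main(void) { return run_scenario() == 31 ? 0 : 1; }
```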

Abstract

A method and apparatus for protecting data in an OTP memory, and a device and a storage medium. The method comprises: after a programming request sent by an OTP memory is received, acquiring a target key; acquiring security data to be encrypted, and reading a parameter configuration area of the OTP memory, so as to determine a target encryption algorithm; and encrypting said security data by using the target encryption algorithm and the target key, so as to obtain encrypted security data, and storing the encrypted security data in a security data area of the OTP memory. It can be seen that an OTP controller encrypts security sensitive data and then programs same to a security data area, and performs hardware selection on encryption and decryption algorithms, such that the processing of different encryption and decryption keys and the selection of the encryption and decryption algorithms are realized. Therefore, the security and confidentiality of security data encryption is improved; and the security and confidentiality after OTP data programming can be enhanced, thereby preventing data from being tampered with or preventing important sensitive data from being illegitimately stolen.

Description

A method, apparatus, device and storage medium for protecting data in an OTP memory
This application claims priority to Chinese patent application No. 202110744345.8, filed with the China Patent Office on June 30, 2021 and entitled "A method, apparatus, device and storage medium for protecting data in an OTP memory", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of OTP memory, and in particular to a method, apparatus, device and storage medium for protecting data in an OTP memory.
Background
At present, security requirements for products are increasingly high. To meet the need to protect security-sensitive data in hardware systems, such as the security root key and identity information in a chip, OTP (One Time Programmable) memory can, thanks to the non-volatility and high reliability of the data it stores, satisfy requirements for high confidentiality and high reliability to a certain extent. How to further improve the security and reliability of OTP memory is nevertheless a matter of wide concern. In the prior art, research on OTP memory has improved its data stability at the physical manufacturing level, but data protection is lacking, which reduces the security of data storage.
Summary of the invention
In view of this, the object of the present invention is to provide a method, apparatus, device and medium for protecting data in an OTP memory that can enhance the security and confidentiality of OTP data after programming. The specific solution is as follows:
In a first aspect, the present application discloses a method for protecting data in an OTP memory, including:
obtaining a target key after receiving a programming request sent by the OTP memory;
obtaining security data to be encrypted, and reading the parameter configuration area of the OTP memory to determine a target encryption algorithm;
encrypting the security data to be encrypted using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data in the security data area of the OTP memory.
Optionally, obtaining the target key includes:
reading the fixed key preset in the key configuration field of the parameter configuration area of the OTP memory, and using the fixed key as the target key.
Optionally, the target encryption algorithm includes the Advanced Encryption Standard, the Triple Data Encryption Standard and the SM4 encryption algorithm.
Optionally, obtaining the target key includes:
sending a random number request to a random number generator, and obtaining the random value returned by the random number generator;
using the random value as the target key, and storing it in the random data area of the OTP memory.
Optionally, after storing the encrypted security data in the security data area of the OTP memory, the method further includes:
using the latch state configuration area of the OTP memory to configure latching of read operations and/or write operations for the random data area, the security data area and the parameter configuration area respectively.
Optionally, the method for protecting data in the OTP memory further includes:
when a start signal sent by the random number generator after system reset is received, reading the random number flag bit of the random data area in the OTP memory to determine whether a random value exists in the random data area;
if it exists, reading the data information in the random data area, the security data area, the parameter configuration area and the latch state configuration area, and storing the data information locally;
determining, according to the algorithm configuration field in the parameter configuration area, whether the data in the security data area is encrypted;
if it is not encrypted, sending the locally stored data information to a system external module through the local interface output module, so that the system external module generates a key using the data information.
Optionally, after determining whether the data in the security data area is encrypted, the method further includes:
if it is encrypted, decrypting the encrypted data in the security data area with the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, to obtain decrypted security data;
sending the locally stored data information of the random data area, the parameter configuration area and the latch state configuration area, together with the decrypted security data, to the system external module through the local interface output module.
In a second aspect, the present application discloses an apparatus for protecting data in an OTP memory, including:
a target key acquisition module, configured to obtain a target key after receiving a programming request sent by the OTP memory;
a data and encryption algorithm acquisition module, configured to obtain security data to be encrypted, and to read the parameter configuration area of the OTP memory to determine a target encryption algorithm;
an encryption storage module, configured to encrypt the security data to be encrypted using the target encryption algorithm and the target key to obtain encrypted security data, and to store the encrypted security data in the security data area of the OTP memory.
In a third aspect, the present application discloses an electronic device, including:
a memory for storing a computer program;
a processor for executing the computer program to implement the aforementioned method for protecting data in an OTP memory.
In a fourth aspect, the present application discloses a computer-readable storage medium for storing a computer program, wherein the computer program, when executed by a processor, implements the aforementioned method for protecting data in an OTP memory.
In the present application, a target key is obtained after a programming request sent by the OTP memory is received; security data to be encrypted is obtained, and the parameter configuration area of the OTP memory is read to determine a target encryption algorithm; the security data to be encrypted is encrypted using the target encryption algorithm and the target key to obtain encrypted security data, and the encrypted security data is stored in the security data area of the OTP memory. It can be seen that the OTP controller encrypts security-sensitive data before programming it into the security data area, and that the encryption and decryption algorithm is selected in hardware, so that different encryption and decryption keys can be handled and different algorithms selected. This improves the confidentiality of security data encryption, enhances the security and confidentiality of OTP data after programming, and prevents data from being tampered with or important sensitive data from being illegally stolen.
Description of drawings
To explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.
Figure 1 is a flow chart of a method for protecting data in an OTP memory provided by the present application;
Figure 2 is a specific target algorithm configuration scheme provided by the present application;
Figure 3 is a flow chart of a specific method for protecting data in an OTP memory provided by the present application;
Figure 4 is a specific target key configuration scheme provided by the present application;
Figure 5 is a schematic diagram of the hardware architecture of a specific OTP storage system and of the hardware structure inside the OTP controller provided by the present application;
Figure 6 is a flow chart of OTP initialization provided by the present application;
Figure 7 is a flow chart of a specific OTP initialization provided by the present application;
Figure 8 is a flow chart of a specific method for obtaining a random value provided by the present application;
Figure 9 is a schematic structural diagram of an apparatus for protecting data in an OTP memory provided by the present application;
Figure 10 is a structural diagram of an electronic device provided by the present application.
Detailed description
In the prior art, research on OTP memory has improved its data stability at the physical manufacturing level, but data protection is lacking, which reduces the security of data storage. To overcome this technical problem, the present application proposes a method for protecting data in an OTP memory that can enhance the security and confidentiality of OTP data after programming.
An embodiment of the present application discloses a method for protecting data in an OTP memory, applied to an OTP controller. As shown in Figure 1, the method may include the following steps:
Step S11: Obtain a target key after receiving a programming request sent by the OTP memory.
In this embodiment, the target key is obtained after the programming request sent by the OTP memory is received. It can be understood that the OTP memory initiates a programming request to the OTP controller through an external serial port, and the OTP controller actively obtains the target key after receiving the programming request. In this embodiment, obtaining the target key may include: reading the fixed key preset in the key configuration field of the parameter configuration area of the OTP memory, and using the fixed key as the target key. That is, a fixed key can be stored in advance in the key configuration field of the parameter configuration area of the OTP storage area; after receiving the programming request sent by the OTP memory, the OTP controller reads the fixed key preset in that key configuration field and uses it as the target key for encrypting the security data.
Step S12: Obtain the security data to be encrypted, and read the parameter configuration area of the OTP memory to determine the target encryption algorithm.
In this embodiment, the security data to be encrypted is obtained; it includes, but is not limited to, data with high security requirements such as the security root key and identity information. The parameter configuration area of the OTP memory is read to determine the target encryption algorithm; specifically, the corresponding target encryption algorithm can be determined from a field of the parameter configuration area. In this embodiment, the target encryption algorithm includes, but is not limited to, the Advanced Encryption Standard (AES), the Triple Data Encryption Standard (TDES) and the SM4 encryption algorithm. It can be understood that the parameter configuration area stores in advance character strings and the algorithm types they map to. One specific algorithm configuration scheme is shown in Figure 2: the PROGRAM_MODE field is set as the target algorithm configuration field. When PROGRAM_MODE is 2'b00, the security data to be encrypted is not encrypted; when PROGRAM_MODE is 2'b01, the AES algorithm is used; when PROGRAM_MODE is 2'b10, the SM4 algorithm is used; when PROGRAM_MODE is 2'b11, the TDES algorithm is used.
Step S13: Encrypt the security data to be encrypted using the target encryption algorithm and the target key to obtain encrypted security data, and store the encrypted security data in the security data area of the OTP memory.
In this embodiment, the security data to be encrypted is encrypted with the determined target encryption algorithm and target key to obtain encrypted security data, and the encrypted security data is stored in the security data area of the OTP memory.
As can be seen from the above, in this embodiment a target key is obtained after a programming request sent by the OTP memory is received; security data to be encrypted is obtained, and the parameter configuration area of the OTP memory is read to determine a target encryption algorithm; the security data to be encrypted is encrypted using the target encryption algorithm and the target key to obtain encrypted security data, and the encrypted security data is stored in the security data area of the OTP memory. It can be seen that the OTP controller encrypts security-sensitive data before programming it into the security data area, and that the encryption and decryption algorithm is selected in hardware, so that different encryption and decryption keys can be handled and different algorithms selected. This improves the confidentiality of security data encryption, enhances the security and confidentiality of OTP data after programming, and prevents data from being tampered with or important sensitive data from being illegally stolen. Building on the existing security and reliability of OTP, a safe and effective data protection mechanism is added to protect security-sensitive data effectively and to improve its data security and confidentiality in a product or system.
An embodiment of the present application discloses a specific method for protecting data in an OTP memory. As shown in Figure 3, the method may include the following steps:
Step S21: After receiving the programming request sent by the OTP memory, send a random number request to the random number generator, and obtain the random value returned by the random number generator.
In this embodiment, after the programming request sent by the OTP memory is received, a random number request is sent to the random number generator (TRNG, True Random Number Generator), and the random value returned by the random number generator is obtained.
Step S22: Use the random value as the target key, and store it in the random data area of the OTP memory.
In this embodiment, the random value is used as the target key and stored in the random data area of the OTP memory. It can be understood that, besides a fixed key, a random value can also be used as the encryption key for the security data. Specifically, as shown in Figure 4, a PROGRAM_KEY_SEL configuration field can be set in the parameter configuration area of the OTP memory: when the field is 0, the fixed key OTP_KEY in the OTP range is selected as the target key; when the field is 1, a random number is obtained and used as the target key.
Step S23: Obtain the security data to be encrypted, and read the parameter configuration area of the OTP memory to determine the target encryption algorithm.
Step S24: Encrypt the security data to be encrypted using the target encryption algorithm and the target key to obtain encrypted security data, and store the encrypted security data in the security data area of the OTP memory.
Step S25: Using the latch state configuration area of the OTP memory, configure latching of read operations and/or write operations for the random data area, the security data area and the parameter configuration area respectively.
In this embodiment, at the end of the programming configuration flow, the latch state configuration area of the OTP memory is programmed so as to configure latching of read and/or write operations for the random data area, the security data area and the parameter configuration area respectively. Specifically, programming operations on the parameter configuration area and the security data area can be latched to prevent these areas from being programmed a second time. Read operations on the random data area are latched so that this area cannot be read by the host or other external modules, which guarantees the randomness and unpredictability of the values in this area and improves the confidentiality and security of encryption and decryption.
For example, Figure 5 shows the hardware architecture of an OTP storage system and the hardware structure inside the OTP controller. HOST, as the host, initiates programming or read requests to the OTP. TRNG is a true random number generator: during OTP factory production, in the OTP system initialization stage, the OTP controller sends a random number request to the TRNG module, requests a set of 128-bit random data, and programs this data into the security data area of the OTP. OTP_WRAPPER is the OTP controller, in which: OTP_ASYNC is the synchronization module for programming or read operations performed on the OTP by an external host; OTP_CTRL is the main control module of the OTP controller (it can be understood that in this embodiment the programming address and programming data are sent to the OTP_ASYNC module and, after synchronization, to the main control module OTP_CTRL); OTP_INIT is the initialization control module, which after power-on reads each area of the OTP in stages, completes the initialization of the OTP output values for the whole system, and sends the security-sensitive data produced by initialization to OTP_OUTPUT and finally to other modules outside the system; OTP_PROGRAM is the programming interface module of the OTP; OTP_READ is the read operation interface module of the OTP; OTP_ALGO is the encryption and decryption module in the OTP controller and contains hardware implementations of the SM4, AES and TDES algorithms. OTP_ALGO encrypts sensitive security data and sends the encrypted data to the OTP_PROGRAM module; in the system initialization stage it decrypts the security data. OTP_OUTPUT is the interface module between OTP_WRAPPER and external modules and outputs the security-sensitive data.
It can be understood that in this embodiment the OTP memory is divided into four areas. The random data area OTP_TRNG_RANDOM_AREA is programmed with a 128-bit random number, generated by the external true random number generation module TRNG and used for subsequent encryption and decryption; after its latch state is programmed to 1, this area is guaranteed to be invisible to the external HOST and to external modules. The security data area OTP_SECURITY_AREA is programmed with security-sensitive data. The parameter configuration area OTP_CONFIGURE_AREA is programmed with hardware configuration data, for example the 2-bit PROGRAM_MODE field that configures the encryption and decryption algorithm and the 1-bit PROGRAM_KEY_SEL field that selects the encryption and decryption key. The latch state configuration area OTP_LOCK_AREA is programmed with latch state information.
For the specific process of steps S23 and S24, refer to the corresponding content disclosed in the foregoing embodiments; it is not repeated here.
As can be seen from the above, in this embodiment a series of protection measures, such as using a random number for the encryption and decryption key and having decryption of the encrypted data performed only by the OTP controller during the OTP initialization stage, improves the security and confidentiality of the security-sensitive data programmed into the OTP. The random value provided by the true random number generator guarantees the randomness and uncertainty of the value programmed into the security data area, that is, the randomness of the key used to encrypt the security data, and makes the encryption and decryption of confidential data less predictable. On this basis, the data latch mechanism ensures that, while the data is in use, the random key is not visible and the data in the area programmed with security-sensitive data remains valid. As a result, when an external host reads sensitive data programmed into the security data area, the value it reads is the encrypted data, which improves the security and confidentiality of the data.
本申请实施例公开了一种OTP初始化过程,参见图6所示,可以包括以下步骤:The embodiment of the present application discloses an OTP initialization process, as shown in Figure 6, which may include the following steps:
步骤S31:当接收到随机数生成器在系统复位后发送的启动信号,读取OTP存储器中随机数据区域的随机数标志位,以判断所述随机数据区域中是否存在随机数值。Step S31: When receiving the startup signal sent by the random number generator after the system is reset, read the random number flag in the random data area of the OTP memory to determine whether there is a random number in the random data area.
本实施例中,例如图7所示OTP初始化流程过程中,在系统复位释放之 后,真随机数产生器自动完成初始化配置,并将信号TRNG_READY拉起为1,OTP控制器在接收到信号后,发起第一阶段OTP_INIT_STEP1的OTP存储器的读操作,该阶段中,读取其他非敏感数据区域以及随机数标志位TRNG_RANDOM_KEY_READY字段,若该标志位为1,则表示OTP在生产阶段,已经将128BIT的随机数编程到OTP存储器的安全数据区域,若该标志位为0,则表示随机存储区域未进行编程,OTP初始化流程跳到结束OTP_INIT_FINISH,即OTP初始化过程中,将跳过安全数据区域的读取过程,而直接地结束整个OTP的初始化流程。在这种情况下,安全数据区域由于没有进行编程以及初始化读取,敏感数据的有效信号将一直保持为低状态。In this embodiment, for example, during the OTP initialization process shown in Figure 7, after the system reset is released, the true random number generator automatically completes the initialization configuration, and pulls the signal TRNG_READY to 1. After the OTP controller receives the signal, Initiate the read operation of the OTP memory of OTP_INIT_STEP1 in the first stage. In this stage, other non-sensitive data areas and the random number flag TRNG_RANDOM_KEY_READY field are read. If the flag is 1, it means that the OTP has 128BIT random number in the production stage. If the flag bit is 0, it means that the random storage area is not programmed, and the OTP initialization process skips to the end OTP_INIT_FINISH, that is, during the OTP initialization process, the reading process of the security data area will be skipped , and directly end the initialization process of the entire OTP. In this case, since the security data area has not been programmed and initialized to read, the valid signal of the sensitive data will always remain in a low state.
步骤S32:若存在,则读取OTP存储器中的随机数据区域、安全数据区域、参数配置区域和锁存状态配置区域中的数据信息,并将所述数据信息存储至本地。Step S32: If it exists, read the data information in the random data area, security data area, parameter configuration area and latch state configuration area in the OTP memory, and store the data information locally.
In this embodiment, if the random value exists, that is, the random number flag bit is 0, OTP power-on initialization enters the second stage, OTP_INIT_STEP2: the OTP controller reads the data in the random data area, secure data area, parameter configuration area and latch state configuration area of the OTP memory and stores it in local memory. If the random number flag bit is 0, then after the initialization flow completes, a request to program a random number must be issued to the OTP controller through the external serial port, as shown for example in Figure 8. On receiving the request, the OTP controller requests a 128-bit random number from the random number module, programs the returned true random number into the random data area and, once programming is complete, programs the random number flag bit to 1. In other words, the external serial port configures the OTP controller's random-number-programming request start register, which initiates the whole random number request and programming operation.
Step S33: Determine, from the algorithm configuration field in the parameter configuration area, whether the data in the secure data area is encrypted.
In this embodiment, once the data has been stored, the third stage of OTP power-on initialization, OTP_INIT_STEP3, begins. The algorithm configuration field in the parameter configuration area is read to determine whether the data in the secure data area is encrypted; that is, the algorithm configuration field PROGRAM_MODE shown in Figure 2 is read to determine whether the security data is encrypted, or which encryption algorithm was used.
Step S34: If it is encrypted, decrypt the encrypted data in the secure data area using the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, to obtain the decrypted security data.
In this embodiment, if the data is encrypted, the encrypted data in the secure data area is decrypted using the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, yielding the decrypted security data. That is, the security data that was read is decrypted: the PROGRAM_MODE field selects the decryption algorithm and the PROGRAM_KEY_SEL field selects the decryption key.
Step S35: Through the local interface output module, send the locally stored data from the random data area, the parameter configuration area and the latch state configuration area, together with the decrypted security data, to the system external module, so that the system external module can use this data to generate keys.
In this embodiment, once decryption is complete the OUTPUT stage begins: the security-sensitive data decrypted in the third stage, together with the other data read during second-stage initialization, is passed to the OTP_OUTPUT module and output to the system external module, so that the system external module can generate keys from the root key and identity information in the security data, and the sensitive-data valid signal is pulled high to 1. If the data is not encrypted, the local interface output module sends the locally stored data read during second-stage initialization directly to the system external module, which can then generate the corresponding keys from the root key, identity information and so on in the secure data area.
As can be seen from the above, in this embodiment, when the start signal sent by the random number generator after a system reset is received, the random number flag bit of the random data area in the OTP memory is read to determine whether a random value exists in the random data area. If it exists, the data in the random data area, secure data area, parameter configuration area and latch state configuration area of the OTP memory is read and stored locally. Then, according to the algorithm configuration field in the parameter configuration area, it is determined whether the data in the secure data area is encrypted. If it is encrypted, the encrypted data in the secure data area is decrypted using the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, yielding the decrypted security data. The local interface output module then sends the locally stored data from the random data area, the parameter configuration area and the latch state configuration area, together with the decrypted security data, to the system external module, so that the system external module can use this data to generate keys. Decryption of the security data in this embodiment therefore occurs only in the OTP initialization stage after the system is powered on.
This decryption is controlled by hardware; the external host and other components cannot control it, which ensures its independence and security.
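The third-stage and OUTPUT flow of steps S33 to S35, as an added behavioural model in C (not code from the patent or the applicant). The PROGRAM_MODE and PROGRAM_KEY_SEL encodings, the struct layout, the fail-closed handling of undefined field values and the XOR stand-in used in place of AES/3DES/SM4 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OTP_WORD 16 /* 128-bit fields, like the 128-bit random value on the page */

/* ASSUMED encodings: the page names PROGRAM_MODE and PROGRAM_KEY_SEL but this
 * section gives no bit values for them. */
enum { MODE_PLAIN = 0, MODE_AES = 1, MODE_3DES = 2, MODE_SM4 = 3 };
enum { KEY_SEL_FIXED = 0, KEY_SEL_RANDOM = 1 };

/* OTP_INIT_STEP2, OTP_INIT_STEP3 and OUTPUT are the page's stage names;
 * OTP_IDLE and OTP_DONE are hypothetical. */
enum otp_state { OTP_IDLE, OTP_INIT_STEP2, OTP_INIT_STEP3, OTP_OUTPUT, OTP_DONE };

struct otp_memory {                 /* hypothetical layout of the four areas */
    uint8_t random_area[OTP_WORD];  /* random data area */
    uint8_t secure_area[OTP_WORD];  /* secure data area (root key, identity) */
    uint8_t fixed_key[OTP_WORD];    /* key configuration field */
    uint8_t program_mode;           /* algorithm configuration field */
    uint8_t program_key_sel;
    uint8_t latch_cfg;              /* latch state configuration area */
};

struct otp_ctrl {
    enum otp_state state;
    struct otp_memory shadow;       /* local copy taken in OTP_INIT_STEP2 */
    uint8_t out_secure[OTP_WORD];   /* what OTP_OUTPUT presents */
    int sensitive_valid;            /* sensitive-data valid signal */
};

/* Stand-in for AES/3DES/SM4: a self-inverse XOR, NOT a real cipher. It depends
 * on both mode and key so a wrong selection gives a wrong result. */
static void standin_cipher(uint8_t mode, const uint8_t *key,
                           const uint8_t *in, uint8_t *out)
{
    for (int i = 0; i < OTP_WORD; i++)
        out[i] = in[i] ^ key[i] ^ (uint8_t)(mode * 0x11);
}

/* PROGRAM_KEY_SEL chooses between the preset fixed key and the random value. */
static const uint8_t *select_key(const struct otp_memory *m)
{
    if (m->program_key_sel == KEY_SEL_FIXED)  return m->fixed_key;
    if (m->program_key_sel == KEY_SEL_RANDOM) return m->random_area;
    return NULL;
}

/* Programming path: encrypt per the configuration fields, then store. */
int otp_program_secure(struct otp_memory *m, const uint8_t *plain)
{
    const uint8_t *key = select_key(m);
    if (m->program_mode == MODE_PLAIN) {
        memcpy(m->secure_area, plain, OTP_WORD);
        return 0;
    }
    if (m->program_mode > MODE_SM4 || key == NULL) return -1;
    standin_cipher(m->program_mode, key, plain, m->secure_area);
    return 0;
}

/* Third stage (S33/S34). Runs only while the controller is in OTP_INIT_STEP3. */
static int otp_step3(struct otp_ctrl *c)
{
    const uint8_t *key = select_key(&c->shadow);
    if (c->state != OTP_INIT_STEP3) return -1;   /* not in init: refuse */
    if (c->shadow.program_mode == MODE_PLAIN) {
        memcpy(c->out_secure, c->shadow.secure_area, OTP_WORD);
        return 0;
    }
    if (c->shadow.program_mode > MODE_SM4 || key == NULL) return -1;
    standin_cipher(c->shadow.program_mode, key, c->shadow.secure_area, c->out_secure);
    return 0;
}

/* Power-on flow: STEP2 shadow read, STEP3 decrypt, OUTPUT with valid raised. */
int otp_power_on_init(struct otp_ctrl *c, const struct otp_memory *otp)
{
    memset(c, 0, sizeof *c);
    c->state = OTP_INIT_STEP2;
    c->shadow = *otp;
    c->state = OTP_INIT_STEP3;
    if (otp_step3(c) != 0) {          /* assumption: fail closed, valid stays 0 */
        memset(c->out_secure, 0, OTP_WORD);
        c->state = OTP_DONE;
        return -1;
    }
    c->state = OTP_OUTPUT;
    c->sensitive_valid = 1;
    c->state = OTP_DONE;
    return 0;
}

/* A host request arriving after initialization cannot re-run decryption. */
int otp_host_decrypt_request(struct otp_ctrl *c) { return otp_step3(c); }

int main(void)
{
    struct otp_memory otp = {0};
    struct otp_ctrl c;
    uint8_t root[OTP_WORD];
    for (int i = 0; i < OTP_WORD; i++) {          /* constructed sample values */
        root[i] = (uint8_t)(0xA0 + i);
        otp.random_area[i] = (uint8_t)(0x5A ^ i);
    }
    otp.program_mode = MODE_SM4;
    otp.program_key_sel = KEY_SEL_RANDOM;
    otp_program_secure(&otp, root);
    printf("init=%d valid=%d match=%d host=%d\n", otp_power_on_init(&c, &otp),
           c.sensitive_valid, memcmp(c.out_secure, root, OTP_WORD) == 0,
           otp_host_decrypt_request(&c));
    return 0;
}
```
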
Correspondingly, an embodiment of the present application also discloses an apparatus for protecting data in an OTP memory. As shown in Figure 9, the apparatus includes:
a target key acquisition module 11, configured to acquire a target key after receiving the programming request sent by the OTP memory;
a data and encryption algorithm acquisition module 12, configured to acquire the security data to be encrypted and to read the parameter configuration area of the OTP memory to determine the target encryption algorithm;
an encryption storage module 13, configured to encrypt the security data to be encrypted using the target encryption algorithm and the target key to obtain encrypted security data, and to store the encrypted security data in the secure data area of the OTP memory.
As can be seen from the above, in this embodiment the target key is acquired after the programming request sent by the OTP memory is received; the security data to be encrypted is acquired, and the parameter configuration area of the OTP memory is read to determine the target encryption algorithm; the security data to be encrypted is encrypted using the target encryption algorithm and the target key to obtain encrypted security data, which is stored in the secure data area of the OTP memory. The OTP controller thus encrypts security-sensitive data before programming it into the secure data area, and the encryption and decryption algorithm is selected in hardware, so that different encryption and decryption keys can be handled and different algorithms selected. This improves the secrecy of the encrypted security data, strengthens the security and confidentiality of OTP data after programming, and prevents data from being tampered with or important sensitive data from being illegally stolen.
In some specific embodiments, the target key acquisition module 11 may specifically include:
a first key acquisition unit, configured to read the fixed key preset in the key configuration field in the parameter configuration area of the OTP memory, and to use the fixed key as the target key;
a second key acquisition unit, configured to send a random number request to the random number generator and obtain the random value returned by the random number generator, and to use the random value as the target key and store it in the random data area of the OTP memory.
In some specific embodiments, the apparatus for protecting data in the OTP memory may specifically include:
a latch module, configured to use the latch state configuration area of the OTP memory to apply latch configuration for read operations and/or write operations to the random data area, the secure data area and the parameter configuration area respectively.
In some specific embodiments, the apparatus for protecting data in the OTP memory may specifically include:
an initialization module, configured to: when the start signal sent by the random number generator after a system reset is received, read the random number flag bit of the random data area in the OTP memory to determine whether a random value exists in the random data area; if it exists, read the data in the random data area, the secure data area, the parameter configuration area and the latch state configuration area, and store the data locally; determine, according to the algorithm configuration field in the parameter configuration area, whether the data in the secure data area is encrypted; and if it is not encrypted, send the locally stored data to the system external module through the local interface output module, so that the system external module can use the data to generate keys.
In some specific embodiments, the initialization module may specifically include:
a decryption module, configured to: if the data in the secure data area is encrypted, decrypt the encrypted data in the secure data area using the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, to obtain the decrypted security data; and send, through the local interface output module, the locally stored data from the random data area, the parameter configuration area and the latch state configuration area, together with the decrypted security data, to the system external module.
Further, an embodiment of the present application also discloses an electronic device, shown in Figure 10; the content of the figure is not to be regarded as any limitation on the scope of use of the present application.
Figure 10 is a schematic structural diagram of an electronic device 20 provided in an embodiment of the present application. The electronic device 20 may specifically include: at least one processor 21, at least one memory 22, a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The memory 22 is used to store a computer program, which is loaded and executed by the processor 21 to implement the relevant steps of the method for protecting data in the OTP memory disclosed in any of the foregoing embodiments.
In this embodiment, the power supply 23 provides the working voltage for each hardware device on the electronic device 20. The communication interface 24 creates a data transmission channel between the electronic device 20 and external devices; the communication protocol it follows may be any communication protocol applicable to the technical solution of the present application and is not specifically limited here. The input/output interface 25 obtains input data from outside or outputs data to the outside; its specific interface type may be selected according to the needs of the application and is not specifically limited here.
In addition, the memory 22, as the carrier for resource storage, may be a read-only memory, random access memory, magnetic disk, optical disc or the like. The resources stored on it include an operating system 221, a computer program 222, and data 223 including the security data to be encrypted; storage may be temporary or permanent.
The operating system 221 manages and controls each hardware device on the electronic device 20 and the computer program 222, so that the processor 21 can operate on and process the massive data 223 in the memory 22; it may be Windows Server, Netware, Unix, Linux or the like. Besides the computer program that can be used to carry out the method for protecting data in the OTP memory performed by the electronic device 20 as disclosed in any of the foregoing embodiments, the computer program 222 may further include computer programs that can be used to carry out other specific tasks.
Further, an embodiment of the present application also discloses a computer storage medium storing computer-executable instructions which, when loaded and executed by a processor, implement the steps of the method for protecting data in the OTP memory disclosed in any of the foregoing embodiments.
The embodiments in this specification are described progressively: each embodiment focuses on its differences from the others, and the parts that are the same or similar across embodiments may be cross-referenced. Because the apparatus disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for the relevant details, refer to the description of the method.
The steps of the methods or algorithms described in connection with the embodiments disclosed herein may be implemented directly in hardware, in software modules executed by a processor, or in a combination of the two. Software modules may reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.
Finally, it should also be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
The method, apparatus, device and medium for protecting data in an OTP memory provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principle and implementation of the present invention, and the description of the above embodiments is intended only to help in understanding the method of the present invention and its core idea. At the same time, a person of ordinary skill in the art may, following the idea of the present invention, make changes to the specific implementation and scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (10)

  1. A method for protecting data in an OTP memory, characterized in that it is applied to an OTP controller and comprises:
    acquiring a target key after receiving the programming request sent by the OTP memory;
    acquiring the security data to be encrypted, and reading the parameter configuration area of the OTP memory to determine the target encryption algorithm;
    encrypting the security data to be encrypted using the target encryption algorithm and the target key to obtain encrypted security data, and storing the encrypted security data in the secure data area of the OTP memory.
  2. The method for protecting data in an OTP memory according to claim 1, characterized in that acquiring the target key comprises:
    reading the fixed key preset in the key configuration field in the parameter configuration area of the OTP memory, and using the fixed key as the target key.
  3. The method for protecting data in an OTP memory according to claim 1, characterized in that the target encryption algorithm includes the Advanced Encryption Standard, the Triple Data Encryption Standard and the SM4 encryption algorithm.
  4. The method for protecting data in an OTP memory according to claim 1, characterized in that acquiring the target key comprises:
    sending a random number request to a random number generator, and obtaining the random value returned by the random number generator;
    using the random value as the target key, and storing it in the random data area of the OTP memory.
  5. The method for protecting data in an OTP memory according to claim 4, characterized in that, after storing the encrypted security data in the secure data area of the OTP memory, the method further comprises:
    using the latch state configuration area of the OTP memory to apply latch configuration for read operations and/or write operations to the random data area, the secure data area and the parameter configuration area respectively.
  6. The method for protecting data in an OTP memory according to claim 4, characterized in that it further comprises:
    when the start signal sent by the random number generator after a system reset is received, reading the random number flag bit of the random data area in the OTP memory to determine whether a random value exists in the random data area;
    if it exists, reading the data in the random data area, the secure data area, the parameter configuration area and the latch state configuration area, and storing the data locally;
    determining, according to the algorithm configuration field in the parameter configuration area, whether the data in the secure data area is encrypted;
    if it is not encrypted, sending the locally stored data to the system external module through the local interface output module, so that the system external module can use the data to generate keys.
  7. The method for protecting data in an OTP memory according to claim 6, characterized in that, after determining whether the data in the secure data area is encrypted, the method further comprises:
    if it is encrypted, decrypting the encrypted data in the secure data area using the target key corresponding to the key configuration field in the parameter configuration area and the target encryption algorithm corresponding to the algorithm configuration field, to obtain the decrypted security data;
    sending, through the local interface output module, the locally stored data from the random data area, the parameter configuration area and the latch state configuration area, together with the decrypted security data, to the system external module.
  8. An apparatus for protecting data in an OTP memory, characterized in that it is applied to an OTP controller and comprises:
    a target key acquisition module, configured to acquire a target key after receiving the programming request sent by the OTP memory;
    a data and encryption algorithm acquisition module, configured to acquire the security data to be encrypted and to read the parameter configuration area of the OTP memory to determine the target encryption algorithm;
    an encryption storage module, configured to encrypt the security data to be encrypted using the target encryption algorithm and the target key to obtain encrypted security data, and to store the encrypted security data in the secure data area of the OTP memory.
  9. An electronic device, characterized in that it comprises:
    a memory, configured to store a computer program;
    a processor, configured to execute the computer program to implement the method for protecting data in an OTP memory according to any one of claims 1 to 7.
  10. A computer-readable storage medium, characterized in that it is used to store a computer program, wherein the computer program, when executed by a processor, implements the method for protecting data in an OTP memory according to any one of claims 1 to 7.
PCT/CN2022/100710 2021-06-30 2022-06-23 Method and apparatus for protecting data in otp memory, and device and storage medium WO2023274011A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110744345.8 2021-06-30
CN202110744345.8A CN113408017B (en) 2021-06-30 2021-06-30 Method, device, equipment and storage medium for protecting data in OTP (one time programmable) memory

Publications (1)

Publication Number Publication Date
WO2023274011A1 true WO2023274011A1 (en) 2023-01-05

Family

ID=77680859

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/100710 WO2023274011A1 (en) 2021-06-30 2022-06-23 Method and apparatus for protecting data in otp memory, and device and storage medium

Country Status (2)

Country Link
CN (1) CN113408017B (en)
WO (1) WO2023274011A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113408017B (en) * 2021-06-30 2022-10-14 湖南国科微电子股份有限公司 Method, device, equipment and storage medium for protecting data in OTP (one time programmable) memory
CN114629643A (en) * 2022-03-25 2022-06-14 山东云海国创云计算装备产业创新中心有限公司 Key processing method, device and medium
CN116011041A (en) * 2022-12-07 2023-04-25 成都海光集成电路设计有限公司 Key management method, data protection method, system, chip and computer equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010032318A1 (en) * 1999-12-03 2001-10-18 Yip Kun Wah Apparatus and method for protecting configuration data in a programmable device
CN103378966A (en) * 2012-04-26 2013-10-30 Nxp股份有限公司 Secret key programming on safety dynamic piece
CN106650510A (en) * 2016-12-26 2017-05-10 湖南国科微电子股份有限公司 OTP memory data protection method and system and OTP controller
CN109670344A (en) * 2018-12-05 2019-04-23 珠海全志科技股份有限公司 Encryption device, method and system on chip
CN110287708A (en) * 2018-03-19 2019-09-27 扬智科技股份有限公司 One Time Programmable encryption device and its encryption method
CN113408017A (en) * 2021-06-30 2021-09-17 湖南国科微电子股份有限公司 Method, device, equipment and storage medium for protecting data in OTP (one time programmable) memory

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6704871B1 (en) * 1997-09-16 2004-03-09 Safenet, Inc. Cryptographic co-processor
US20070050622A1 (en) * 2005-09-01 2007-03-01 Rager Kent D Method, system and apparatus for prevention of flash IC replacement hacking attack
US8127130B2 (en) * 2006-04-18 2012-02-28 Advanced Communication Concepts, Inc. Method and system for securing data utilizing reconfigurable logic
US20200076591A1 (en) * 2018-09-05 2020-03-05 Bprk Llc Systems and Methods for Automated Generation and Update of Cipher Parameters

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116455572A (en) * 2023-06-16 2023-07-18 北京华安天成智能技术有限公司 Data encryption method, device and equipment
CN116455572B (en) * 2023-06-16 2023-08-29 北京华安天成智能技术有限公司 Data encryption method, device and equipment

Also Published As

Publication number Publication date
CN113408017B (en) 2022-10-14
CN113408017A (en) 2021-09-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22831827

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE